Photo Organizer

  • Status Closed
  • Percent Complete
  • Task Type Feature Request
  • Category Backend / Core
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version 2.34
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Photo Organizer
Opened by pizza - 2008-01-31
Last edited by pizza - 2008-03-02

FS#319 - Enhance local filesystem uploads to be secure and universal.

Currently the user specifies a path. This grants the user full access to anything on the filesystem that the webserver can access.

To allow this feature for everyone without giving away the security farm, there has to be a non-modifiable per-user upload path.

$bulk_upload_base = '/var/po/uploads/%u/'; /* %u gets replaced with userid or username */


1) Mechanism for uploading files needs to map to a PO user (and hence the path) and disallow access to other users' files -- this is more complicated when you consider:
2) Files need to be deletable by the web server's user -- as files are imported, they must be removed from the 'upload path'.

(2) can be sort-of worked around by making the directories group-writable by the webserver, but the problem of subdirs still applies.

(1) Is entirely site-specific. In the end, perhaps as part of the user creation process, upload subdirs are created for each user, and it's up to the site admin to figure out how to do it.

Closed by  pizza
2008-03-02 00:30
Reason for closing:  Implemented
Additional comments about closing:  r1949.


Available keyboard shortcuts


Task Details

Task Editing