id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc
13	default permissions on MediaWiki uploads directory	andersk		"andersk:
  Try running the following commands from Athena. This will grant
system:anyuser permission to read the images directory of your wiki (and
all its subdirectories).
  {{{
add scripts
attach 11.306
cd /mit/11.306/web_scripts/shenzhen/images
fssar system:anyuser read
  }}}

andersk:
  Why doesn't our Mediawiki installer do this by default?

jbarnold:
  Some users want to restrict access to some or all of their wiki content. I agree that the current situation is not ideal and that we should do something to improve it, if possible.

geofft:
  It might be reasonable to use one of the application-reserved AFS bits (A-H) to indicate ""serve all files in this folder raw, provided that .htaccess or something doesn't restrict permission on the file"". One way to do this would be to let the sketchy AFS patch allow read on the file if both daemon.scripts has one of these bits, and if the current UID is apache's. (Can the AFS patch detect application bits in a decent manner?)

jbarnold:
  Files that have been chmod-ed 777 are currently ""scripts.mit.edu apache""-readable, which is similar to the behavior that you describe (except that it would be a property of the directory rather than a property of the file).
  
  We could then have our automatic installers set that bit on all ""uploads"" directories. That might be a good plan -- I'll need to think about it a bit more. What do other people think of this idea?
"	defect	new	major		web