Since the short Url feature is being added to Tiki, could it not be combined with file galleries such that a file in a gallery is linked or displayed by using a short Url instead of the file Id?
This will enhance security and add new functionality to Tiki. Currently the value of fileId is sequentially generated and is therefore predictable: visitors can easily scrape off files from a tiki install by using tiki_download and incrementing the value of fileId inside a loop. Additionally, files can be hotlinked.
To fortify tiki against this, all that needs to be done is to combine the new short Url functionality with file galleries: if plugin files is used with a parameter, say "mask" or "obfuscate", then the fileId will be substituted with a short code. For example, the user enters tiki-download_file.php?fileId=1 in the wiki text editor, just as before, but if the obfuscate="y" parameter is used then the html will show tiki-download_file.php?fileId=RandomShortURLhghhgfftrdfgnj
As an additional feature, if the duration (life / validity) of the short code can be user defined per gallery / file / plugin files parameter, then tiki-download_file.php?fileId=RandomShortURLhghhgfftrdfgnj will stop serving fileId=1 after that time. Tiki could then be made to serve content via perishable and non predictable file names - just like the big CDN companies such as Akamai do.
I imagine this would be fairly simple to implement and would add a very useful feature to Tiki.
For a simple implementation of this idea, see:
https://github.com/spatie/url-signer
To help developers solve the bug, we kindly request that you demonstrate your bug on a show2.tiki.org instance. To start, simply select a version and click on "Create show2.tiki.org instance". Once the instance is ready (in a minute or two), as indicated in the status window below, you can then access that instance, login (the initial admin username/password is "admin") and configure the Tiki to demonstrate your bug. Priority will be given to bugs that have been demonstrated on show2.tiki.org.
The URL for the show.tikiwiki.org instance that demonstrates this bug is at: http://user-11839-6238.show.tikiwiki.org. Note that if you get a popup asking for a username/password, please just enter "show" and "show". This is different from the initial login and password for a new Tiki which is "admin" and "admin".
For the install log, see http://user-11839-6238.show.tikiwiki.org/info.txt
Note that if you see PHP errors or a Tiki claiming to be missing third party software, the instance creation is probably not finished. Please wait a couple minutes and reload.
Snapshots are database dumps of the configuration that developers can download for debugging. Once you have reproduced your bug on the show.tikiwiki.org instance, create a snapshot that can then be downloaded by developers for further investigation.
Snapshots can be accessed at: http://user-11839-6238.show.tikiwiki.org/snapshots/. Note that if you get a popup asking for a username/password, please just enter "show" and "show".
Create new snapshotfilename | created | hits | comment | version | filetype | ||
---|---|---|---|---|---|---|---|
No attachments for this item |