authorlsces <lester@lsces.co.uk>2026-04-19 20:03:23 +0100
committerlsces <lester@lsces.co.uk>2026-04-19 20:03:23 +0100
commit873401d2b3266e84a7ceb81687b30fb47b54e540 (patch)
treec1f0f2b2bb6b26cf411a716bb27c8fcf3f424c09 /config
parent3db31967a73d3855a95c23f9dd8da41fbeb0cb3d (diff)
To prevent search engines crawling the raw content in attachments, the auth_request facility has been brought into use. It should be possible to duplicate this on Apache, but that has not been tested. The original thought was to use 'internal' forwarding, but one needs the extra checks that auth_request provides to determine which role set is being allowed for a user or the anonymous user.
Diffstat (limited to 'config')
-rwxr-xr-xconfig/kernel/auth_check.php33
-rwxr-xr-xconfig/kernel/auth_config.php6
-rwxr-xr-xconfig/kernel/config_inc.php167
3 files changed, 206 insertions, 0 deletions
diff --git a/config/kernel/auth_check.php b/config/kernel/auth_check.php
new file mode 100755
index 0000000..d3c2586
--- /dev/null
+++ b/config/kernel/auth_check.php
@@ -0,0 +1,33 @@
+<?php
+// Minimal session check - no framework bootstrap
+include 'auth_config.php';
+
+if( !empty( $_SESSION['user_role'] ) && $_SESSION['user_role'] > 0 ) {
+ http_response_code(200);
+ exit;
+}
+
+// anonymous - check content_id from URI
+preg_match( '|/attachments/\d+/(\d+)/|', $_SERVER['REQUEST_URI'], $matches );
+
+if( !empty( $matches[1] ) ) {
+ $contentId = (int)$matches[1];
+ try {
+ $pdo = new PDO( $gBitDbHost, $gBitDbUser, $gBitDbPassword );
+ $stmt = $pdo->prepare(
+ "SELECT COUNT(*) FROM LIBERTY_CONTENT_ROLE_MAP
+ WHERE content_id = ?"
+ );
+ $stmt->execute( [$contentId] );
+ if( $stmt->fetchColumn() == 0 ) {
+ http_response_code( 200 );
+ } else {
+ http_response_code( 403 );
+ }
+ } catch( PDOException $e ) {
+ // db failure - deny access safely
+ http_response_code( 403 );
+ exit;
+ }
+ exit;
+} \ No newline at end of file
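Review bot: The script fails open for anonymous requests: when the `preg_match` on `$_SERVER['REQUEST_URI']` finds nothing, or the captured id is `0` (which `!empty()` rejects), execution falls off the end without setting a status, so PHP answers with its default 200 and auth_request treats that as allowed. Make deny the default right after the include with `http_response_code( 403 );`, so that only the explicit allow paths return 200. The allow test `$stmt->fetchColumn() == 0` is also loose, because a failed fetch returns `false` and `false == 0` is true; read the value first with `$count = $stmt->fetchColumn();` and test `if( $count !== false && (int)$count === 0 )`. The pattern is unanchored and applied to the raw request URI including the query string, so it is worth matching against the path component only. Separately, the first branch returns 200 for any session with `user_role > 0` without consulting LIBERTY_CONTENT_ROLE_MAP, which looks narrower than the per-role check the commit message describes.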
diff --git a/config/kernel/auth_config.php b/config/kernel/auth_config.php
new file mode 100755
index 0000000..020e8d8
--- /dev/null
+++ b/config/kernel/auth_config.php
@@ -0,0 +1,6 @@
+<?php
+session_name( 'bit-user-mergdemosite' );
+session_start();
+$gBitDbHost='firebird:dbname=localhost:xxxx;charset=utf8;';
+$gBitDbUser='XXXX';
+$gBitDbPassword='pppp';
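Review bot: The DSN, user and password here duplicate `$gBitDbHost`, `$gBitDbUser` and `$gBitDbPassword` from config/kernel/config_inc.php, which this commit also adds as a tracked file, so a deployment has two places where real credentials must be filled in and either can end up committed. Consider tracking only sample copies and keeping the live files out of version control, and giving the auth_request check a database account limited to SELECT on LIBERTY_CONTENT_ROLE_MAP rather than the application account, which the config_inc.php comments describe as holding CREATE, ALTER and DROP rights. The session name `'bit-user-mergdemosite'` is site-specific and presumably has to match the name the main application uses, which deserves a comment such as `// must match the session name used by the bitweaver site`. Since auth_check.php only reads `$_SESSION`, `session_start( [ 'read_and_close' => true ] );` would avoid holding the session lock on every attachment request.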
diff --git a/config/kernel/config_inc.php b/config/kernel/config_inc.php
new file mode 100755
index 0000000..5ae7154
--- /dev/null
+++ b/config/kernel/config_inc.php
@@ -0,0 +1,167 @@
+<?php
+// Copyright (c) 2006, bitweaver.org
+// Licensed under the GNU LESSER GENERAL PUBLIC LICENSE.
+
+// The following line is required and should not be altered
+global $gBitDbType, $gBitDbHost, $gBitDbUser, $gBitDbPassword, $gBitDbName, $gBitDbCaseSensitivity, $smarty_force_compile, $gDebug, $gPreScan;
+
+
+ /******************************************************\
+ *************** Database settings ****************
+ \******************************************************/
+
+// You can choose between different Database abstraction layers. Currently we support:
+// adodb ADODB
+// this is the default setting and is bundled with bitweaver
+// pear PEAR::DB
+// when using this, you can even remove the util/adodb directory
+$gBitDbSystem = "adodb";
+
+
+// bitweaver can store its data in multiple different back-ends. Currently we
+// support MySQL, MSSQL, Firebird, Sybase, PostgreSQL and Oracle. Enter the
+// hostname where your database lives, and the username and password you use to
+// connect to it.
+//
+// You must specify the name of a database that already exists. bitweaver will not
+// create the database for you, because it's very difficult to do that in a
+// reliable, database-neutral fashion. The user that you use should have the
+// following permissions:
+//
+// SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP
+//
+// The possible database types that we support are:
+// mysql Standard MySQL
+// mysqli New MySQL driver
+// sqlite SQLLite
+// mssql MS-SQL (experimental)
+// postgres PostgreSQL 7.x
+// oci8po Oracle (9i and newer)
+// firebird FireBird
+// sybase Sybase
+$gBitDbType="pdo";
+
+// Database name
+$gBitDbName="xxxx";
+
+// Hostname or IP for your database.
+// Some examples:
+// 'localhost' if you are running the database on the same machine as bitweaver
+// If you use Oracle, insert your TNS Name here
+// If you use SQLite, insert the path and filename to your database file
+$gBitDbHost="firebird:dbname=localhost:$gBitDbName;charset=utf8;";
+
+// Database username
+$gBitDbUser="XXXX";
+
+// Database password
+$gBitDbPassword="pppp";
+
+// Database field case default
+$gBitDbCaseSensitivity="";
+
+// This prefix will be prepended to the begining of every table name to allow
+// multiple independent installs to share a single database. By ending the prefix
+// with a '.' (period) you can use a schema in systems that support it. Backticks
+// '`' around the '.' are required if present. A schema example is: 'bit`.`'
+define( 'BIT_DB_PREFIX', '' );
+
+
+ /******************************************************\
+ *************** Environment Settings ****************
+ \******************************************************/
+
+// Setting IS_LIVE to TRUE will let the application know that this site is a live
+// production site and is not used for testing purposes. This will prevent any
+// nasty error pages from appearing and will redirect the user to a 'nicer' error
+// page. Errors should still show up in your error logs. Please use these when
+// submitting bugs to http://sourceforge.net/tracker/?group_id=141358&atid=749176
+define( 'IS_LIVE', false );
+
+
+// if you set AUTO_BUG_SUBMIT to TRUE bitweaver will automatically email the team
+// with details regarding the error. Alternatively you can submit bugs to
+// http://sourceforge.net/tracker/?group_id=141358&atid=749176 which will probably
+// get processed faster since more people have access to these.
+define( 'AUTO_BUG_SUBMIT', false );
+
+
+// This is the path from the server root to your bitweaver location. i.e. if you
+// access bitweaver as 'http://MyServer.com/applications/new/wiki/index.php' you
+// should enter '/applications/new/'
+define( 'BIT_ROOT_URL', '/' );
+
+
+// Here you can set the valid base URI for your site. If you do not set this, we
+// will automatically determine a working value. You can force the use of a
+// specific URI here by putting something like: 'http://myfiles.example.com'
+//define( 'BIT_ROOT_URI', 'http://myfiles.example.com' );
+
+
+// Add default STORAGE_HOST_URI for optionally splitting off storage files to
+// separate host. This will allow you to serve thumbnails and other files from
+// a different server to your web server. If this is not set, we will use
+// BIT_ROOT_URI instead. Put something like: 'http://myfiles.example.com'
+//define( 'STORAGE_HOST_URI', 'http://myfiles.example.com' );
+
+
+// This allows you to set a custom path to your PHP tmp directory - used for ADODB
+// caching if active, and other stuff This is usually only needed in very
+// restrictive hosting environments.
+$gTempDir = '/srv/tmp/'.$gBitDbName;
+
+
+// $gPreScan can be used to specify the order in which packages are scanned by
+// the kernel. In the example provided below, the kernel package is processed
+// first, followed by the users and liberty packages. Any packages not specified
+// in $gPreScan are processed in the traditional order
+//$gPreScan = [ 'kernel', 'storage', 'liberty', 'themes', 'users' ];
+
+// $gThumbSizes defines the image thumbnail sizes that will be autogenerated when
+// images are uploaded and processed. The example provided shows the default sizes
+// that are used. You can add as many sizes as you want if you override the default.
+$gThumbSizes = [
+ 'extra-large' => [ 'width' => 1024, 'height' => 1024 ],
+ 'large' => [ 'width' => 800, 'height' => 800 ],
+ 'medium' => [ 'width' => 400, 'height' => 400 ],
+ 'small' => [ 'width' => 160, 'height' => 160 ],
+ 'avatar' => [ 'width' => 100, 'height' => 100 ],
+ 'icon' => [ 'width' => 48, 'height' => 48 ],
+];
+
+define( 'LIBERTY_DEFAULT_MIME_HANDLER', 'mimeflatdefault' );
+
+
+ /******************************************************\
+ *************** Debugging Options ****************
+ \******************************************************/
+
+// If you wish to force compiling of every page, you can set the next setting to
+// TRUE. this will, however, severly impact performance since every page that is
+// generated is generated afresh and the cache is recreated every time.
+$smarty_force_compile = FALSE;
+
+
+// Setting TEMPLATE_DEBUG = TRUE will output <!-- <called templates> --> in your
+// templates, which will allow you to track all used templates in the HTML source
+// of the page. This will also disable stripping of whitespace making it easier to
+// read the templates. You will only see the effect of the strip changes by
+// clearing out your cache or setting $smarty_force_compile = TRUE;
+// Note: be sure to set this to FALSE and clear out the cache once done since it
+// will increase the page size by at least 10%.
+//define( 'TEMPLATE_DEBUG', TRUE );
+
+// If you want to go a step further with template debugging then this enables
+// smarty's debugging console. A popup with a dump of all of the vars the
+// template(s) have been passed.
+$smarty_debugging = FALSE;
+
+
+// This statement will enable you to view all database queries made
+//$gDebug = TRUE;
+
+
+// This will turn on ADODB performance monitoring and log all queries. This should
+// not be enabled except when doing query analysis due to an overall performance
+// drop. see kernel/admin/db_performance.php for statistics
+//define( 'DB_PERFORMANCE_STATS', TRUE );
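Review bot: `define( 'IS_LIVE', false );` leaves the detailed error pages described in the comment above it switched on, which is a risky default for a tracked config of a site that the commit message says search engines are crawling; `define( 'IS_LIVE', true );` is the safer value to ship. The `$gBitDbType` comment block lists mysql through sybase but not the `pdo` value that is actually assigned, and the `$gBitDbHost` comment still describes a hostname or IP while the value is a full PDO DSN. A line such as `// pdo  PDO driver, with the full DSN in $gBitDbHost` in the type list would close that gap. `$gBitDbHost` interpolates `$gBitDbName`, so a comment noting that the name must be set before the host line would help anyone reordering the file.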