GNOME Bugzilla – Bug 364103
No permission to access an uploaded (attached) file
Last modified: 2018-09-24 10:05:32 UTC
Please describe the problem:
I've just uploaded a new file to live.gnome.org/Gedit/LaTeXPlugin. When someone clicks on the link to download it again, he gets a 403 Forbidden.

Steps to reproduce:
1.
2.
3.

Actual results:

Expected results:

Does this happen every time?
Yes

Other information:
I can confirm that for this URL: http://live.gnome.org/data/Gedit(2f)LaTeXPlugin/attachments/LaTeXPlugin-20061021.tar.bz2 attachment:LaTeXPlugin-20061021.tar.bz2 I guess this is a question of ownership for that file.
Can someone do something for this? This is very disturbing when we want to give some useful files to users. I especially would like to give a C file for a tutorial ( http://live.gnome.org/GtkStatusIconTutorial ), or jhbuildrc files ready for my distro ( http://live.gnome.org/JhbuildDependencies/MandrivaLinux ), and copy/pasting the file is a pain in the ass.
Sorry, all I can do is try to chase the live.gnome.org sysadmin or someone able to help: http://mail.gnome.org/archives/gnome-web-list/2006-November/msg00163.html
After just fixing the perms for someone else who reported a similar thing via our request tracker, I decided to see how many other files we'd got with unusual permissions:

[root@label attachments]# find . -perm 600 -ls
2144069 4 -rw------- 1 moin moin 3617 Nov 2 00:18 ./MairinDuffy/attachments/test.png
2061958 100 -rw------- 1 moin moin 95711 Nov 9 15:12 ./Gedit(2f)LaTeXPlugin/attachments/LaTeXPlugin-20061109.tar.bz2
2062978 100 -rw------- 1 moin moin 96281 Nov 12 09:52 ./Gedit(2f)LaTeXPlugin/attachments/LaTeXPlugin-20061112.tar.bz2
1996941 44 -rw------- 1 moin moin 43049 Dec 17 12:31 ./GnomeMarketing/attachments/gmt-spreadtheword2.png
2158949 4 -rw------- 1 moin moin 1770 Nov 29 14:23 ./GtkStatusIconTutorial/attachments/gtk-status-icon-test.c
2143368 44 -rw------- 1 moin moin 41380 Oct 25 19:26 ./ThreePointZero(2f)CircularMenus/attachments/piemenu_ss.png
2044457 12 -rw------- 1 moin moin 8494 Nov 21 10:19 ./GnomeArt(2f)Tutorials(2f)GtkThemes(2f)GtkNotebook/attachments/tab-geometry.png
2079816 4 -rw------- 1 moin moin 2681 Nov 20 04:55 ./RichardRuhland(2f)Project/attachments/nuvola-yellow-1.1.tar.bz2
2080453 4 -rw------- 1 moin moin 2888 Nov 19 07:35 ./RichardRuhland(2f)Project/attachments/nuvola-yellow-1.3.tar.bz2
2060436 4 -rw------- 1 moin moin 2310 Dec 17 13:32 ./JhbuildDependencies(2f)MandrivaLinux/attachments/gnome218-jhbuildrc.py
2158741 12 -rw------- 1 moin moin 9553 Nov 25 07:47 ./LarsClausen/attachments/2630867.jpg
2143447 20 -rw------- 1 moin moin 19496 Oct 27 16:06 ./Tomboy(2f)NoteSharing(2f)ZeroConf/attachments/SharePrefsMockup.png
2143449 68 -rw------- 1 moin moin 64503 Oct 27 16:10 ./Tomboy(2f)NoteSharing(2f)ZeroConf/attachments/MdnsRecordDiagram.png
2143458 28 -rw------- 1 moin moin 26608 Oct 27 16:07 ./Tomboy(2f)NoteSharing(2f)ZeroConf/attachments/ShareBrowseMockup.png
2158666 4 -rw------- 1 moin moin 3815 Nov 21 13:15 ./GnomeArt(2f)Tutorials(2f)GtkThemes(2f)GtkTreeView/attachments/screenshot.png
2062992 60 -rw------- 1 moin moin 56302 Nov 19 14:16 ./BuildBrigade/attachments/content.xml
2062004 4 -rw------- 1 moin moin 47 Nov 19 14:16 ./BuildBrigade/attachments/mimetype
2061952 20 -rw------- 1 moin moin 17151 Nov 20 12:42 ./BuildBrigade/attachments/bb-meeting-nov-20-06.txt
2062989 4 -rw------- 1 moin moin 1286 Nov 19 14:16 ./BuildBrigade/attachments/meta.xml
2062990 12 -rw------- 1 moin moin 10436 Nov 19 14:16 ./BuildBrigade/attachments/settings.xml
2062991 96 -rw------- 1 moin moin 91003 Nov 19 14:16 ./BuildBrigade/attachments/styles.xml
2158470 284 -rw------- 1 moin moin 286522 Nov 17 16:44 ./LSR(2f)ScratchPad(2f)Magnifier/attachments/Screenshot.png
2144952 12 -rw------- 1 moin moin 8329 Nov 14 08:59 ./Gedit(2f)Plugins(2f)Reindent/attachments/reindent.py
2144953 4 -rw------- 1 moin moin 280 Nov 14 09:00 ./Gedit(2f)Plugins(2f)Reindent/attachments/reindent.gedit-plugin
2144928 12 -rw------- 1 moin moin 11497 Nov 13 10:44 ./JhbuildDependencies(2f)Gentoo/attachments/gentoo-gnome-2.13.2-jhbuildrc.txt
2144374 316 -rw------- 1 moin moin 316681 Nov 5 07:23 ./RealMarketing/attachments/market_segmentation.pdf

I've changed the perms on these to 644, same as the rest so that should have fixed the problem. I have no idea why they were being created with the wrong perms in the first place.
Also Apache needs a rule to be allowed to read this attachment directory maybe?
It has also been creating some containing directories with the wrong perms.

[root@label attachments]# find . -perm 770 -ls
1979777 4 drwxrwx--- 3 moin moin 4096 Dec 17 12:31 ./GnomeMarketing
1996351 4 drwxrwx--- 2 moin moin 4096 Dec 17 12:31 ./GnomeMarketing/attachments
2162069 4 drwxrwx--- 3 moin moin 4096 Dec 17 13:35 ./GnomeEventsBox
2162070 4 drwxrwx--- 2 moin moin 4096 Dec 17 13:35 ./GnomeEventsBox/attachments
2162093 4 drwxrwx--- 3 moin moin 4096 Dec 17 14:37 ./GnomeEventsBox(2f)NAGnomeEventBox
2162097 4 drwxrwx--- 2 moin moin 4096 Dec 17 14:37 ./GnomeEventsBox(2f)NAGnomeEventBox/attachments

I changed these to 775.
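An added example, not part of the original comments or of the GNOME sysadmin tooling: the two `find` runs above match exact modes (600 and 770), so a file left at 640 or a directory at 750 would be missed. The sketch below instead lists anything the web server cannot read as "other" and applies the same 644/775 fix; the function names and the demo tree are constructed for illustration, and it assumes the server is neither owner nor group member of the files.

```shell
#!/bin/sh
# Added example: audit and repair an attachment tree served by a web server.
# Assumption: the server reads the tree as "other", so files need o+r (004)
# and directories need o+rx (005).

# List files that are not world-readable and directories that are not
# world-traversable. "! -perm -004" matches 600, 640, 660 and so on,
# whereas "-perm 600" only matches exactly 600.
audit_tree() {
    find "$1" -type f ! -perm -004 -print
    find "$1" -type d ! -perm -005 -print
}

# Apply the modes used in the thread: 775 for directories, 644 for files.
# Directories first, so their contents stay reachable while fixing files.
repair_tree() {
    find "$1" -type d ! -perm -005 -exec chmod 775 {} +
    find "$1" -type f ! -perm -004 -exec chmod 644 {} +
}

# Number of paths the audit reports.
count_findings() {
    audit_tree "$1" | wc -l | tr -d ' '
}

# Build a constructed tree with the kinds of modes reported above.
make_demo_tree() {
    root=$(mktemp -d)
    chmod 755 "$root"   # mktemp creates 700; make the demo root itself clean
    mkdir -p "$root/PageA/attachments" "$root/PageB/attachments"
    echo ok  > "$root/PageA/attachments/good.txt"
    echo bad > "$root/PageB/attachments/bad.tar.bz2"
    echo grp > "$root/PageB/attachments/group-only.png"
    chmod 644 "$root/PageA/attachments/good.txt"
    chmod 600 "$root/PageB/attachments/bad.tar.bz2"
    chmod 640 "$root/PageB/attachments/group-only.png"
    chmod 775 "$root/PageA" "$root/PageA/attachments"
    chmod 770 "$root/PageB/attachments" "$root/PageB"
    echo "$root"
}

demo=$(make_demo_tree)
audit_tree "$demo"      # prints the two files and two directories at fault
repair_tree "$demo"
rm -rf "$demo"
```
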
This is a problem from the server. This is still true for new sites. I also cannot move attachments from old pages: http://live.gnome.org/MarketingTeam/MarketSegmentation?action=AttachFile Please reopen.
Still valid. And kinda boring :-/
Yeah still not working, see here: http://live.gnome.org/GconfTools?action=AttachFile
I confirm that the above link is now working. Close this bug?
Just to get this fixed, please look at this again: http://live.gnome.org/action/AttachFile/GconfTools?action=AttachFile display and load display the url for me. Can somebody check what's wrong now? Is the file still there? Also I have made some tests on my wiki page: http://live.gnome.org/action/AttachFile/ThiloPfennig?action=AttachFile I found that I can't remove attachments on my own page. But I could remove files of other people like on GconfTools. This should be targeted by some ACLs. One problem is that generally on Moin you can remove an attachment via a wiki page which you can't get back simply (it's then still there but not attached to a page). So one option would be to only give a group of trusted users the ability to remove. I am not 100% sure that the "delete" right is bound to attachments also but I strongly believe that's the case.
Still valid
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/Infrastructure/Websites/issues/7.