UserGuide: How to use PROTECTED_READ

If you want to keep your pages (content) private, you can use config option $PROTECTED_READ. If you use Apache server and have enabled .htaccess files, you don't need to read on, it will be secure without any modifications.

How does it work(Edit)

Very simply. LionWiki just denies every access to the pages unless user entered password. However, because LionWiki doesn't use database and it stores all the pages in plain text files, one can access pages without invoking LionWiki (e.g. you can insert something like this in browser: [].

How to solve this security hole?


Apache + .htaccess(Edit)

In default distributions, directories pages, history and plugins/data contains .htaccess with following content:

deny from all

This causes that every browser request to any file, directory or files in directories (and so on) are denied. This works for every Apache installation with .htaccess support enabled (absolute majority of sites I guess). As far as I know, Microsoft IIS has some support for .htaccess too, but I don't have any installation to test this.


Try to load this in your web browser: http://url_to_your_new_wiki/var/pages/Main+page.txt

If "Forbidden" page is displayed then .htaccess works fine and content is secure. If page is displayed, htaccess does not work and you have to find some other way to make it secure.

Renaming pages and history dirs to something unpredictable(Edit)

If you just rename these directories to something like "history%$*&()4564" then attacker won't be able to guess right path to the pages and history dir and therefore your data will be secure. This is not as secure as two options mentioned above, but it's quite easy.

Of course, you must change $PAGES_DIR and $HISTORY_DIR in your config file to the right values.

Other ways(Edit)

There are other ways to fix this problem (e.g. with right file permissions) but I'm too tired to describe them all.