Attachments
Persons who do not have access to read an event will not have access to download that event's attachments, even if they call the attachment download script directly. If they try to download an attachment they do not have permission to view, they will be prompted to log in to Thyme.
However, someone may attempt to fetch an attachment directly from your web server, bypassing the download script altogether. For this reason, Thyme by default encrypts the filenames in your attachments directory and stores the files with a .dat extension. This makes it more difficult for persons to locate and retrieve an attachment file directly. Assuming you have no CGI program or handler associated with .dat files, it also prevents persons from uploading a malicious script (CGI, ASP, PHP, etc.) as an attachment and executing it on your web server.
If at all possible, you should move your attachments directory outside of your web server's document root. If this is not possible in your configuration, it is highly recommended that you deny all web access to your attachments directory in your web server's configuration. Consult your web server's manual for more information.
Note that Thyme places a .htaccess file in the default attachments directory which denies all web access to that directory. .htaccess files are only recognized by Apache, and only when Apache is configured to honor overrides for that directory.
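As an added illustration, not one of Thyme's own files, this is the kind of web server configuration the paragraph above refers to: an Apache <Directory> block in httpd.conf that denies all web access to the attachments directory for the case where it must remain under the document root. The path /var/www/html/thyme/attachments is an assumption; substitute your own.

```apache
# Assumed location of the Thyme attachments directory; adjust to match your install.
<Directory "/var/www/html/thyme/attachments">
    # Apache 2.4 and later: refuse every request for anything in this directory,
    # regardless of the file's extension.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2 equivalent, using the older mod_access syntax.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>

    # Belt and braces: even if a handler is ever mapped to .dat (or an uploaded
    # file slips through with another extension), nothing here may be executed.
    Options -ExecCGI -Indexes
</Directory>
```

Because this block lives in the main server configuration rather than in a .htaccess file, it applies even when AllowOverride is turned off for that directory; the download script, which reads the files from disk rather than over HTTP, is unaffected.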