Require users to login to view attachments on private sites

Thank you jeff-themovie for this implementation!

1 files changed, 15 insertions, 5 deletions

diff --git a/README b/README
index 6e39890cb..c26fe786e 100644
--- a/README
+++ b/README
@@ -710,11 +710,21 @@ private site, but users of the private site may be able to subscribe
 to users on a remote site. (Or not... it's not well tested.) The
 "proper behaviour" hasn't been defined here, so handle with care.
 
-If fancy URLs is enabled, access to file attachments can also be
-restricted to logged-in users only. Uncomment the appropriate rewrite
-rule in .htaccess or your server's httpd.conf. (This most likely will
-not work if you are using a virtual server for attachments, so consider
-the performance/security tradeoff.)
+Access to file attachments can also be restricted to logged-in users only.
+1. Add a directory outside the web root where your file uploads will be
+   stored. Usually a command like this will work:
+
+           mkdir /var/www/mublog-files
+
+2. Make the file uploads directory writeable by the web server. An
+   insecure way to do this is:
+
+           chmod a+x /var/www/mublog-files
+
+3. Tell StatusNet to use this directory for file uploads. Add a line
+   like this to your config.php:
+
+           $config['attachments']['dir'] = '/var/www/mublog-files';
 
 Upgrading
 =========