--- /dev/null
+[[!meta robots="noindex, follow"]]
+[[!if test="enabled(attachment)"
+ then="This wiki has attachments **enabled**."
+ else="This wiki has attachments **disabled**."]]
+
+If attachments are enabled, the wiki admin can control what types of
+attachments will be accepted, by entering a [[ikiwiki/PageSpec]] in the
+"Allowed Attachments" field of their preferences page.
+
+For example, to limit arbitrary files to 50 kilobytes, but allow
+larger mp3 files to be uploaded by joey, a something like this could be
+used:
+
+ (user(joey) and *.mp3 and mimetype(audio/mpeg) and maxsize(15mb)) or (!ispage() and maxsize(50kb))
+
+The regular [[ikiwiki/PageSpec]] syntax is expanded with thw following
+additional tests:
+
+* maxsize(size)
+
+ Tests whether the attachment is no larger than the specified size.
+ The size defaults to being in bytes, but "kb", "mb", "gb" etc can be
+ used to specify the units.
+
+* minsize(size)
+
+ Tests whether the attachment is no smaller than the specified size.
+
+* ispage()
+
+ Tests whether the attachment will be treated by ikiwiki as a wiki page.
+ (Ie, if it has an extension of ".mdwn", or of any other enabled page
+ format).
+
+ So, if you don't want to allow wiki pages to be uploaded as attachments,
+ use `!ispage()` ; if you only want to allow wiki pages to be uploaded
+ as attachments, use `ispage()`.
+
+* user(username)
+
+ Tests whether the attachment is being uploaded by a user with the
+ specified username. If openid is enabled, an openid can also be put here.
+
+* ip(address)
+
+ Tests whether the attacment is being uploaded from the specified IP
+ address.
+
+* mimetype(foo/bar)
+
+ This checks the MIME type of the attachment. You can include a glob
+ in the type, for example `mimetype(image/*)`.
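Review bot: the new `mimetype(foo/bar)` entry at the end of this page states flatly that "This checks the MIME type of the attachment", dropping the condition the old text carried ("If the [[cpan File::MimeInfo::Magic]] perl module is installed"). This page is now where an admin reads about the test while writing an allow rule, so the dependency should be mentioned in the entry itself, not only on the plugin page. Three typos in the added lines also need fixing before this lands: "a something like this could be used" (drop the "a", or restore "a test like this" from the old wording), "thw following", and "attacment" in the `ip(address)` entry. The last one was carried over from the removed text, so the move is a good time to correct it.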
contains html as a web page; including running any malicious javascript
embedded in that page.
-To provide a way to combat these abuses, the wiki admin can specify a
-[[ikiwiki/PageSpec]] on their preferences page, to control what types of
-attachments can be uploaded, and by whom. The regular [[ikiwiki/PageSpec]]
-syntax is expanded with additional tests.
+If you enable this plugin, be sure to lock that down, by entering a
+[[special_PageSpec|ikiwiki/pagespec/attachment]] in the "Allowed
+Attachments" field of the wiki admin's preferences page.
-For example, to limit arbitrary files to 50 kilobytes, but allow
-larger mp3 files to be uploaded by joey, a test like this could be
-used:
-
- (user(joey) and *.mp3 and mimetype(audio/mpeg) and maxsize(15mb)) or (!ispage() and maxsize(50kb))
-
-The following additional tests are available:
-
-* maxsize(size)
-
- Tests whether the attachment is no larger than the specified size.
- The size defaults to being in bytes, but "kb", "mb", "gb" etc can be
- used to specify the units.
-
-* minsize(size)
-
- Tests whether the attachment is no smaller than the specified size.
-
-* ispage()
-
- Tests whether the attachment will be treated by ikiwiki as a wiki page.
- (Ie, if it has an extension of ".mdwn", or of any other enabled page
- format).
-
- So, if you don't want to allow wiki pages to be uploaded as attachments,
- use `!ispage()` ; if you only want to allow wiki pages to be uploaded
- as attachments, use `ispage()`.
-
-* user(username)
-
- Tests whether the attachment is being uploaded by a user with the
- specified username. If openid is enabled, an openid can also be put here.
-
-* ip(address)
-
- Tests whether the attacment is being uploaded from the specified IP
- address.
-
-* mimetype(foo/bar)
-
- If the [[cpan File::MimeInfo::Magic]] perl module is installed, this
- allows checking the mime type of the attachment. You can include a glob
- in the type, for example `mimetype(image/*)`.
+This plugin will use the [[cpan File::MimeInfo::Magic]] perl module, if
+available, for mimetype checking.
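Review bot: the closing added sentence says the plugin "will use" File::MimeInfo::Magic "if available", but nothing in the new text says how a `mimetype()` test evaluates when the module is not installed. Since the paragraph above it tells admins to rely on the "Allowed Attachments" PageSpec as the defence against uploaded HTML running javascript, the page should state whether a rule containing `mimetype()` rejects or accepts uploads in that case, so an admin knows whether the rule protects them without the module. Separately, in "be sure to lock that down" the word "that" has no clear antecedent after the rewrite; the removed wording ("to control what types of attachments can be uploaded, and by whom") said what is being restricted, and a phrase like it would read better here.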