From b8f13a12a813aa81479243e6a567b52e0a6bb3f7 Mon Sep 17 00:00:00 2001 From: Ross Poulton Date: Wed, 15 Jul 2009 22:58:57 +0000 Subject: [PATCH] Issue #76: Disable directory listings for attachments. --- README | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/README b/README index b8385398..b374d338 100644 --- a/README +++ b/README @@ -114,11 +114,25 @@ the current version of Jutda Helpdesk working. (substitute www-data for the user / group that your web server runs as, eg 'apache' or 'httpd') - If all else fails ensure all users can write to it: + If all else fails ensure all users can write to it: chmod 777 attachments/ - This is NOT recommended, especially if you're on a shared server. + This is NOT recommended, especially if you're on a shared server. + +8. Ensure that your 'attachments' folder has directory listings turned off, + to ensure users don't download files that they are not specifically linked + to from their tickets. + + If you are using Apache, put a .htaccess file in the 'attachments' folder + with the following content: + + Options -Indexes + + You will also have to make sure that .htaccess files aren't being ignored. + + Ideally, accessing http://MEDIA_URL/helpdesk/attachments/ will give you a + 403 access denied error. ######################### 5. Initial Configuration
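Review bot: The new step 8 overstates what `Options -Indexes` achieves: it only stops the directory listing, so it hides attachment filenames from browsing rather than ensuring "users don't download files that they are not specifically linked to"; anyone who knows or can guess a path under `attachments/` can still fetch the file directly from the web server. Suggest rewording that sentence to say the listing is disabled so attachments cannot be discovered by browsing the folder, and noting that access control on the files themselves still depends on the web server (or on serving attachments through the application). Two smaller points in the same hunk: "make sure that .htaccess files aren't being ignored" would be more useful if it named the server-side setting involved (an `AllowOverride` that permits `Options` for that directory), since without it the `.htaccess` file silently does nothing; and the final check should say what a user should do if the URL returns a listing or a 200 instead of the expected 403, rather than only describing the ideal outcome. The two "If all else fails" / "This is NOT recommended" lines are removed and re-added with identical visible text, which looks like whitespace-only churn unrelated to the issue; consider dropping that from the patch.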