tafka Server unable to read htaccess file
This was the original problem. .htaccess files need to be readable by the webserver. This is true for all other DokuWiki files. The webserver needs to at least be able to read them.
If that's possible depends on
- what user and group does webserver run as?
- what user and group owns the files?
- what are the file permissons on the file?
- on some sytems SELinux and FACLs may play a role
All of this has nothing to do with the user of your wiki. Do not try to use unix permissions to manage access for your users. This does not work.
Sidenote: Stuff like this can work different on Windows System with IIS involved. It's total bullshit and PITA, but we're talking Unix/Linux here).
The first thing you should do is fix your permission setup. Figure out the three things above. Adjust permission on the file system and in the dmode fmode settings accordingly. Read https://www.dokuwiki.org/install:permissions#unix for more info. Keep in mind that if you are accessing the server by FTP, your FTP user might differ from the web server user.
tafka Well reading from here: https://www.dokuwiki.org/security#plugin_security
Plugins are installed under the DokuWiki lib directory, which is directly accessible from the outside. Review what a plugin contains and lock down access with .htaccess files as appropriate.
Welp. It seems I have to add a .htaccess file?
All files within the lib directory are meant to be publicly accessible from the web. Plugins need to do their own permission checks. .htaccess files should really not be needed for any plugin. I'll see to adjust this line as it is somewhat misleading.
This brings us to the statistics plugin. From a very quick glance, it seems you are right. The img.php graph writer seems to miss a check if the request is made by an authenticated user. You might want to report this as a bug in it's issue tracker.