Elgg data directory

Why does it say the Elgg data directory should be placed outside the Elgg application folder? What security issues arise if we don't do it that way?

  • The elgg application folder is publicly accessible - you don't want the data directory to be accessible to anybody.  The data directory is where uploaded files etc. will actually reside.  It can potentially be put in the application folder and access controlled with .htaccess and/or permissions - but if it's outside of a publicly accessible folder there's no chance of accidental breach of security that way.

  • Hi Matt ..

    Thanks for your feedback, but my question is: is it still accessible if we put the data directory outside the application folder as follows?

    datadir/ - data directory

    elggdir/ - application directory

    We have Linux hosting and we put our elggdir in public_html as public_html/elggdir and we put datadir in public_html as public_html/datadir. Then are both these folders accessible through the domain?

  • In that case your datadir will be publicly accessible. Move it one more level above (the same level as public_html) and it won't be available to the public then.

  • Thanks,

    1. Why can't we give access to the data directory? If a profile image is displayed in Elgg, I think it is accessed from the data dir, so in the HTML code one can easily trace out the location of the data dir?

    2. I think it is the app directory that needs to be protected; it is a better idea not to give access to any of the files in the application directory.


  • 1. Why can't we give access to the data directory? If a profile image is displayed in Elgg, I think it is accessed from the data dir, so in the HTML code one can easily trace out the location of the data dir?

    The access to files saved in the data directory is handled by the Elgg engine to only present files to people who have the rights (e.g. logged in users, friends or nobody except the member who uploaded the file). Of course the webserver needs to be able to write and read the files saved in the data directory but nobody else should have direct access to them. Therefore, the data directory should be outside the document root folder (e.g., the public_html folder). If you simply create the directory to be used as Elgg data directory outside public_html - in your webspace home directory - everything will work well and nobody will be able to access the files directly (in the worst case even delete them) but only via your Elgg site as served by the Elgg engine.

    2. I think it is the app directory that needs to be protected; it is a better idea not to give access to any of the files in the application directory.

    The Elgg installation directory does not need any write access by the webserver (more precisely, write access is only needed during installation to create .htaccess and settings.php). For security only read access should be configured for the files and directories of the Elgg root directory and its subdirectories. For the data directory though write access is necessary as it wouldn't be possible to upload any files otherwise. Therefore, it's safest to create the data directory outside the public_html folder as only the webserver will be able to save / read / delete files controlled by Elgg into it and not any people who visit your server. Members of your site still can access the files ON your site if they have the proper rights but they can not directly access the files.

    So, simply do as suggested and create the data directory in your webspace home directory outside public_html.
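The layout discussed above (elggdir and datadir both under public_html versus datadir one level up) can be checked from the hosting shell. This is an added example, not code from the thread or from the Elgg project; it assumes a Linux/BSD sh with stat(1), and the directory names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the Elgg thread or project: check whether an
# Elgg data directory sits inside the web document root (so the webserver
# would serve its files by URL) and whether its permissions let "others"
# read or traverse it. Paths used in demo() are constructed.

# 0 if DATADIR is outside DOCROOT, 1 if inside, 2 if either path is missing.
datadir_outside_docroot() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    datadir=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$datadir/" in
        "$docroot"/*) return 1 ;;   # e.g. public_html/datadir: reachable by URL
        *)            return 0 ;;   # e.g. ~/datadir beside public_html
    esac
}

# 0 if the "others" permission digit is non-zero (any local user can read or
# traverse the directory), 1 if only owner/group have access, 2 on stat error.
datadir_world_accessible() {
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    case "$perms" in
        *0) return 1 ;;
        *)  return 0 ;;
    esac
}

# Prints a verdict for one layout; returns 0 only when both checks pass.
check_datadir() {
    rc=0
    if datadir_outside_docroot "$1" "$2"; then
        echo "ok: $2 is outside the document root $1"
    else
        echo "WARN: $2 is under $1 and is served by the webserver; move it one level up"
        rc=1
    fi
    if datadir_world_accessible "$2"; then
        echo "WARN: $2 is readable by other local users; consider chmod 770 owned by the webserver user"
        rc=1
    fi
    return $rc
}

# Demo on a constructed layout mirroring the thread.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/elggdir" "$root/public_html/datadir" "$root/datadir"
    chmod 755 "$root/public_html/datadir"; chmod 770 "$root/datadir"
    check_datadir "$root/public_html" "$root/public_html/datadir"   # warns
    check_datadir "$root/public_html" "$root/datadir"               # ok
    rm -rf "$root"
}
```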

  • Thanks for your kind advice,

    I have some more questions to ask.

    But again, the data directory can be accessed by the server admin by Linux commands?

    Can we create separate folders for each user for keeping their images and other data? I think then we can retrieve results faster?

    Moreover, is keeping the previously visited details of a client (ip, location, lat, log) in a php file in the same folder of that user in the data directory a good idea? Write access is only a problematic situation for the php file, but for that we are now before public_html in (datadir).

  • Of course you can access your data directory when you are logged in to the server, for example via ssh by Linux commands.

    The structure of the data directory will already have separate subdirectories for each user. The structure that will be created as soon as a user uploads any files is

    data_dir/<year>/<month>/<day of month>/<user GUID>/

    Year, month and day of month depend on when a user has joined your site and the user GUID is a unique identifier for each user. Within this directory the uploaded files can be ordered within more subdirectories, e.g. images, profile, files etc. These additional directories depend on the Elgg plugins used for uploading the content. But all these directories are created automatically. You won't need to create them on your own. You only need to create the base data directory and provide the full path to it when installing Elgg.

    Info about the user like ip address and location is not saved in the data directory. By default Elgg won't be able to retrieve / save this info anyway. For finding out the ip address used by a user when visiting you can add this plugin: http://community.elgg.org/plugins/446342/1.8.1/ip-address-tracker-plugin. It will save the last ip address used by a member in the Elgg database and you can check out this info on your site. The geo location of this ip address is not saved. But you can check out additional info about the ip address with an external service or provide a link in the plugin settings to an external site of your choice to get more info about the ip address.

    Using this plugin: http://community.elgg.org/plugins/874298/1.8.4/elgg-18-lastlogin you will also be able to get info about the last login and date of join of a user displayed on the profile pages (if you want it only to be visible for admins you can configure it this way). The date of join (including the user GUID) will also help you to find the user's subdirectory in the data directory quite easily.

  • iionly, thanks for your message.

    I think the data directory for a user is created only when he/she uploads his avatar? Is there any way to create the data directory of a user automatically when the account is validated by the admin or the user himself?

    I think that facility is nice; then we can store some more details in a php file in the data directory of that particular user.

    Does it degrade or upgrade the quality of the core?


  • The data directory is meant to save data and not to save scripts or execute scripts from. I don't think there's any need to save php files in the data directory. Instead write a regular Elgg plugin. Any data / values that correspond to a user should then be saved as metadata associated with this user object in the database.

  • Thanks. Normally I write a plugin if any additional module is required.

    But in this case it is to store a temporary value for a user. For storing this temporary value, why do we need to create a new field or new table? It increases the processing time of the result and accesses the database more?

    Can we create the data directory for a user while the account is getting validated?

    Additionally, how can I publish a plugin that I have already written? Are all plugins free to upload and download?