A question for plugin developers. I am working on an API that will allow us to serve any asset from filestore (inline or as attachment). It is currently a plugin, but once I have received enough feedback, I will be making a PR to core. https://github.com/hypeJunction/Elgg-proxy
The new API will have a single handler, so plugins will no longer need to implement handlers à la icondirect.php. The URL of the handler will include the path to the file relative to dataroot, so this will ultimately expose the directory structure on filestore. Does anyone use sensitive user/identifying information as directory names on filestore? Any opposition to using such an approach?
The URL will be something like:
e = expiration time (0 for no expiration)
l = last modified time
d = disposition (inline or attachment)
HMAC signature of the request
path to file on filestore
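An added example, not code from the post or from the Elgg-proxy plugin: a plain-PHP sketch of how a single handler could sign and verify the parameters listed above. Only `e`, `l` and `d` come from the post; the `/serve-file` URL layout, the `sig` and `path` parameter names, the SHA-256 choice and the secret are assumptions. The signature makes the path tamper-evident but does not hide it, which is the exposure the post asks about.

```php
<?php
// Added example. Only e, l and d come from the post; every other name is hypothetical.
const SECRET = 'constructed-demo-key'; // assumption: per-site secret stored outside dataroot

function canonical(int $e, int $l, string $d, string $path): string {
    // Fixed field order; the free-form path goes last so fields cannot be confused.
    return implode("\n", [$e, $l, $d, $path]);
}

function sign_url(string $path, int $e, int $l, string $d): string {
    $sig = hash_hmac('sha256', canonical($e, $l, $d, $path), SECRET);
    $query = ['e' => $e, 'l' => $l, 'd' => $d, 'sig' => $sig, 'path' => $path];
    return '/serve-file?' . http_build_query($query);
}

// Returns the absolute file path to serve, or null when the request is rejected.
function verify_request(array $q, string $dataroot, int $now): ?string {
    foreach (['e', 'l', 'd', 'sig', 'path'] as $key) {
        if (!isset($q[$key]) || !is_string($q[$key])) return null;
    }
    if (!ctype_digit($q['e']) || !ctype_digit($q['l'])) return null;
    if (!in_array($q['d'], ['inline', 'attachment'], true)) return null;
    $e = (int) $q['e'];
    $expected = hash_hmac('sha256', canonical($e, (int) $q['l'], $q['d'], $q['path']), SECRET);
    if (!hash_equals($expected, $q['sig'])) return null;   // constant-time comparison
    if ($e !== 0 && $e < $now) return null;                // e = 0 means no expiration
    // Defence in depth: the resolved file must still sit under dataroot.
    $root = realpath($dataroot);
    if ($root === false) return null;
    $file = realpath($root . DIRECTORY_SEPARATOR . $q['path']);
    if ($file === false || !is_file($file)) return null;
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// Constructed sample data: a throwaway dataroot with one file.
$root = sys_get_temp_dir() . '/dataroot_demo_' . getmypid();
mkdir("$root/1/42", 0700, true);
file_put_contents("$root/1/42/avatar.jpg", 'constructed sample bytes');
$now = time();
$url = sign_url('1/42/avatar.jpg', $now + 3600, $now, 'inline');
parse_str(parse_url($url, PHP_URL_QUERY), $q);
echo $url, "\n";
var_dump(verify_request($q, $root, $now));                         // untouched link
var_dump(verify_request(['d' => 'attachment'] + $q, $root, $now)); // disposition changed
var_dump(verify_request($q, $root, $now + 7200));                  // replayed after expiry
```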
Ura, this design document (for issue #4712) mentions how Drupal manages files somewhat. Basically track them in the DB and regularly sweep them up if unused. It may not be any more hacky than what would land in core, but it'd be great to have a sanctioned solution available or even a core recommendation of how to implement it.
oh ok - i just clicked the link to that document, steve - but i need to be given permission to view it.
I'm in favor of IK's implementation here