data folder in web directory

Hi,

It is recommended that the Elgg data folder should not be in a web-accessible directory (e.g. /data/ when scripts are in /www/).

I usually respect that, but sometimes the host doesn't allow any FTP access outside the web directory, therefore forcing me to put the data/ directory inside the main directory (i.e. at the same level as engine/, mod/, etc.).

It's not good, but it should be ok with an htaccess file denying access to anyone.

I had to use that trick several times in Elgg versions 1.5 and then 1.7 without any problem, but only in subdirectories. I tried it today with Elgg 1.8.1, but this didn't seem to work as expected: writing in that directory seems denied, though the folder permissions are more than what is usually needed (775 instead of 644+X).

So I wondered if there is any hardcoded piece of script in Elgg core that forbids using a "data" folder at the same level as the core folders, or if it is only a (good) recommendation that we could skip when there is no other solution?

Thanks !

  • The installer checks this, but I don't think there is anything else in Elgg that checks this.

    By the way, if you put an .htaccess file in your data directory that denies direct access, a user can upload a .htaccess file to their data directory and override that. That's the way that .htaccess files work. You would need to prevent the uploading of .htaccess files and/or set Apache so that AllowOverride is turned off for the data directory.
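
The AllowOverride point from the reply above, as an added configuration example that is not part of the original thread or of Elgg itself. The path `/var/www/elgg/data` is a placeholder for wherever the data folder sits inside the web root, and the block assumes you can edit the server or virtual-host configuration.

```apache
# WEAK: deny rule kept in data/.htaccess (the setup described in the question).
# It only works while AllowOverride lets Apache read .htaccess files, and
# Apache then also reads any .htaccess found in deeper subdirectories, so a
# file written there later can undo the deny for its own subtree.
#
#   data/.htaccess:
#       Require all denied

# HARDENED: move the rule into the server or virtual-host configuration.
# <Directory> sections are not allowed inside .htaccess files, so this has
# to be placed in httpd.conf or the vhost file.
<Directory "/var/www/elgg/data">
    # Ignore every .htaccess file in this directory and everything below it,
    # including any that arrive through uploads.
    AllowOverride None

    # Refuse all HTTP requests for files under the data directory.
    # Apache 2.4 syntax; on Apache 2.2 the equivalent is:
    #     Order allow,deny
    #     Deny from all
    Require all denied
</Directory>
```

This only blocks HTTP access. The web server user still needs filesystem write permission on the directory for Elgg to store files there.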