Nik TANG

Activity

  • Nik TANG replied on the discussion topic able to move the elgg files outside the public folder
  • Nik TANG added a new discussion topic able to move the elgg files outside the public folder in the group Feedback and Planning
    Currently all files required by elgg are stored under one root folder (e.g. public/elgg, where "public" is a www root folder for apache.) This is not secure. A better solution is to move all the files to a non-public folder, only the index.php and...
    • If the web server can write to the public web directory - regardless of whether you have one file there or a thousand, then there is a security hole. Moving most of the files out does not change this fact. It only means you have fewer file/directory permissions to keep track of.

      The reality right now is that Elgg has 2 user classes:

      1. people who want to download Elgg, ftp to their server, and run (a la WordPress)
      2. developers used to frameworks who would know how to configure an application laid out as you described

      The best solution is one that provides the flexibility to support both classes of users.

    • @cash

      Yeah, leaving only those public-accessible files in the public folder is just one of hundreds of web security measures. It can prevent potential direct access of elgg files which are not intended to be directly accessed, and make it easier to maintain the permissions as you mentioned (any upgrade of Elgg may bring new files that require a careful check of file permissions).

      To fit the two user classes, I think a default value for PATH_ELGG will do the trick. e.g.: add this to index.php:

      define('PATH_ELGG', dirname(__FILE__));

      For user class 1, this is totally transparent to them.

      For user class 2, they can change dirname() to whatever they want.

  • Nik TANG joined the group Feedback and Planning
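As an added illustration of the PATH_ELGG idea from the discussion above (this is example code written here, not code from Elgg or from either poster), a minimal front controller that is the only file left in the web root and that serves both user classes: the ELGG_PATH_OVERRIDE constant, the "engine" directory and the "start.php" bootstrap name are assumptions.

```php
<?php
// Added example: a minimal public/index.php front controller for the layout
// discussed in the thread. Only this file lives under the web root; the rest
// of the application (assumed here to be an "engine" directory) may sit
// anywhere, including outside the web root.

// User class 1 (unpack, ftp, run): nothing to configure. The engine sits next
// to index.php, so PATH_ELGG defaults to this file's directory.
// User class 2 (framework-style layout): define ELGG_PATH_OVERRIDE (assumed
// name) before this file is included, or edit the default, to point elsewhere.
if (!defined('PATH_ELGG')) {
    define('PATH_ELGG', defined('ELGG_PATH_OVERRIDE')
        ? ELGG_PATH_OVERRIDE
        : dirname(__FILE__));
}

$webroot = realpath(dirname(__FILE__));
$engine  = realpath(PATH_ELGG . '/engine');   // assumed directory name

if ($engine === false || !is_dir($engine)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Application engine directory not found; check PATH_ELGG.');
}

// Record (in the error log, never in the response) when the engine still
// resolves inside the web root: that layout leaves non-public files
// directly requestable, which is the problem the thread is about.
if (strpos($engine, $webroot . DIRECTORY_SEPARATOR) === 0) {
    error_log('PATH_ELGG resolves inside the web root ' . $webroot
        . '; move it outside to prevent direct access to application files.');
}

// cash's point: the web server process should not be able to write to the
// web root, whether it holds one file or a thousand. Log it so the operator
// can correct the permissions.
if (is_writable($webroot)) {
    error_log('Web root ' . $webroot . ' is writable by the web server process.');
}

require_once $engine . '/start.php';   // assumed bootstrap file name
```

With the default, the file behaves exactly like the one-line define() in the thread; with the override it refuses to start when the engine path is wrong instead of silently including from the web root.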