Hi everyone,

we've discussed this in JSST a while ago but since this a change impacting extensions quite a bit this deserves a discussion on this list as well.

Since Joomla 1.6 (or earlier? I'm not too sure) there have been efforts to limit all client accessible files to the media directory. The patch would disallow access to certain folders that should absolutely contain nothing that should be server to the client or accessed by it. This is a sort of minimum set to not cause too many problems. Personally I'm for disallowing access to more folders but I can see that many extensions still have their assets in the same folder as their code. We could however announce that access to other folders will disappear in the future.

The second change is that it disallows directory listings. Eventually that will hopefully allow us to get rid of those damn index.html files, if not it's still a win for those that have extensions that come without index.html files.

Patch: https://github.com/realityking/joomla-cms/compare/htaccess

Your thoughts?

Best regards
Rouven

smime.p7s 6K Download

+1

Prepping the system and developers for the eventual time when the only
thing in the docroot will be the media/assets folder, .htaccess file, and
the index.php (with all code files before the root) is a good thing. I
don't see this breaking anything.

What about those people operating on IIS or other web servers that do not
support htaccess

how do i remove a margin from my home page.

From: joomla-dev-cms@googlegroups.com [mailto:joomla-dev-cms@googlegroups.com] On Behalf Of Donald Gilbert
Sent: 05 September 2012 07:13 AM
To: joomla-dev-cms@googlegroups.com
Subject: [jcms] Re: Blocking access to some folders in Joomla 3.0

+1

Prepping the system and developers for the eventual time when the only thing in the docroot will be the media/assets folder, .htaccess file, and the index.php (with all code files before the root) is a good thing. I don't see this breaking anything.
--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To view this discussion on the web, visit https://groups.google.com/d/msg/joomla-dev-cms/-/cLG0QfpQQOIJ.
To post to this group, send an email to joomla-dev-cms@googlegroups.com<mailto:joomla-dev-cms@googlegroups.com>.
To unsubscribe from this group, send email to joomla-dev-cms+unsubscribe@googlegroups.com<mailto:joomla-dev-cms+unsubscri be@googlegroups.com>.
For more options, visit this group at http://groups.google.com/group/joomla-dev-cms?hl=en-GB.

I agree to restrict the access to folders and to move extension assets
to a common folder. However I have problem with the naming as media. I
really miss a Media-folder to store extension restricted Media e.g
uploaded images/video/pdf .... Why not a new folder? Some extensions
store Media in the media folder. I believe assets and media should be
kept apart.

folder assets -> store extensions icons, js, css .... (hopefully less
used with bootstrap)
folder media -> store extensions media, generally not public
folder images -> store public media, e.g available through  the editors.

This means that the installer beside the media folder has to handle the
assets folder. The handling of the media folder can probably not be
removed to be backword compatible.

Regards
Ove

Rouven We�ling skrev 04.09.2012 13:58:

On 05.09.2012, at 16:46, Ove <tobby.eriks...@gmail.com> wrote:

A folder for that use would be great but I wouldn't change the meaning of the existing media folder - too much depends on it.

On 05.09.2012, at 08:57, brian teeman <jooml...@googlemail.com> wrote:

I don't know enough about the IIS configuration file to do it myself - actually I don't even know if that level of control exists. Since this doesn't limit the functionality of Joomla - just one precaution missing - I don't think it's a deal breaker.

As for other web servers, AFAIK we only support IIS and Apache. With other server SEF URLs probably don't even work.

Best regards
Rouven

smime.p7s 6K Download

I thought you would say that. Yes it's probably to risky. But I really
need a Media folder to hook component media to. As is I by default store
them in the component folder even if it's not any preferred solution.
The user can change it in the configuration to images/xyz if he e.g. has
a single admin/editor or to any other folder. Also beeing a problem.
Using the current media folder for it, is no nice alternative since it's
about uploads also from frontend users. I could create an own folder in
the root. Good solution? No, don't think so

I suggest that Joomla with the installation adds a new mediafolder. A
future media manager could also support this path. As I'm not native
english I don't have any nice name suggestion .

Without this folder I probably get a problem with restricted access to
the components folder or a mess in other paths.

Regards
Ove

Rouven We ling skrev 05.09.2012 17:44:

On 05.09.2012, at 19:48, Ove <tobby.eriks...@gmail.com> wrote:

Just to clarify, the proposed patch aims for minimal problems and doesn't include the components, modules or plugins folder. Sometime in the future it should be expanded, but I think we need to give devs enough time to get adjust for this. (Yes in theory they had since 1.6 but how many are even aware of this?)

Best regards
Rouven

smime.p7s 6K Download

I think that the patch is ok.

Current media folder or working extensions aren't broken.

This will not free us from index.html files as this doesn't work on IIS.

El martes, 4 de septiembre de 2012 13:58:46 UTC+2, Rouven Weßling escribió:

support htaccess
As one that used nginx I've written htaccess alternative for nginx:
http://docs.joomla.org./nginx
We can just update I can assume that others will update other servers also.

On Wed, Sep 5, 2012 at 9:57 AM, brian teeman <jooml...@googlemail.com>wrote: