PKP Bugzilla – Bug 1452
Remove public files directory
Last modified: 2014-07-08 14:08:14 PDT
For 2.0, consider moving the public files directory under the primary
(non-web-accessible) files directory, with files accessed via script (with no
ACL checks, i.e. the files are still "public").
Deferring for consideration to 2.1.
Advantages of this move:
- All writeable files are within the same directory structure, and cannot be
- Public files can be manipulated from the Files Browser
- Possible difficulties in determining mimetype ("mime_content_type" is not
always available, so need a portable fallback)
- Less friendly URLs (irrelevant?)
- Some additional overhead in accessing these files (may be negligible?)
We've had a few other recent requests for different handling of the public/ dir -- specifically so that it is also accessible via the Files Browser. I think it makes sense to reschedule this bug for an upcoming release.
I hadn't planned on making a PR of this, but we have a feature branch which adds the journal's (but not user's) public files to the Files Browser. FYI.
Clinton, I'm currently considering the public files directory to be a radioactive concept. If a malicious user gets hold of JM credentials, it means they can upload PHP scripts and execute them remotely.
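The approach proposed in the description (public files kept outside the web root and served by a script, with a portable MIME type fallback), sketched as an added example that is not PKP code or part of any comment above. `PUBLIC_BASE`, the `file` query parameter, the extension map and the function names are assumptions made for illustration.

```php
<?php
// Added example, not PKP code. All names and paths below are hypothetical.
const PUBLIC_BASE = '/var/ojs-files/public'; // assumed location outside the web root

// Extension fallback, used only when neither fileinfo nor mime_content_type() exists.
const EXT_MAP = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'gif' => 'image/gif', 'pdf' => 'application/pdf'];
// Types a browser may render inline; anything else is sent as an opaque download.
const INLINE_TYPES = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'];

function detectMimeType(string $path): string
{
    if (class_exists('finfo')) {
        $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
        if (is_string($type) && $type !== '') return $type;
    }
    if (function_exists('mime_content_type')) {
        $type = mime_content_type($path);
        if (is_string($type) && $type !== '') return $type;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return EXT_MAP[$ext] ?? 'application/octet-stream';
}

function resolvePublicFile(string $requested): ?string
{
    $base = realpath(PUBLIC_BASE);
    $real = realpath(PUBLIC_BASE . '/' . $requested);
    // realpath() collapses "../" and symlinks; the result must stay under the base.
    if ($base === false || $real === false || !is_file($real)) return null;
    return strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $real : null;
}

function servePublicFile(string $requested): void
{
    $path = resolvePublicFile($requested);
    if ($path === null) { http_response_code(404); return; }
    $type = detectMimeType($path);
    $inline = in_array($type, INLINE_TYPES, true);
    header('Content-Type: ' . ($inline ? $type : 'application/octet-stream'));
    header('Content-Disposition: ' . ($inline ? 'inline' : 'attachment'));
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path); // bytes are streamed, never include()d, so an uploaded .php file is not executed
}

if (PHP_SAPI !== 'cli') {
    $file = $_GET['file'] ?? '';
    servePublicFile(is_string($file) ? $file : '');
}
```

Because the files sit outside the web root and are only ever passed to `readfile()`, the web server never hands an uploaded script to the PHP interpreter, whatever its extension.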