We are moving to Git Issues for bug tracking in future releases. During transition, content will be in both tools. If you'd like to file a new bug, please create an issue.

Bug 1452 - Remove public files directory
Remove public files directory
Status: NEW
Product: OJS
Classification: Unclassified
Component: Framework
All All
: P2 normal
Assigned To: PKP Support
Depends on:
Blocks: 6058
  Show dependency treegraph
Reported: 2005-04-29 13:13 PDT by Kevin Jamieson
Modified: 2015-03-24 15:33 PDT (History)
4 users (show)

See Also:
Version Reported In:
Also Affects:


Note You need to log in before you can comment on or make changes to this bug.
Description Kevin Jamieson 2005-04-29 13:13:38 PDT
For 2.0, consider moving the public files directory under the primary
(non-web-accessible) files directory, with files accessed via script (with no
ACL checks, i.e. the files are still "public")
Comment 1 Kevin Jamieson 2005-04-29 17:15:19 PDT
Deferring for consideration to 2.1.

Advantages of this move:
- All writeable files are within the same directory structure, and cannot be
directly accessed
- Public files can be manipulated from the Files Browser

- Possible difficulties in determining mimetype ("mime_content_type" is not
always available, so need a portable fallback)
- Less friendly URLs (irrelevant?)
- Some additional overhead in accessing these files (may be negligible?)
Comment 2 Alec Smecher 2006-01-08 10:01:37 PST
Comment 3 Alec Smecher 2009-05-21 09:20:41 PDT
Deferring again.
Comment 4 James MacGregor 2011-02-15 12:06:34 PST
We've had a few other recent requests for different handling of the public/ dir -- specifically so that it is also accessible via the Files Browser. I think it makes sense to reschedule this bug for an upcoming release.
Comment 5 Clinton Graham 2014-07-08 13:29:55 PDT
I hadn't planned on making a PR of this, but we have a feature branch which adds the journal's (but not user's) public files to the Files Browser.  FYI.

Comment 6 Alec Smecher 2014-07-08 14:08:14 PDT
Clinton, I'm currently considering the public files directory to be a radioactive concept. If a malicious user gets hold of JM credentials, it means they can upload PHP scripts and execute them remotely.