PKP Bugzilla – Bug 5994
Remove all executable pages/controllers from pkp/lib.
Last modified: 2013-03-25 12:02:59 PDT
We are moving to Git Issues for bug tracking in future releases. During transition, content will be in both tools. If you'd like to file a new bug, please create an issue.
As an additional security measure executable pages should only be in the applications so that there is no danger at all that they could be used from applications that don't implement them (e.g. from the Harvester). We can make sure that pages cannot be executed from lib/pkp by adapting the router to no longer search for pages in the library and introduce simple wrapper classes in the applications' page directory.
On further thought, I'm content to allow controllers to be invoked directly in lib-pkp. Currently controllers that are "incomplete" (i.e. potentially dangerous, e.g. with unimplemented authorize() functions) live in classes/controllers, where they cannot be invoked directly; it's fair to assume that anything in lib/pkp/controllers should be considered safe to execute.