From c571d5bc8d0552708f24406b09f59f11d6993802 Mon Sep 17 00:00:00 2001
From: Julian Seidenberg
Date: Tue, 7 Aug 2012 11:02:57 +1200
Subject: [PATCH] ENHANCEMENT: protecting the "dms-assets" folder from web access

---
 code/DMS.php         | 13 ++++++++++---
 resources/.htaccess  |  3 +++
 resources/web.config |  6 ++++++
 3 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 resources/.htaccess
 create mode 100644 resources/web.config

diff --git a/code/DMS.php b/code/DMS.php
index 7988185..d6d0497 100644
--- a/code/DMS.php
+++ b/code/DMS.php
@@ -6,7 +6,6 @@ class DMS implements DMSInterface {
 	//How many documents to store in a single folder. The square of this number is the maximum number of documents.
 	//The number should be a multiple of 10
 	static $dmsFolderSize = 1000;
-	static $dmsPath; //DMS path set on creation
 	static $modelClass = 'DMSDocument';
 
 	static function set_model_class($className){
@@ -20,10 +19,18 @@ class DMS implements DMSInterface {
 	 * @return DMSInterface An instance of the Document Management System
 	 */
 	static function getDMSInstance() {
-		self::$dmsPath = BASE_PATH . DIRECTORY_SEPARATOR . self::$dmsFolder;
+		$dmsPath = self::get_DMS_path();
 		$dms = new DMS();
-		self::createStorageFolder(self::get_DMS_path());
+		if (!is_dir($dmsPath)) {
+			self::createStorageFolder($dmsPath);
+		}
+
+		if (!file_exists($dmsPath . DIRECTORY_SEPARATOR . '.htaccess')) {
+			//restrict access to the storage folder
+			copy(BASE_PATH . DIRECTORY_SEPARATOR . 'dms' . DIRECTORY_SEPARATOR . 'resources' . DIRECTORY_SEPARATOR . '.htaccess', $dmsPath . DIRECTORY_SEPARATOR . '.htaccess');
+			copy(BASE_PATH . DIRECTORY_SEPARATOR . 'dms' . DIRECTORY_SEPARATOR . 'resources' . DIRECTORY_SEPARATOR . 'web.config', $dmsPath . DIRECTORY_SEPARATOR . 'web.config');
+		}
 
 		return $dms;
 	}
 
diff --git a/resources/.htaccess b/resources/.htaccess
new file mode 100644
index 0000000..d28dde5
--- /dev/null
+++ b/resources/.htaccess
@@ -0,0 +1,3 @@
+
+	Deny From All
+
\ No newline at end of file
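Review bot: Neither copy() call in getDMSInstance checks its return value, so when BASE_PATH/dms/resources is absent (the module directory name is hard-coded into the source path) or the storage folder is not writable, the folder is left without its access restriction and nothing is reported; since blocking web access is the whole purpose of the change, that failure should be loud. The guard on the preceding line only tests for .htaccess, so a web.config that goes missing is never restored either. I would copy each rule file independently, skipping those already present, and raise a warning when a copy fails, as below. createStorageFolder and get_DMS_path are defined outside the hunk, so whether the former already tolerates an existing directory is not visible here.

```php
		// … unchanged: is_dir / createStorageFolder guard …
		//restrict access to the storage folder; report failure, since a missing rule file leaves documents web-accessible
		$resources = BASE_PATH . DIRECTORY_SEPARATOR . 'dms' . DIRECTORY_SEPARATOR . 'resources';
		foreach (array('.htaccess', 'web.config') as $ruleFile) {
			$target = $dmsPath . DIRECTORY_SEPARATOR . $ruleFile;
			if (file_exists($target)) continue;
			if (!copy($resources . DIRECTORY_SEPARATOR . $ruleFile, $target)) {
				user_error("DMS: could not copy $ruleFile into the document storage folder", E_USER_WARNING);
			}
		}
		// … unchanged: return $dms …
```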
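Review bot: `Deny From All` in the new resources/.htaccess is the Apache 2.2 mod_authz_host syntax; on Apache 2.4 it is only honoured when mod_access_compat is loaded, so the file should also carry the 2.4 form, `Require all denied`, with each directive inside an `<IfModule mod_authz_core.c>` / `<IfModule !mod_authz_core.c>` pair so the folder stays blocked on either version. The rule is also inert unless the server's AllowOverride for the storage path permits Limit, which is worth stating in the module's installation notes. The container element wrapping the directive was stripped from this extract, so its scope cannot be checked here.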
diff --git a/resources/web.config b/resources/web.config
new file mode 100644
index 0000000..4fcb866
--- /dev/null
+++ b/resources/web.config
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file