ENHANCEMENT: protecting the "dms-assets" folder from web access

2024-10-22 14:05:56 +02:00 · 2012-08-07 11:02:57 +12:00 · 2012-08-07 11:02:57 +12:00 · c571d5bc8d
commit c571d5bc8d
parent c44434d498
3 changed files with 19 additions and 3 deletions
--- a/code/DMS.php
+++ b/code/DMS.php
@ -6,7 +6,6 @@ class DMS implements DMSInterface {
 	//How many documents to store in a single folder. The square of this number is the maximum number of documents.
 	//The number should be a multiple of 10
 	static $dmsFolderSize = 1000;
-	static $dmsPath;    //DMS path set on creation
 	static $modelClass = 'DMSDocument';
 	
 	static function set_model_class($className){
@ -20,10 +19,18 @@ class DMS implements DMSInterface {
 	 * @return DMSInterface An instance of the Document Management System
 	 */
 	static function getDMSInstance() {
-		self::$dmsPath = BASE_PATH . DIRECTORY_SEPARATOR . self::$dmsFolder;
+		$dmsPath = self::get_DMS_path();

 		$dms = new DMS();
-		self::createStorageFolder(self::get_DMS_path());
+		if (!is_dir($dmsPath)) {
+			self::createStorageFolder($dmsPath);
+		}
+
+		if (!file_exists($dmsPath . DIRECTORY_SEPARATOR . '.htaccess')) {
+			//restrict access to the storage folder
+			copy(BASE_PATH . DIRECTORY_SEPARATOR . 'dms' . DIRECTORY_SEPARATOR . 'resources' . DIRECTORY_SEPARATOR . '.htaccess',  $dmsPath . DIRECTORY_SEPARATOR . '.htaccess');
+			copy(BASE_PATH . DIRECTORY_SEPARATOR . 'dms' . DIRECTORY_SEPARATOR . 'resources' . DIRECTORY_SEPARATOR . 'web.config', $dmsPath . DIRECTORY_SEPARATOR . 'web.config');
+		}
 		return $dms;
 	}

--- a/resources/.htaccess
+++ b/resources/.htaccess
@ -0,0 +1,3 @@
+<Files *>
+    Deny From All
+</Files>
--- a/resources/web.config
+++ b/resources/web.config
@ -0,0 +1,6 @@
+<system.web>
+	<authorization>
+		<allow users="username">
+		<deny users="*"/>
+	</authorization>
+</system.web>