diff --git a/core/control/ContentController.php b/core/control/ContentController.php
index f7a3c0e3b..48bb7376f 100755
--- a/core/control/ContentController.php
+++ b/core/control/ContentController.php
@@ -29,7 +29,7 @@ class ContentController extends Controller {
 public static $allowed_actions = array (
 'PageComments',
 'successfullyinstalled',
-'deleteinstallfiles'
+'deleteinstallfiles' // secured through custom code
 );
 
 /**
@@ -423,6 +423,7 @@ HTML;
 $fourohfour->publish("Stage", "Live");
 }
 
+// TODO Allow this to work when allow_url_fopen=0
 if(isset($_SESSION['StatsID']) && $_SESSION['StatsID']) {
 $url = 'http://ss2stat.silverstripe.com/Installation/installed?ID=' . $_SESSION['StatsID'];
 @file_get_contents($url);
@@ -443,8 +444,7 @@ HTML;
     Email: $username
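Review bot: The new comment on the 'deleteinstallfiles' entry, "secured through custom code", does not say where the guard lives or what it checks, and $allowed_actions appears to be the whitelist that makes a method URL-routable, so it is exactly the place a later maintainer reads before adding or moving an entry. Name the guard so the dependency is visible: `'deleteinstallfiles' // guarded by Permission::check('ADMIN') inside the action itself; the check must move with this entry`. The rest of the class, including the action, is outside this hunk.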
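Review bot: The call the new TODO annotates, `@file_get_contents($url)`, still has no timeout, so when ss2stat.silverstripe.com is slow or unreachable the "successfully installed" page blocks for PHP's default_socket_timeout and the `@` hides the reason; the TODO covers allow_url_fopen=0 but not this. Wrap it so the phone-home cannot stall the install, e.g. `if(ini_get('allow_url_fopen')) @file_get_contents($url, false, stream_context_create(array('http' => array('timeout' => 5))));`, which also gives the TODO its fix. The request goes out over plain http with the StatsID in the query string; if that ID is meant to stay private, an https endpoint is worth considering. The enclosing method continues outside the hunk.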
    Password: $password

-

For security reasons you should now delete the install files, unless you are planning to reinstall later. The web server also now only needs write access to the "assets" folder, you can remove write access from all other folders.

-

Click here to delete the install files.

+

For security reasons you should now delete the install files, unless you are planning to reinstall later (requires admin login, see above). The web server also now only needs write access to the "assets" folder, you can remove write access from all other folders. Click here to delete the install files.

HTML ); @@ -455,14 +455,18 @@ HTML } function deleteinstallfiles() { + if(!Permission::check("ADMIN")) return Security::permissionFailure($this); + $title = new Varchar("Title"); $content = new HTMLText("Content"); $tempcontent = ''; $username = Session::get('username'); $password = Session::get('password'); + // We can't delete index.php as it might be necessary for URL routing without mod_rewrite. + // There's no safe way to detect usage of mod_rewrite across webservers, + // so we have to assume the file is required. $installfiles = array( - 'index.php', 'install.php', 'rewritetest.php', 'config-form.css',
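Review bot: The added `Permission::check("ADMIN")` guard in deleteinstallfiles() authenticates the caller but not the request: the success page above reaches this action through a plain link, i.e. a GET with no token, so any page an already-logged-in admin visits can trigger the deletion cross-site. A destructive action should additionally require POST and a per-session token, e.g. after the permission check `if(!isset($_POST['SecurityID']) || $_POST['SecurityID'] !== Session::get('SecurityID')) return Security::permissionFailure($this);` with the link turned into a small form that posts that value (assuming SecurityID is the form-token session key at this framework version; verify against Form). The unlink loop itself is outside the hunk, so I cannot see whether it also rejects paths outside the install set. The new comment explaining why index.php is kept is good and should stay next to the array.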