1
guitahra
How would you make reference to the "Uploads" folder when you place above the public_html root?
  • 2006/5/12 7:26

  • guitahra

  • Just popping in

  • Posts: 18

  • Since: 2006/5/3 1


I would like to protect my Uploads folder and place it above the public_html folder. How do I make a reference to it in the path statement in my MyUploads.php for instance?

Thank you for your assistance,

g.

2
davidl2
Re: How would you make reference to the "Uploads" folder when you place above the public_html root?
  • 2006/5/12 8:15

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Which module are you using?

3
Will_H
Re: How would you make reference to the "Uploads" folder when you place above the public_html root?
  • 2006/5/12 13:40

  • Will_H

  • Friend of XOOPS

  • Posts: 1786

  • Since: 2004/10/10


wouldn't it be ".//" maybe that only works in shell

4
m0nty
Re: How would you make reference to the "Uploads" folder when you place above the public_html root?
  • 2006/5/12 14:05

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


it's not as simple as just changing the path, especially if it's a downloading module you are requiring it for. you also need to change how the script fetches the file and sends it to the user.. as a simple URL method will no longer work.

if you are wanting to protect the uploads folder for use with a downloads module, then i would highly recommend wf-downloads 3.1 RC2 available at SmartFactory, not only does it allow you to store the files outside the web root, but it also adds another level of protection by adding a unique key to each uploaded file, the key is then removed and replaced by just the normal submitted filename when a user requests to download it. the path is also hidden from the user.

5
guitahra
Re: How would you make reference to the "Uploads" folder when you place above the public_html root?
  • 2006/5/12 14:25

  • guitahra

  • Just popping in

  • Posts: 18

  • Since: 2006/5/3 1


Thank you for the many replies. And I am learning while I read each one. I hope others may use this information because security and having a relative path makes sense and everyone has an "Uploads" folder if you are using Xoops.

I am using the newbb_fileup module and want to protect both the "uploads" and the "thumb" folders. I re-installed XOOPS so that my URL path would be cleaner and now all my "src" tags pointing to the "Uploads" folder are pointing incorrectly. Placing the Uploads folder above the "public_html" folder has 2 benefits: you are better protected and the path always stays relative.

Because "Uploads" is a system wide folder - I would have to modify each mod that uses the "Uploads" folder? This - what would be nice to have, can turn out to be quite a job to do.

Quote:
if you are wanting to protect the uploads folder for use with a downloads module, then i would highly recommend wf-downloads 3.1 RC2 available at SmartFactory, not only does it allow you to store the files outside the web root, but it also adds another level of protection by adding a unique key to each uploaded file,


This sounds great but what about other modules that need to point to the Uploads folder - how do they know where the new location that wf-downloads has placed it?

Any Ideas for global use?

g.

6
m0nty
Re: How would you make reference to the "Uploads" folder when you place above the public_html root?
  • 2006/5/12 15:42

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


well, it's not really the location of the folder that's the problem.

the problem as you are probably aware by now is how all the other modules and even the core of XOOPS itself, *gets* the files from the uploads folder & then delivers it to the users browser.

most frequent methods used in XOOPS are to use a url method to point to the particular file whether it's an image file or software download.

it's these methods that would need to be altered as you have mentioned, the url needs to be replaced with an absolute path. it's not so hard to do, but there are many many places and edits needed to the core and other modules etc that may have to be slightly changed to make that happen.

to make it global initially, it would probably be easier to define a global absolute path, either in mainfile.php or by an editable xoopsconfig option in XOOPS preferences.

the editable method would be preferred.

then you would need to edit each script that has references to the uploads folder and change that to utilise the new path.

if done via xoopsconfig, it would be a matter of $xoopsConfig['uploads_path'] in replacement to the url and/or path used by the script. altho i make it sound really simple, it will be a lot of work to do globally for every module and area that fetches files from the uploads folder.. as most methods would use a relative path defined from XOOPS_ROOT_PATH etc, these would need to be replaced with an absolute path.
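The approach described in posts 4 and 6 (one globally defined absolute path, with files delivered by a script instead of a URL), as an added sketch that is not part of the thread and is not XOOPS or wf-downloads code. `UPLOADS_PATH`, `$catalog`, `resolve_download()` and the sample path and key are hypothetical; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not XOOPS or wf-downloads code. UPLOADS_PATH, $catalog and
// resolve_download() are hypothetical names; the path and key are constructed.

// Absolute path of the uploads directory above the web root, defined once
// (the thread suggests mainfile.php or a preferences option for this).
define('UPLOADS_PATH', '/home/example/uploads');

// Constructed sample: random key => [name on disk, name shown to the user].
// A real module would keep this mapping in its database table.
$catalog = [
    '3f9c1a7e5b2d4c68' => ['3f9c1a7e5b2d4c68_manual.pdf', 'manual.pdf'],
];

// Returns [absolute path, download name], or null if the request is refused.
function resolve_download(string $key, array $catalog, string $baseDir): ?array
{
    // The client supplies only a key, never a path or filename.
    if (!preg_match('/^[a-f0-9]{16}\z/', $key) || !isset($catalog[$key])) {
        return null;
    }
    [$stored, $public] = $catalog[$key];

    // realpath() resolves ".." and symlinks; refuse anything outside $base.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $stored);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return [$path, basename($public)];
}

// Request handling: the file is streamed by the script, so no URL points at it.
// A module's own permission check for the current user would go before this.
if (PHP_SAPI !== 'cli' && is_string($_GET['key'] ?? null)) {
    $hit = resolve_download($_GET['key'], $catalog, UPLOADS_PATH);
    if ($hit === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . addcslashes($hit[1], '"\\') . '"');
    header('Content-Length: ' . filesize($hit[0]));
    header('X-Content-Type-Options: nosniff');
    readfile($hit[0]);
    exit;
}
```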

7
guitahra
Re: How would you make reference to the "Uploads" folder when you place above the public_html root?
  • 2006/5/12 17:07

  • guitahra

  • Just popping in

  • Posts: 18

  • Since: 2006/5/3 1


Hi m0nty,

I think you have summarized this - it will be too much of a hassle. Does using another URL help protect these files? Does not seem so.

So having said all that you have written - I take it that there is really no practical solution in the way XOOPS is set up. To work efficiently, Xoops' core would have to accommodate a global setting and the modules would need to be updated and point to the "Mainfile.php" file. All modules would scan that path within "Mainfile.php."

I thought at first this was going to be simpler, then I discover all modules that use the Uploads folder would also need to be modified as we all agree, what a pain.

Conclusion: Leave it like it is?

g.

8
Dave_L
Re: How would you make reference to the "Uploads" folder when you place above the public_html root?
  • 2006/5/12 17:29

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


If your web server is Apache, you can protect the uploads folder without moving it.

I've written some modules that store files in that folder. Each module stores its files in the subdirectory uploads/modules/MODNAME, where MODNAME is the module's directory name. Then I can place an .htaccess file with the following contents in those subdirectories that I want to protect:

Deny from all

9
guitahra
Re: How would you make reference to the "Uploads" folder when you place above the public_html root?
  • 2006/5/12 19:04

  • guitahra

  • Just popping in

  • Posts: 18

  • Since: 2006/5/3 1


Quote:
Then I can place an .htaccess file with the following contents in those subdirectories


On sites where memberships are in the thousands, I don't think you want to use the htaccess. These are the first files that need to be searched for instruction for each request. If there is one htaccess file, Apache must look in every folder to see if there are others - this slows up performance especially in shared hosting environments. For small sites - I think you have a kind of a solution.

g.

10
falcon5
Re: How would you make reference to the "Uploads" folder when you place above the public_html root?
  • 2008/4/28 12:21

  • falcon5

  • Just popping in

  • Posts: 3

  • Since: 2007/11/14


I was looking for exactly the same and heard something about an Alias in Apache but don't know how to implement it.
Would this solve the problem or not?
