Sense of XOOPS_TRUST_PATH

Requested and Answered by Mamba on 2008/10/6 2:38:26


From XOOPS_Tips:

XOOPS_TRUST_PATH was introduced by GIJOE (based on minahito’s idea, as GIJOE credited). The concept of XOOPS_TRUST_PATH is to secure a Xoops module by moving all of the module’s PHP files out of the web root, or DOCUMENT_ROOT.

In doing so, modules cannot be easily tampered with by potential crackers, especially if the module has private files included under the document root.

(The tip about moving the MySQL username and password out of mainfile.php or the document root is essentially the same idea.)

The second benefit of using XOOPS_TRUST_PATH is that module duplication can be streamlined and become manageable, if the module developer has adopted the idea.

Anyone who has attempted to duplicate a Xoops module can attest to the difficulties of doing that.

GIJOE has introduced several duplicable modules. Though V2/D2 (as GIJOE named it) makes duplication easier, they are still not that easy to maintain. Most importantly to some, naming your modules “/modules/news/” and “/modules/news1/” is not a professional way of naming modules.

With the introduction of XOOPS_TRUST_PATH and duplicable modules – or Duplicable V3/D3 – you are free to give the module whatever name you wish. You can have many instances of the same module, each with its own template files and MySQL table files, all running securely from a single module outside of the web root directory. Template files are installed with the module name appended so that you can customize them to differentiate one duplicate from another (see caution).

Of course, the module must be developed and written to use XOOPS_TRUST_PATH. So far not many modules take advantage of the idea; a handful of Japanese developers are releasing modules based on D3. Hopefully, we will see more and more module developers adopt D3.

Bulletin (a much improved and versatile news module) developed by Suin is one of the modules that use XOOPS_TRUST_PATH
(http://suin.jp/modules/mydownloads/singlefile-cid-10-lid-12.html)

Note: Bulletin works fine under original Xoops even though Suin does not specify support for the platform.

To use XOOPS_TRUST_PATH, you must edit mainfile.php to add a constant defining the XOOPS_TRUST_PATH location.

The location should be outside your document root to get the security benefit.

If your Xoops web root is
/home/yourname/public_html

Then you should create a directory under /home/yourname, parallel to public_html (NOT UNDER it, otherwise it will defeat the whole security purpose of moving files out of the web root).

We will name the directory “xoops-secure”, so we add one entry to mainfile.php:
define('XOOPS_TRUST_PATH','/home/yourname/xoops-secure');

Then create a directory named “modules” under xoops-secure. Don’t forget to chmod 705 both directories for extra security.
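
As an added example (not part of the original tip or of XOOPS itself), the following shell function checks the layout described above: the trust path must resolve to a location outside the web root, contain a modules directory, and both directories must be mode 705. The temporary demo directory standing in for /home/yourname is constructed.

```shell
#!/bin/sh
# Added example: verify a XOOPS_TRUST_PATH layout. All paths are constructed.

# Print the canonical (symlink-resolved) form of a directory, or fail.
canon() {
    ( cd -- "$1" 2>/dev/null && pwd -P )
}

# Succeed only if $1 is a directory whose permission bits are exactly 705.
mode_is_705() {
    [ -n "$(find "$1" -prune -type d -perm 705 -print 2>/dev/null)" ]
}

# check_trust_path WEBROOT TRUSTPATH
# Returns 0 when the layout matches the tip, non-zero with a reason otherwise.
check_trust_path() {
    webroot=$(canon "$1") || { echo "web root not found: $1"; return 2; }
    trust=$(canon "$2")   || { echo "trust path not found: $2"; return 2; }

    # A trust path equal to or below the web root is reachable over HTTP,
    # which defeats the purpose. Symlinks are resolved before comparing.
    case "$trust/" in
        "$webroot"/*) echo "FAIL: $trust is inside web root $webroot"; return 1 ;;
    esac

    [ -d "$trust/modules" ] || { echo "FAIL: $trust/modules is missing"; return 1; }

    for d in "$trust" "$trust/modules"; do
        mode_is_705 "$d" || { echo "FAIL: $d is not mode 705"; return 1; }
    done
    echo "OK: $trust is outside $webroot"
}

# Constructed demo: a temp directory stands in for /home/yourname.
demo=$(mktemp -d)
mkdir -p "$demo/public_html" "$demo/xoops-secure/modules"
chmod 705 "$demo/xoops-secure" "$demo/xoops-secure/modules"
check_trust_path "$demo/public_html" "$demo/xoops-secure"
rm -rf "$demo"
```

On a real site, pass your actual web root and the value you defined for XOOPS_TRUST_PATH in mainfile.php.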

Unzip the Bulletin module. The Bulletin module has two directories:
html/modules/bulletin – upload contents to your web root as you would do with regular modules
xoops_trust_path/modules/bulletin – upload contents under xoops-secure/modules/

Do the module installation as usual; you will have one module called bulletin installed in your Xoops.

Now, we will install a second instance of the same Bulletin module.

You can rename bulletin under html/modules/bulletin to whatever you want; let us name it “xnews”. Upload the contents to the modules directory under the web root, then install it. Now you have two identical Bulletin modules installed – bulletin and xnews!

You can also rename the Bulletin module the first time you install it, even if you are going to use the Bulletin module only once. You are free to rename Bulletin to whatever name you have in mind if you don’t want to use that name for your modules.

The bulletin module name under XOOPS_TRUST_PATH cannot be changed. If you wish to make changes to the module files, you should do that under XOOPS_TRUST_PATH/modules/bulletin, as the module files under the Xoops root are all redirect files.

To differentiate the two instances of the Bulletin module, you can customize template files (GIJOE’s tplsadmin module is a great way of modifying template files).


Words of Caution Using Bulletin
Bulletin provides an easy way of converting existing News module articles into Bulletin articles. If you have an existing site with a large number of articles, you should think twice before you convert them.

Bulletin URLs are different from News URLs. Converting to and using Bulletin will totally mess up your search engine index. If you are getting a fair amount of traffic from search engines, you probably should not do the conversion.

If you are starting anew, the Bulletin module should be seriously considered as an alternative to the News module.


Words of Caution Using D3
The template files are centralized - if you UPDATE the module, the template files of all duplicated modules will be overwritten.


Other Things You Can Play with XOOPS_TRUST_PATH
"Fastest Cache per each page" hack by GIJOE.

This Q&A was found on XOOPS Web Application System : https://xoops.org/modules/smartfaq/faq.php?faqid=702