Commit 4fad4a2e authored by Nigel McNie

Add 'insecuredataroot' configuration setting.

This allows you to run more than one separate Mahara installation against the same dataroot, as long as they're the same version. The setting should be untouched otherwise!
parent f1ff6b4c
......@@ -48,6 +48,17 @@ $cfg->dbprefix = '';
// this is a big security hole.
$cfg->dataroot = '/path/to/uploaddir';
// insecuredataroot - whether to enforce checking that files being served have
// come from dataroot. You would only want to turn this on if you were running
// more than one Mahara against the same dataroot. If you are doing that, make
// sure you create separate dataroots for each installation, but symlink the
// artefact directory from all of them to one of them, and turn on
// 'insecuredataroot' on all the ones you created symlinks for.
//
// If you don't know what you're doing/didn't understand the paragraph above,
// then leave this setting alone!
//$cfg->insecuredataroot = false;
// system mail address. emails out come from this address.
// if not specified, will default to noreply@ automatically detected host.
// if that doesn't work or you want something else, then specify it here.
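Review bot: The first line of the new comment, "whether to enforce checking that files being served have come from dataroot", reads as the inverse of what the setting does: going by the name and the commented-out default of false, setting it to true turns the check off. Suggest wording it as "set to true to skip the check that served files come from dataroot" and saying outright that this removes an access restriction. The setup text is also hard to follow: "separate dataroots for each installation" with the artefact directory symlinked "from all of them to one of them" leaves it unclear whether the installation holding the real artefact directory needs the setting too; "all the ones you created symlinks for" implies it does not, so state that explicitly.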
......
......@@ -56,7 +56,7 @@ function serve_file($path, $filename, $options=array()) {
'lifetime' => 86400
), $options);
if (substr($path, 0, strlen($dataroot)) != $dataroot) {
if (!get_config('insecuredataroot') && substr($path, 0, strlen($dataroot)) != $dataroot) {
throw new AccessDeniedException();
}
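Review bot: In serve_file(), the new condition `!get_config('insecuredataroot') && ...` skips the dataroot check entirely when the setting is on, so the only location restriction visible in this hunk no longer applies to any $path, not just to paths under the shared artefact directory. Consider keeping a check in that mode, for example comparing the resolved path against the directory the artefact symlink points to as well as $dataroot, so the setting widens the allowed location instead of removing it. Separately, the prefix test `substr($path, 0, strlen($dataroot)) != $dataroot` also accepts a sibling path that merely begins with the same string if $dataroot carries no trailing slash, so it is worth confirming how $dataroot is normalised before relying on it.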
......