kraymer wrote:
On Tue, 04 Mar 2008 17:04:53 -0500, Jim Pingle lists@pingle.org wrote:
Thomas Bruederli wrote:
Please let me know what you think of it and what's not working correctly. Thanks!
This may be partly my ignorance of svn commands showing, but is there any way to prevent the 'installer' folder from coming back every time you run "svn update"?
You could change ownership to root, group to www-data (apache), then chmod 700. svn update works and the folder is neither visible nor accessible to the web server. IMO this is protection enough. After all, you trust the web server to protect your config file too.
Someone else had mentioned making it unreadable by the web server, and I think that may be the route I go with. The same trick could also be used for the .svn directories; even if they are protected by Apache's access controls, a little extra security doesn't hurt in this case.
For the rest of the discussion, RoundCube could also add a login for the installer. Another great project, "gallery" (gallery.menalto.com), does this for their updater script (run after svn updates) and it works pretty well (of course, you can still just delete/move the folder).
There are a few other projects that go this route, such as eGroupWare. The main problem with that route on RoundCube is how you set the password in the first place. RoundCube doesn't have its own internal database of usernames and passwords like Gallery or other projects, or a mechanism by which to designate any certain login an administrator. It could be solved or worked around, but it could end up making the installation more complex.
Jim
_______________________________________________
List info: http://lists.roundcube.net/dev/
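The permission approach discussed in this thread, as an added shell example that is not part of the original messages or RoundCube's own code: `audit_webroot` lists `installer` and `.svn` directories that still grant group/other access or are owned by the web server account, and `lock_down` applies the `chmod 700` mentioned above. The function names and the `www-data` default are assumptions; the ownership change needs root and is left as a comment.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: audit_webroot, lock_down,
# and "www-data" as the default web server account.

# List 'installer' and '.svn' directories under $1 that grant any group/other
# permission bit or are owned by the web server user ($2).
# Returns 0 when nothing is exposed, 1 otherwise.
audit_webroot() {
    web_user=${2:-www-data}
    exposed=$(find "$1" -type d \( -name installer -o -name .svn \) -prune -print |
        while IFS= read -r dir; do
            entry=$(ls -ld "$dir")
            perms=$(printf '%s\n' "$entry" | cut -c5-10)   # group+other bits
            owner=$(printf '%s\n' "$entry" | awk '{print $3}')
            if [ "$perms" != "------" ] || [ "$owner" = "$web_user" ]; then
                printf '%s\n' "$dir"
            fi
        done)
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Apply the mode from the thread to the same directories (non-recursive,
# since a 700 directory already blocks traversal into its contents).
lock_down() {
    find "$1" -type d \( -name installer -o -name .svn \) -prune \
        -exec chmod 700 {} \;
    # As root, also hand ownership away from the web server account:
    #   chown root:www-data <each directory printed by audit_webroot>
}
```

Running `audit_webroot` after each `svn update` catches the case raised in the thread, where the update brings the `installer` folder back with default permissions.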