CRM_Utils_Check - Soften messages for read-only extensionsDir #11895

Merged
merged 3 commits into from Mar 29, 2018

Commits on Mar 28, 2018

  1. CRM_Utils_Check_Component_Env - Remove redundant check for extensionsDir

    When you have a non-writeable extensions directory, *two* status checks will
    complain about it (`checkDirsWritable`, `checkExtensions`).  Between the two,
    `checkExtensions` is smarter.
    totten committed Mar 28, 2018
    1c6ff0a
  2. CRM_Utils_Check_Component_Env - Soften messages for read-only extDir

    There are competing schools of thought on whether extension folders should be web-writable:
    
    * Sometimes, the most active (or the only) admins are web-based. Making the folder writeable lets them keep extensions up-to-date through the web UI.
      This includes applying security-fixes for extensions. Thus, sites with writeable extdir are harder to attack (more secure).
    * Sometimes, the most active (or the only) admins don't use the web-based admin UI, and they don't trust any web-based users to do administration.
      They don't want the folder to be writeable.
    * If there's a flaw that allows writing to the filesystem, it could be escalated to writing+executing code. Thus, sites with read-only
      extdir are harder to attack (more secure).
    
    This commit tries to accept each scenario as valid -- but communicate
    better.  Instead of flatly describing the read-only dir as erroneous,
    present a warning with some choice/trade-off.
    totten committed Mar 28, 2018
    37b705a
  3. 599164f