-
Notifications
You must be signed in to change notification settings - Fork 941
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move config directories (et al.) out of the webroot #86
Comments
👍 @greg-1-anderson proposed a different layout for Maybe this helps to move forward? |
👍 for settings.php in the repo. Lets ping a few other people :) // cc @drupal-composer/contributors @weitzman @deviantintegral @yched @pfrenssen @jcnventura |
settings.php in the repo is fine for me.
|
In drops-8, Pantheon modifies default.settings.php in addition to settings.php, because Drupal's instructions for reinstallation state that you should "copy your default.settings.php file over your settings.php file" if you want to re-install Drupal. If we simply modify settings.php, then we run the risk that users might blindly follow these instructions, removing customizations (config and private directory locations) that they did not realize were there. The situation here is different, though; Pantheon maintains drops-8 as a fork, but I don't think that this project wants to maintain a fork of Drupal, even for a file like default.settings.php. I am also reluctant to recommend additional scripts and hooks to fix up the default.settings.php. Perhaps the best thing to do would be to commit a settings.php file to the repository that contains comments recommending that the user relocate the config and private directories. We could also put an advisory in the README. This way, when the user followed these instructions, they would be aware that settings.php was no longer in a default state, and would be less likely to overwrite their customizations with default.settings.php. I admit that it would be nice if config and private files were simply placed in a nice location by default, so I am open to suggestions about which of these alternatives is actually best. |
Didn't read @weitzman's comment until after I saved mine. I think it sounds like comments in settings.php is perhaps the best way to go. |
+1 for settings.php in repo w/ include for settings.local.php |
@jcnventura: are voting for a settings.php file that uses:
or
|
+1 on this |
+1 |
As mentioned above, core treats settings.php files as "fork and edit", and using composer is already bringing in many differences compared to how a typical Drupal site is built. The fewer composer specific steps we have, the easier it is to get a new team on board with it. I'd say we should go for comments with suggestions, and only change default config values if there is a direct security implication or if it breaks using composer entirely. |
Another alternative would be to put the suggested configuration file settings into some other example file that we maintain here. We could then append this recommended file to the end of default.settings.php after |
We did this in 2f45db3 |
Hi @webflo I think this is still an issue! I have to manually create ..config/sync directory. The installer can't handle it. I am working in my home directory, no permission problems. The ..config/sync won't get created. I am using nginx as webserver, with this example vhost: Composer installed globally. Installation done with: Everything works fine. But the ..config/sync directory can't get created. Installing drupal-composer/drupal-project (8.x-dev c5f0d69) |
The web server user needs write permissions to the parent directory. |
Thanks @joelpittet. Isn't that a security issue when moving my installation to production server? |
It was only possible for me after I have followed this guide: My permissons:
This works for nginx as well! |
Hi @joelpittet, I am currently working on an ebook about drupal 8, could you confirm following the guide I already shared with you is a good way to go? Cheers |
We could add |
Brilliant Idea!!
…On 16 January 2018 at 08:51, Florian Weber ***@***.***> wrote:
We could add config/sync/README.txt to the git repo and the install
script should make the folder writable. Similar to how we handle is with
sites/default/files.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#86 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AIQ87JraajVbb3udrpz8cHbt6LBxo5VUks5tLGMHgaJpZM4Gvwq0>
.
|
Feature/WIOA-481 all plans Approved-by: Gerardo Maldonado <gerardo.maldonado@bixal.com>
It is a best practice to move as much as possible outside of the webroot. Specifically Drupal's config directories are stored inside of the webroot by default, but they really should be placed outside if possible. Because we have the dedicated
web
directory for the webroot, we can easily do this in the template, so that everyone using it automatically benefits from the added security measure.We simply have to change
in the
default.settings.php
toSome questions/problems arise from this, however (which is why I did not do a pull request directly):
web
directory, people might have different naming patterns. I always useconfig
for this, but people might have non-Drupal-specific config in their repos or whatever.update-scaffold
script when run, would revert any custom modifications to thedefault.settings.php
so I think we should find a solution to that before doing any custom modifications. One possibility would be to also commit a patch file, which theupdate-scaffold
script then applies. Not sure.Anyway, wanted to put this out there, so we can discuss.
Once we have figured this out, we should (IMO) also move private files (!!!) and also translation files out of the webroot, but I thought config was a good place to start.
The text was updated successfully, but these errors were encountered: