This repository has been archived by the owner on Nov 25, 2020. It is now read-only.

security with additional repositories in data folder #635

Closed
FotoVI opened this issue Sep 3, 2014 · 4 comments

Comments

@FotoVI

FotoVI commented Sep 3, 2014

Although it is recommended to create additional repositories outside of the web root,
many users create them inside of the data folder but lack knowledge about editing the .htaccess rules.
Thus, even repositories intended for private use are actually public.

I suggest setting access rules for the data folder in general to:

<../data/.htaccess>
    Order Deny,Allow
    Deny from all

And allowing access for public repositories:

<../data/publicfolder/.htaccess>
    Order Deny,Allow
    Allow from all
    <Files ".ajxp_*">
        Deny from all
    </Files>

The public access rule creation can be implemented as a feature that is set during repository creation, so even users without knowledge about .htaccess files get to create public repositories,
while enjoying security for private ones.
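As an added example (not part of the issue or of the AjaXplorer/Pydio code base), a hypothetical Python helper that writes the two rule sets above and audits a data folder for public repositories that forgot the `.ajxp_*` block; the temp directory and the folder names `privaterepo` and `leaky` are constructed for the demo.

```python
import os
import re
import tempfile

# Apache 2.2 "Order/Deny/Allow" syntax, as in the issue; Apache 2.4 would use
# "Require all denied" / "Require all granted" instead.
ROOT_RULES = "Order Deny,Allow\nDeny from all\n"
PUBLIC_RULES = ("Order Deny,Allow\nAllow from all\n"
                '<Files ".ajxp_*">\n    Deny from all\n</Files>\n')
# A <Files ".ajxp_*"> block whose body denies everyone (metadata stays private).
_META_DENY = re.compile(r'<Files\s+"?\.ajxp_\*"?>\s*Deny\s+from\s+all\s*</Files>', re.I)

def write_htaccess(folder, rules):
    """Create the folder if needed and write its .htaccess; returns the folder."""
    os.makedirs(folder, exist_ok=True)
    with open(os.path.join(folder, ".htaccess"), "w") as fh:
        fh.write(rules)
    return folder

def create_public_repo(data_dir, name):
    """What the app would do on the fly when an admin marks a repository public."""
    return write_htaccess(os.path.join(data_dir, name), PUBLIC_RULES)

def classify_repo(repo):
    """Classify one folder under data/ by reading only its own .htaccess."""
    path = os.path.join(repo, ".htaccess")
    if not os.path.exists(path):
        return "private"              # inherits the root "Deny from all"
    with open(path) as fh:
        rules = fh.read()
    if not re.search(r"^\s*Allow\s+from\s+all\b", rules, re.I | re.M):
        return "private"              # folder keeps or restates the deny
    return "public" if _META_DENY.search(rules) else "public-metadata-exposed"

def audit(data_dir):
    """Map every repository folder under data/ to its access class."""
    return {d: classify_repo(os.path.join(data_dir, d))
            for d in sorted(os.listdir(data_dir))
            if os.path.isdir(os.path.join(data_dir, d))}

def demo():
    """Constructed layout: a public repo created properly, a private repo
    with no .htaccess at all, and a hand-made one missing the .ajxp_* block."""
    data = write_htaccess(tempfile.mkdtemp(), ROOT_RULES)
    create_public_repo(data, "publicfolder")
    os.makedirs(os.path.join(data, "privaterepo"))
    write_htaccess(os.path.join(data, "leaky"), "Order Deny,Allow\nAllow from all\n")
    return audit(data)
```

The audit only reads directives; it does not evaluate Apache's merge order, so a repository whose `.htaccess` is silently ignored (`AllowOverride None`) must still be checked against the running server.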

@cdujeu
Member

cdujeu commented Sep 8, 2014

and that way we could also remove the .htaccess files under data/cache, data/tmp, etc... (they would be denied for all by default, right)?

@FotoVI
Author

FotoVI commented Sep 9, 2014

yes, those are redundant in that case

@FotoVI
Author

FotoVI commented Sep 9, 2014

You can start implementing this configuration right away,
the only variable I can see is newly created public folders by the user,
which need a .htaccess file created on the fly or a message box for the admin provisionally.

@cdujeu
Member

cdujeu commented Sep 18, 2014

impl. in dev branch

@cdujeu cdujeu closed this as completed Sep 18, 2014