SECURITY: provide option to disable the cloud 'root' directory and make the cloud module require a target channel nickname. This is a low impact change as there is currently no disclosure of private information. The presence of a file browser for all the channels on the site could be (and is reported to be) a concern to some people and there is no reason why it shouldn't be optional.
This commit is contained in:
zotlabs
parent
65cbc7c2bb
commit
b5e4a5f51c
@ -16,6 +16,10 @@ class Security {
|
||||
|
||||
$block_public = ((x($_POST,'block_public')) ? True : False);
|
||||
set_config('system','block_public',$block_public);
|
||||
|
||||
$cloud_noroot = ((x($_POST,'cloud_noroot')) ? 1 : 0);
|
||||
set_config('system','cloud_disable_siteroot',1 - $cloud_noroot);
|
||||
|
||||
|
||||
$ws = $this->trim_array_elems(explode("\n",$_POST['whitelisted_sites']));
|
||||
set_config('system','whitelisted_sites',$ws);
|
||||
@ -87,6 +91,7 @@ class Security {
|
||||
'$page' => t('Security'),
|
||||
'$form_security_token' => get_form_security_token('admin_security'),
|
||||
'$block_public' => array('block_public', t("Block public"), get_config('system','block_public'), t("Check to block public access to all otherwise public personal pages on this site unless you are currently authenticated.")),
|
||||
'$cloud_noroot' => [ 'cloud_noroot', t('Provide a cloud root directory'), 1 - intval(get_config('system','cloud_disable_siteroot')), t('The cloud root directory lists all channel names which provide public files') ],
|
||||
'$transport_security' => array('transport_security', t('Set "Transport Security" HTTP header'),intval(get_config('system','transport_security_header')),''),
|
||||
'$content_security' => array('content_security', t('Set "Content Security Policy" HTTP header'),intval(get_config('system','content_security_policy')),''),
|
||||
'$allowed_email' => array('allowed_email', t("Allowed email domains"), get_config('system','allowed_email'), t("Comma separated list of domains which are allowed in email addresses for registrations to this site. Wildcards are accepted. Empty to allow any domains")),
|
||||
|
||||
@ -35,11 +35,20 @@ class Cloud extends \Zotlabs\Web\Controller {
|
||||
if (argc() > 1)
|
||||
$which = argv(1);
|
||||
|
||||
|
||||
if (argc() < 2 && intval(get_config('system','cloud_disable_siteroot'))) {
|
||||
notice( t('Permission denied.') . EOL);
|
||||
construct_page();
|
||||
killme();
|
||||
}
|
||||
|
||||
$profile = 0;
|
||||
|
||||
if ($which)
|
||||
profile_load( $which, $profile);
|
||||
|
||||
|
||||
|
||||
$auth = new \Zotlabs\Storage\BasicAuth();
|
||||
|
||||
$ob_hash = get_observer_hash();
|
||||
|
||||
@ -7,6 +7,7 @@
|
||||
|
||||
|
||||
{{include file="field_checkbox.tpl" field=$block_public}}
|
||||
{{include file="field_checkbox.tpl" field=$cloud_noroot}}
|
||||
{{include file="field_checkbox.tpl" field=$transport_security}}
|
||||
{{include file="field_checkbox.tpl" field=$content_security}}
|
||||
{{include file="field_checkbox.tpl" field=$embed_sslonly}}
|
||||
|
||||
Reference in New Issue
Block a user