authorzotlabs <mike@macgirvin.com>2018-06-13 20:27:10 -0700
committerzotlabs <mike@macgirvin.com>2018-06-13 20:27:10 -0700
commitb5e4a5f51c478d646248c5a9eb22907cda32dd3e (patch)
treeb4ecb976146066ed4d93a1959695ad064b317331 /Zotlabs/Module/Cloud.php
parent65cbc7c2bba523a2663a89fae29b5cef162fd0a1 (diff)
SECURITY: provide option to disable the cloud 'root' directory and make the cloud module require a target channel nickname. This is a low impact change as there is currently no disclosure of private information. The presence of a file browser for all the channels on the site could be (and is reported to be) a concern to some people and there is no reason why it shouldn't be optional.
Diffstat (limited to 'Zotlabs/Module/Cloud.php')
-rw-r--r--Zotlabs/Module/Cloud.php9
1 files changed, 9 insertions, 0 deletions
diff --git a/Zotlabs/Module/Cloud.php b/Zotlabs/Module/Cloud.php
index 34397d275..1b330ecba 100644
--- a/Zotlabs/Module/Cloud.php
+++ b/Zotlabs/Module/Cloud.php
@@ -35,11 +35,20 @@ class Cloud extends \Zotlabs\Web\Controller {
if (argc() > 1)
$which = argv(1);
+
+ if (argc() < 2 && intval(get_config('system','cloud_disable_siteroot'))) {
+ notice( t('Permission denied.') . EOL);
+ construct_page();
+ killme();
+ }
+
$profile = 0;
if ($which)
profile_load( $which, $profile);
+
+
$auth = new \Zotlabs\Storage\BasicAuth();
$ob_hash = get_observer_hash();