Security: Allow settings file to be stored outside docroot
Closed this issue · 0 comments
Krinkle commented
Right now the configuration is pretty tight and fragile.
All custom settings have to be in one JSON file and it has to be inside the docroot. Although it is protected against web entry in the Apache and NGINX configuration, contrary to PHP files, when they do get requested from the web server, they'll be served in plain text.
Instead it should be possible to store it somewhere outside the docroot for those that want that.
The challenge is how then to point TestSwarm to that path. The workaround solution I've seen in the wild is to put something like { "customLocation": "/etc/testswarm-config.json" } in the docroot settings and patch init.php to detect that and load from there.
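A sketch of the pointer-file workaround described in the comment above, added here as an example; it is not TestSwarm's own init.php code and not part of the original comment. The function names, the settings file name and the demo paths are hypothetical, and the check that the target resolves outside the docroot is an assumption about what such a patch should enforce.

```php
<?php
// Added example; loadSettings()/readJsonFile() are hypothetical names.
function readJsonFile(string $path): array
{
    $raw = @file_get_contents($path);
    $data = $raw === false ? null : json_decode($raw, true);
    if (!is_array($data)) {
        throw new RuntimeException("Unreadable or invalid JSON settings: $path");
    }
    return $data;
}

function loadSettings(string $docroot, string $docrootSettingsFile): array
{
    $settings = readJsonFile($docrootSettingsFile);
    if (!isset($settings['customLocation'])) {
        return $settings; // no pointer: keep using the in-docroot file
    }
    $target = $settings['customLocation'];
    if (!is_string($target) || $target === '' || $target[0] !== '/') {
        throw new RuntimeException('customLocation must be an absolute path');
    }
    // Resolve symlinks and ".." before comparing against the docroot.
    $realTarget = realpath($target);
    $realDocroot = realpath($docroot);
    if ($realTarget === false || $realDocroot === false) {
        throw new RuntimeException('customLocation or docroot does not exist');
    }
    $prefix = rtrim($realDocroot, '/') . '/';
    if (strncmp($realTarget . '/', $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('customLocation still points inside the docroot');
    }
    return readJsonFile($realTarget);
}

// Constructed demo: a temporary docroot holding only the pointer file,
// with the real settings stored next to (not inside) that docroot.
$base = sys_get_temp_dir() . '/ts-demo-' . getmypid();
mkdir("$base/docroot", 0700, true);
file_put_contents("$base/real.json", '{"example":"constructed value"}');
file_put_contents("$base/docroot/settings.json",
    json_encode(['customLocation' => "$base/real.json"]));
var_dump(loadSettings("$base/docroot", "$base/docroot/settings.json"));
```

With this layout the file left in the docroot contains only a path, so a web server misconfiguration that serves it as plain text exposes the location of the settings but not their contents.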