Hi all,
I discovered SilverStripe a couple of days ago, and it looks superb. A nice, intuitive but powerful CMS, with an MVC framework for extending the core functionality. Great stuff!
Anyway, I digress. The reason I'm posting is because I'd like to know if there's a way of installing the SilverStripe system files outside of my document root, ensuring that only the bare minimum of files are available via direct HTTP requests. (I've read in relation to other MVC frameworks that this approach is considered to be a security best practice.)
So far I've tried installing the entire system within my document root using the install script, then moving all the files except .htaccess into a folder parallel to my document root (say "SilverStripeSystem"), then editing the following line in .htaccess:
RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L]
to read:
RewriteRule .* ../SilverStripeSystem/sapphire/main.php?url=%1&%{QUERY_STRING} [L]
This seems to pick up the template correctly, but returns a "page not found" message instead of the page content.
To rectify this, I tried editing SilverStripeSystem/sapphire/core/Core.php, changing the line:
define('BASE_URL', dirname(dirname($_SERVER['SCRIPT_NAME'])));
to
define('BASE_URL', '/SilverStripeSystem');
This caused the page content to be returned correctly, but the internal URLs were pointing to my SilverStripeSystem folder instead of my document root when rendered into HTML. At that point, I thought I'd seek help!
None of this is particularly urgent, of course, and I can just put the entire SilverStripe folder inside my document root if need be. However, if it's possible to achieve the configuration I'm outlining, I'd be particularly pleased.
Would it be worth adding a feature in the install script in a future version to allow the system files to be stored in a location of the user's choice?
Thanks.
Martin.