Skip to main content
This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.
Since any CMS user can upload files to the "assets" folder and this folder is below the webserver's DocumentRoot there is no way to protect the CMS-user to upload for instance a file "phpinfo.php" with
<?php phpinfo(); ?>
and then call
http://www.silversite.com/assets/phpinfo.php to get any information!
With SilverStripe knowledge the ordinary CMS user can manipulte/destroy/query anything!
I would assume the general consensus is that you trust the users who have permission to access the admin area, and even more so the file uploads area.
But the ordinary content editor should be able to upload images, pdfs and the like.
He should not be able to access the whole system in this way by uploading code.