We should not set file_private_path but instead let the site owner set the variable.

Initial patch for discussion will be attached.

CommentFileSizeAuthor
#1 file_private_path-1188202-1.patch804 bytesjoestewart

Comments

joestewart’s picture

joestewart commented
Status: Active » Needs review
StatusFileSize
new file_private_path-1188202-1.patch804 bytes

patch against 7.x-2.x attached that simply removes the setting of the variable.

The backup task should probably do a variable get instead of using a hardwired path, but that is not included here.

omega8cc’s picture

omega8cc commented
Category: bug » feature
Status: Needs review » Needs work

It is not a bug, it is by design.

We either have to still hardcode this path, or also stop creating this directory and also move responsibility for proper web server *extra* configuration to the user/admin land.

I don't think it is a good idea, but again, this is my opinion only.

Currently this path/directory is created with correct permissions by provision and the web server configuration (at least in Nginx) supports this *and only this* path. There is no way to make it working on the fly in the web server, just by allowing to set the variable to some arbitral path, so it must be hardcoded or the support for private directory completely removed.

omega8cc’s picture

omega8cc commented

Also, we can't allow to set the variable to anything by default, because it will allow you to create non-working (on the web server level) configuration - as some people will then try to set it in the web root and complain it is accessible directly.

And yes, Apache configuration already supports this, but maybe it should be changed to protect the /private/ level, to avoid confusion like here: http://drupal.org/node/1108810#comment-4600936

You can in fact store the protected files anywhere, because there is an Options +FollowSymLinks in place: http://drupalcode.org/project/provision.git/blob/HEAD:/http/apache/vhost...

anarcat’s picture

anarcat commented

I am not sure I understand the idea here either. Why wouldn't we set a sane default on install?

joestewart’s picture

joestewart commented
Status: Needs work » Closed (works as designed)

Why? Drupal doesn't provide a default.

Closing as it works as designed and is seen as a useful feature. With the apache and nginx configuration, the directory is not web accessible.

A couple of comments from webchick about setting a default private files directory -

#36 http://drupal.org/node/917492#comment-4386092
and
#41 http://drupal.org/node/917492#comment-4389712