[carsonk]

Hello,

I have a few questions about FTP and Apache. In an ideal situation, I'd like to have an FTP account have access to a single folder storing templates (Smarty template [.tpl] files), and these FTP users will only be able to edit and upload template files.

If it is not possible to restrict file types, I would like scripts in the directory to not be able to retrieve any files outside the directory. For example, my designers would not be able to upload a PHP script that is able to read the Database password.

Structure

• /
  
  • /templates/ - should be able to only hold .tpl files, or scripts cannot retrieve information from outside folders
    
  • /common.php - storing MySQL pass, should not be able to be retrieved from scripts inside /templates/

Thanks in advance for your help, and if any clarification is needed, please ask.

[carsonk]

Can someone please answer this question?

[Atli]

Hey.

It seems to me that you may find it simpler to just create a PHP upload script that your designers could use to add/edit the .tpl files.

That way you could have complete control over what gets put where and how, and you could use .htaccess files to restrict access to both the upload scripts and the actual .tpl directories, thus making it damn near impossible to add and execute harmful files.

For instance, if you have a upload script at /dev_tpl_upload.php that accepted only .tpl files and placed them in /templates/. You could add a .htaccess files into the /templates/ directory that read:

deny from all

And now Apache would deny all attempts to access those files from the outside. PHP (Smarty) would still be able to read them though.

I suggest you read up on Apache's ability to control access to directories. The Authentication, Authorization, and Access control article at apache.org is a great place to start.

[carsonk]

Atli, on 11 March 2011 - 08:28 PM, said:

Hey.

It seems to me that you may find it simpler to just create a PHP upload script that your designers could use to add/edit the .tpl files.

That way you could have complete control over what gets put where and how, and you could use .htaccess files to restrict access to both the upload scripts and the actual .tpl directories, thus making it damn near impossible to add and execute harmful files.

For instance, if you have a upload script at /dev_tpl_upload.php that accepted only .tpl files and placed them in /templates/. You could add a .htaccess files into the /templates/ directory that read:

deny from all

And now Apache would deny all attempts to access those files from the outside. PHP (Smarty) would still be able to read them though.

I suggest you read up on Apache's ability to control access to directories. The Authentication, Authorization, and Access control article at apache.org is a great place to start.

Thank you very much for your help! I was considering doing that, but I didn't know if there was a more efficient way. I'll read over that document.