-
- 24,544 Posts
@Himurovich How does that affect snippets and plugins that have to read from and write to those directories?
-
- 1,145 Posts
Pardon my imperfect lingo.
The snippets and plugins would have the same rights as MODX PHP, and all run as normal once a web access session has begun by successfully logging in.
Now, if you are not there, that is, not logged in, all scripts would fail - and that's what we want, because it is either a hacker or a badly written frontend Extra overreaching and poke-nosing in the mgr sections.
This is my own experience in a fully working site.
TinymceWrapper: Complete back/frontend content solution.
Harden your MODX site by passwording your three main folders: core, manager, connectors and renaming your assets (thank me later!)
5 ways to sniff / hack your own sites; even with renamed/hidden folders, burst them all up, to see how secure you are not.
-
- 24,544 Posts
I was thinking about the current version of UpgradeMODX, which writes a script to the root, then launches it. The script runs outside of MODX.
-
- 1,145 Posts
I remember making a promise to test that ... will get to it ASAP.
It would be a bummer if there were any hiccups.
But I imagined since the user would be running it from within MODX (that is, after having logged in), a session would be supplied to the browser to allow access to those protected folders.
I am assuming that the session being browser-wide would accommodate any script working within or without MODX.
Unless "The script runs outside of MODX." completely eludes me.
-
- 24,544 Posts
It's a new request and everyone is logged out, so if the session is tied to a user, it's probably gone, but if it's still alive in the browser, things should be good. There's also a separate launch of setup using JS replace().
FYI, you can set back the settings_version System Setting to an earlier version (doesn't have to exist) and "Upgrade" to your current version.
-
- 463 Posts
Just wondering if anyone had the chance to test this yet? Just not been able to find the time myself but would be interested to know.