
CSS

  • It would depend on how you are making the file available. If you are just providing a link for downloading the file, anyone will be able to access the file if they know the URL to the file.

    If you are using a PHP streaming method to supply the file, then you can use .htaccess security to deny access to the .pdf directory or the .pdf files themselves. Since PHP is reading the file, it has no bearing on the server's denial; the server only denies external requests for the file via URL.

    For example, I often install a backup application that has its own config.inc.php file. Anyone who wants to can download that file, and get my backup application login, back up my site using it, and then from the site backup get my MODx config files to find the database information. To prevent this, I added a directive in my .htaccess:

    <Files config.inc.php>
    order deny,allow
    deny from all
    </Files>
    


    A PHP file (such as index.php) that needs the information can include the file with no problem, but anybody who tries accessing domain.com/backup/config/config.inc.php in a browser will be denied.
      Studying MODX in the desert - http://sottwell.com
      Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
      Join the Slack Community - http://modx.org
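
The PHP streaming approach described in the reply above, as an added example that is not part of the original posts: a download script that reads a PDF from a directory that .htaccess denies to direct requests. The directory name, the `file` query parameter and the session flag used as the access check are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Streams a PDF from a directory that
// .htaccess denies to direct URL requests; PHP reads it from disk regardless.
// Hypothetical names: PROTECTED_DIR, the "file" parameter, $_SESSION['can_download'].

const PROTECTED_DIR = __DIR__ . '/protected-pdf';   // contains "deny from all"

/** Map a requested name to a real file inside $baseDir, or null if not allowed. */
function resolveProtectedPdf(string $requested, string $baseDir = PROTECTED_DIR): ?string
{
    // basename() drops any directory part, so "../config.inc.php" cannot climb out.
    $name = basename($requested);
    if (!preg_match('/\A[A-Za-z0-9._-]+\.pdf\z/i', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so confirm the result is still under the base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

function servePdf(): void
{
    session_start();
    if (empty($_SESSION['can_download'])) {   // hypothetical access check
        http_response_code(403);
        exit('Forbidden');
    }
    $path = resolveProtectedPdf((string)($_GET['file'] ?? ''));
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    // The name was validated above, so it is safe to echo into a header.
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

servePdf();
```

The script itself has to live outside the denied directory; only the files it reads sit behind the deny rule.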
      • 33968
      • 863 Posts
      I was just writing something similar but Susan beat me to it. You might also have the files uploaded outside the web root (and direct the Media Source there) if your MODX configuration allows for it.

      I guess I don't need to say it but be careful about what people are able to upload - and possibly execute - on your server!
        • 39932
        • 483 Posts
        @Lucas and Susan:

        Good information for others! I actually have a supplemental post outside of this (as the main OP was asking about CSS). Would you care to post your info there? http://forums.modx.com/thread/78579/question-regarding-modx-media-sources-and-security
          Website: Extended Dialog Development Blog: on Extended Dialog
          Add-ons: AJAX Revolution, RO.IDEs Editor & Framework (in works) Utilities: Plugin Compatibility List
          Tutorials: Create Cross-Context Resources, Cross-Context AJAX Login, Template-Based Actions, Remove Extensions from URLs

          Failure is just another word for saying you didn't want to try. "It can't be done" means "I don't know how".
          • 40088
          • 708 Posts
          Quote from: okyanet at Aug 13, 2012, 08:25 AM
          Apologies to the OP - this is all probably a bit more than you expected

          No apology needed. It is indeed more than I expected but I'm happy that I posted such a thought-provoking discussion. Who knew?!

          In my case I have my CSS (and js) files in a 'css' folder (or 'js' respectively) outside of MODX and I link to them in the usual manner via a Chunk. This seems to work fine for my needs at the moment.

          I did watch Fuzzy's videos for RO.IDE and the little I understood seems interesting but I was left with more questions than answers. Maybe once it's released and with comprehensive docs I can glean a clearer understanding of how it would benefit me and the way I work. I'll keep an eye out for its debut.

          Thanks to all of you. I'm clearly "over my skis" with a lot of what MODX can do but it's starting to sink in. Slowly.
            Todd
            • 39932
            • 483 Posts
            ... but I was left with more questions than answers.

            It has to be understood that I am a software developer and not a web developer. I stopped doing client-based web-work a few years ago and am very happy to be back to cool software. So, my needs for MODX are to deliver a web application, not content. It won't apply to the majority of MODX users and it is not meant to. The difference between the two and what must be met are considerably different. (It probably also explains my paranoia *wink wink*)