    • 37054
    • 93 Posts
    This is still problematic. The system cache folder is in the core directory. By default PHPThumb and PThumb store their caches in this folder (logically, it's the cache). The .htaccess file that ships with 2.4.0-pl does not clear the warning when applied and when the above version which blocks all files is used, it blocks access to cached images.

    Moving the core folder is obviously ideal but often not feasible for an existing build.

    To get around this I'm using this in my .htaccess in the install root.

    RewriteCond %{REQUEST_URI} ^/core [NC]
    RewriteCond %{REQUEST_URI} !\.(jpe?g|png|gif)$ [NC]
    RewriteRule .* - [F,L]
    


    It basically prevents access to files in core unless they have one of the specified extensions.
      • 3749
      • 24,544 Posts
      Quote from: freelancewebdev at Sep 08, 2015, 06:41 PM

      Moving the core folder is obviously ideal but often not feasible for an existing build.

      I'm not sure why you say this. I've moved the core directory of an existing build many times. You just need to adjust the config files.
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 8168
        • 1,118 Posts
        Quote from: BobRay at Sep 09, 2015, 09:50 PM
        Quote from: freelancewebdev at Sep 08, 2015, 06:41 PM

        Moving the core folder is obviously ideal but often not feasible for an existing build.

        I'm not sure why you say this. I've moved the core directory of an existing build many times. You just need to adjust the config files.

        Bob - is there any documentation anywhere about all the paths that need to be updated to move the core folder once installed and site running?
          • 3749
          • 24,544 Posts
          Sure, right here ;)

          The MODX_CORE_PATH entry needs to be changed in core/config/config.inc.php -- *after you copy the core to its new location*

          And the core path also needs to be changed in the three config.core.php files in these three directories:

          modx root
          manager
          connectors

          That should do it. Just copy the core directory to its new location and change the paths listed above. Back up each of the 4 config files by duplicating them and adding "old-" in front of their names before editing the non-old ones. Rename the original core directory so you know it's no longer in use. That way you can revert easily if it doesn't work.

          After making the changes, delete all files in the core/cache directory and clear the browser cache and cookies before logging in.

          To help you understand -- whenever MODX needs to know where things are, it reads the nearest config.core.php file to find out where the core is and what the config key is (determines the prefix of the main config file; default is 'config'). Now it knows the location of the core and the name of the config file. It reads that file (usually called config.inc.php) to get all the locations.

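A read-only check of the move described in the post above, as an added example that is not part of the original thread and not MODX code. It assumes the config files hold the core path as a literal string, that the config key is the default 'config', and that the web root is the MODX root unless the hypothetical `web_root` argument says otherwise; the function names are made up for this example.

```python
import re
from pathlib import Path

# Files Bob's post lists, relative to the MODX root (config key assumed to be 'config').
CONFIG_CORE_FILES = ["config.core.php", "manager/config.core.php",
                     "connectors/config.core.php"]
# Matches define('MODX_CORE_PATH', '/literal/') or $modx_core_path = '/literal/'.
CORE_PATH_RE = re.compile(
    r"""(?:define\(\s*['"]MODX_CORE_PATH['"]\s*,|\$modx_core_path\s*=)\s*['"]([^'"]+)['"]""")


def read_core_path(php_file):
    """Return the literal core path set in php_file, or None if missing or computed."""
    path = Path(php_file)
    if not path.is_file():
        return None
    match = CORE_PATH_RE.search(path.read_text(errors="replace"))
    return match.group(1) if match else None


def audit_core_move(modx_root, web_root=None):
    """List problems left after moving the core; an empty list means none found."""
    root = Path(modx_root).resolve()
    web = Path(web_root).resolve() if web_root else root
    found = {rel: read_core_path(root / rel) for rel in CONFIG_CORE_FILES}
    problems = [f"{rel}: no literal MODX_CORE_PATH" for rel, p in found.items() if not p]
    cores = sorted({Path(p).resolve() for p in found.values() if p})
    if len(cores) > 1:
        problems.append(f"config.core.php files disagree: {[str(c) for c in cores]}")
    for core in cores:
        main_cfg = core / "config" / "config.inc.php"
        main_path = read_core_path(main_cfg)
        if main_path is None:
            problems.append(f"{main_cfg}: no literal MODX_CORE_PATH")
        elif Path(main_path).resolve() != core:
            problems.append(f"{main_cfg} still points at {main_path}")
        if core == web or web in core.parents:
            problems.append(f"{core} is inside the web root {web}")
    old_core = root / "core"
    if old_core.is_dir() and old_core not in cores:
        problems.append(f"unused copy of core still present at {old_core}")
    return problems


if __name__ == "__main__":
    import sys
    for line in audit_core_move(*(sys.argv[1:3] or ["."])) or ["no problems found"]:
        print(line)
```

It only inspects files on disk; it does not reproduce whatever test the manager itself runs before showing its warning.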
            • 8168
            • 1,118 Posts
            OK thanks Bob - this way doesn't involve needing to re-run setup then yeh - I'd like to avoid that as I don't want to mess the site up! https://rtfm.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution mentions needing to do this.

            Does the modx_workspaces database table also need updating? https://rtfm.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution mentions this - surely this is possible by using phpMyAdmin rather than re-running setup?
              • 3749
              • 24,544 Posts
              You can check the modx_workspaces table in the DB, but I think recent versions have generic code there and will get the path from the config file, so you shouldn't need to edit it unless it contains a hard-coded path.

              Running Setup, BTW, is harmless as long as the config files are correct. I've done it literally hundreds of times.
                • 8168
                • 1,118 Posts
                Quote from: BobRay at Oct 16, 2015, 06:37 AM
                Sure, right here ;)

                The MODX_CORE_PATH entry needs to be changed in core/config/config.inc.php -- *after you copy the core to its new location*

                And the core path also needs to be changed in the three config.core.php files in these three directories:

                modx root
                manager
                connectors

                That should do it. Just copy the core directory to its new location and change the paths listed above. Back up each of the 4 config files by duplicating them and adding "old-" in front of their names before editing the non-old ones. Rename the original core directory so you know it's no longer in use. That way you can revert easily if it doesn't work.

                After making the changes, delete all files in the core/cache directory and clear the browser cache and cookies before logging in.

                To help you understand -- whenever MODX needs to know where things are, it reads the nearest config.core.php file to find out where the core is and what the config key is (determines the prefix of the main config file; default is 'config'). Now it knows the location of the core and the name of the config file. It reads that file (usually called config.inc.php) to get all the locations.


                Hi Bob, I have done all of this - and still get the note in the manager to say the Core folder is still accessible!???
                  • 3749
                  • 24,544 Posts
                  Is the old core folder still there? Did you delete all files in the new core/cache directory?
                    • 8168
                    • 1,118 Posts
                    Quote from: BobRay at Oct 23, 2015, 09:17 PM
                    Is the old core folder still there? Did you delete all files in the new core/cache directory?

                    Nope - old core is gone, deleted all files in the core/cache folder yep! huh odd eh!
                      • 3749
                      • 24,544 Posts
                      Definitely strange.