On Thu, 2006-01-05 at 13:29 -0500, Khalid B wrote:
1. Security. Separate public files from non-public files and make it easy to move all non-public files out of the document root.
That is a good idea, and I think this is what Ted (ma3verik) was saying all along.
This makes part of Drupal live above DocumentRoot, mainly code (includes, modules), as well as configuration (settings.php). CSS stuff has to be under DocumentRoot still.
There will be implications if we take this too far though, for example, if a module has .css files in it, then do we separate the .module from .css in different directories? This would then make installation a pain since files have to be copied elsewhere.
ok... I'll concede on the file system security for settings.php and the like... just to propose one file structure that isn't too massive of a move around...

1) move settings outside of doc root, since it is probably the only file that represents a real security risk if it is compromised...
   ~/drupal-private/default/settings.php
   ~/drupal-private/example.com/settings.php

2) move everything under drupal folder so sites, modules, etc can exist as they are, leaving index.php in the doc root.
   ~/public_html/drupal/
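
A layout like the one proposed above can be checked mechanically. The following is an added example, not part of the original message or of Drupal: a shell audit that confirms the private directory sits outside the document root and that no settings.php is still reachable under it. The two paths are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: audit a "settings outside the doc root" layout.
# Usage (paths are assumptions): audit.sh ~/public_html ~/drupal-private

# Resolve a directory to its physical path, following symlinks.
real_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# 0 if private dir $2 lies outside docroot $1, 1 if inside, 2 if a path is missing.
private_outside_docroot() {
    docroot=$(real_dir "$1") || return 2
    private=$(real_dir "$2") || return 2
    case "$private/" in
        "$docroot"/*) return 1 ;;   # same directory or a subdirectory
    esac
    return 0
}

# Print every settings.php under the docroot. -L also catches a symlink
# in the docroot that points back at a file in the private tree.
settings_in_docroot() {
    find -L "$1" -type f -name 'settings.php' 2>/dev/null
}

# Full audit: returns 0 when the layout is clean, 1 on any finding.
audit_layout() {
    status=0
    if ! private_outside_docroot "$1" "$2"; then
        echo "FAIL: $2 is inside $1 (or a path is missing)"
        status=1
    fi
    found=$(settings_in_docroot "$1")
    if [ -n "$found" ]; then
        echo "FAIL: settings.php under document root:"
        echo "$found"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: no settings.php under $1"
    return "$status"
}

if [ "$#" -eq 2 ]; then
    audit_layout "$1" "$2"
fi
```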