From e7137e2db3da66a91eaabc47fd5603cfcfa8214e Mon Sep 17 00:00:00 2001
From: jelhan
Date: Fri, 19 Aug 2016 00:23:49 +0200
Subject: [PATCH] make path of data dir configurable

Closes #109
---
README.md | 6 +++++-
api/config.default.php | 9 +++++++++
api/cron.php | 8 +++++---
api/index.php | 12 +++++++-----
api/utils/get-config.php | 13 +++++++++++++
ember-cli-build.js | 2 +-
6 files changed, 40 insertions(+), 10 deletions(-)
create mode 100644 api/config.default.php
create mode 100644 api/utils/get-config.php

diff --git a/README.md b/README.md
index 846d2f3..4ad4ee0 100644
--- a/README.md
+++ b/README.md
@@ -44,9 +44,13 @@ ember build --prod Afterwards copy all files in /dist folder to your werbserver. +### Configuration +Api could be configured by creating a `config.php` inside `api/` folder which returns an associative array. +Have a look at `api/config.default.php` for available options. + ### Webserver configuration -* `data/` folder has to be writeable by web server, but **must not** be accessible publicy. That means protect it in your webserver configuration! +* `data/` folder has to be writeable by web server, but **must not** be accessible publicy. Protect it in your webserver configuration or move it out of webroot by changing `dataDir` api option. * Croodle uses [subresource integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) (SRI) for assets. Therefore you **must not** tamper with build output (e.g. you have to disable cloudflare [*Auto Minify*](https://support.cloudflare.com/hc/en-us/articles/200167996-Does-CloudFlare-have-HTML-JavaScript-and-CSS-compression-features-) feature). If that's not an option for you, you have to [disable SRI](https://github.com/jonathanKingston/ember-cli-sri#options) and build yourself. * HTTPS connection should be forced. You should consider using [HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security) (HSTS) and [HTTP Public Key Pinning](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning) (HPKP). * [Content-Security-Policy](http://content-security-policy.com/) (CSP) should be used. Default CSP headers are provided in `.htaccess` file but commented out. diff --git a/api/config.default.php b/api/config.default.php new file mode 100644 index 0000000..4b78b4b --- /dev/null +++ b/api/config.default.php @@ -0,0 +1,9 @@ + '../data/' +); diff --git a/api/cron.php b/api/cron.php index b3e6c90..e4e3d40 100644 --- a/api/cron.php +++ b/api/cron.php 
@@ -11,13 +11,15 @@ if (php_sapi_name() !== 'cli') { } require_once 'classes/poll.php'; +require_once 'utils/get-config.php'; + +$path = substr($argv[0], 0, -8); +$config = getConfig($path); +define('DATA_FOLDER', isset($argv[1]) ? $argv[1] : $path . $config['dataDir']); $startTime = time(); $pollsProcessed = 0; -$path = isset($argv[1]) ? $argv[1] : substr($argv[0], 0, -8); - -define('DATA_FOLDER', $path . '../data/'); $dataDirHandler = opendir(DATA_FOLDER); if(!$dataDirHandler) { throw new Exception('could not open data dir'); diff --git a/api/index.php b/api/index.php index 6e6635e..82484d7 100644 --- a/api/index.php +++ b/api/index.php @@ -6,18 +6,20 @@ use \Psr\Http\Message\ServerRequestInterface as Request; use \Psr\Http\Message\ResponseInterface as Response; +require 'vendor/autoload.php'; +require_once 'classes/poll.php'; +require_once 'classes/user.php'; +require_once 'utils/get-config.php'; + +$config = getConfig(); if (php_sapi_name() == 'cli-server') { // assume that cli-server is only used for testing define('DATA_FOLDER', 'tests/_tmp/data/'); } else { - define('DATA_FOLDER', '../data/'); + define('DATA_FOLDER', $config['dataDir']); } -require 'vendor/autoload.php'; -require_once 'classes/poll.php'; -require_once 'classes/user.php'; - function pollIdIsValid($pollId) { return preg_match('/[^A-Za-z0-9]/', $pollId) === 0; } diff --git a/api/utils/get-config.php b/api/utils/get-config.php new file mode 100644 index 0000000..f4dfcbd --- /dev/null +++ b/api/utils/get-config.php @@ -0,0 +1,13 @@ +
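Review bot: The new `define('DATA_FOLDER', ...)` in cron.php prepends `$path` to `$config['dataDir']` unconditionally, so an absolute `dataDir` — which the README change in this same commit recommends for moving `data/` out of the webroot — produces a broken path of the form `<api dir>/` followed by the absolute path, while index.php uses the same value bare; the cron job and the web entry point would then operate on different directories. Only prefix relative values: `$dataDir = $config['dataDir'];`, `if (substr($dataDir, 0, 1) !== '/') { $dataDir = $path . $dataDir; }`, `define('DATA_FOLDER', isset($argv[1]) ? $argv[1] : $dataDir);`. It would also help to document in config.default.php what a relative `dataDir` is resolved against, since cron.php resolves it against the directory derived from `$argv[0]` while index.php presumably resolves it against the process working directory. Whether a missing `dataDir` key in `config.php` falls back to the default depends on getConfig(), whose body is not visible in this chunk. The hunk ends inside the `if(!$dataDirHandler)` block, whose closing brace lies outside it.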
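Review bot: `define('DATA_FOLDER', $config['dataDir'])` in index.php takes the configured value as-is, so a `config.php` that sets `dataDir` without a trailing slash (the default `'../data/'` carries one) would, if the rest of index.php builds file paths by concatenating `DATA_FOLDER` with an id, silently write into the parent directory under a prefixed name instead of into the data directory; normalising at the define avoids that: `define('DATA_FOLDER', rtrim($config['dataDir'], '/') . '/');`. Unlike cron.php, which throws when `opendir(DATA_FOLDER)` fails, nothing in this hunk verifies that the configured directory exists and is writable, so a typo in `dataDir` only surfaces as later per-request failures; an `is_dir()` check next to the define would fail fast and make misconfiguration visible in the server log. Whether `dataDir` is guaranteed to be present in the array returned by getConfig() depends on utils/get-config.php, whose content is not visible in this chunk.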