I just started testing alpha2 and everything is going well so far. When I installed Drupal, I noticed that it was asking me to create directories for the private file system within the webroot (/sites/default/private/files and /temp).
Doesn't this seem to defeat the purpose of private files, since after installation these files would be accessible from a browser? Shouldn't the installer at least try to create the folders in a non-web-accessible location?
I would recommend 'WEBROOT/drupalprivate/[site name]/files' and 'WEBROOT/drupalprivate/[site name]/temp'.
I am setting this to critical because I think it leaves a false sense of security to administrators who would leave this as the default.
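An audit check for the condition this report describes, added here as an example (it is not part of the original post or of Drupal). It flags a private-file setting that resolves inside the webroot. The function names and the sample directory layout are constructed, and it assumes a relative setting is resolved against the Drupal root.

```python
import os
import tempfile


def is_inside_webroot(webroot, configured_path):
    """True if configured_path resolves to the webroot or anything below it.

    Assumption: a relative setting is resolved against the webroot (the
    Drupal root); an absolute setting is used as given.
    """
    root = os.path.realpath(webroot)
    # os.path.join keeps an absolute configured_path unchanged; realpath
    # then collapses ".." segments and follows symlinks.
    target = os.path.realpath(os.path.join(root, configured_path))
    # commonpath compares whole path components, so /srv/www-private is not
    # mistaken for a child of /srv/www the way a startswith() test would be.
    return os.path.commonpath([root, target]) == root


def demo():
    """Classify sample settings against a constructed directory layout."""
    base = os.path.realpath(tempfile.mkdtemp())
    webroot = os.path.join(base, "www")
    outside = os.path.join(base, "www-private")
    os.makedirs(os.path.join(webroot, "sites", "default", "private", "files"))
    os.makedirs(os.path.join(outside, "files"))
    # Constructed edge case: a link outside the webroot pointing back into it.
    os.symlink(os.path.join(webroot, "sites"), os.path.join(outside, "link"))
    samples = {
        "installer files dir": "sites/default/private/files",
        "installer temp dir": "sites/default/private/temp",
        "relative, outside": "../www-private/files",
        "absolute, outside": os.path.join(outside, "files"),
        "symlink back in": os.path.join(outside, "link", "default", "private"),
    }
    return {name: is_inside_webroot(webroot, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, inside in demo().items():
        print(f"{name:22} {'INSIDE webroot' if inside else 'outside webroot'}")
```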
Comments
Comment #1
bsherwood commented
Tagging 7.x-dev, but I saw this in alpha2.
Comment #2
David_Rothstein commented
Yup, this is bad for a number of reasons - thanks for reporting it! It's being discussed pretty heavily over at #551658: Figure out what to do about new private/public file separation, though.