Mosaico issue with Apache2 in conflict with CiviCRM deny orders [#2981207]

At the moment I am running my instances on hostmaster7.x-3.146 and have enabled civicrm integration.
I have done SSL manually but everytime I had to delete following line for protecting civicrm due that it caused conflict with CiviCRM extension Mosaico (or add proposed one bellow). Now we are going to run https automatically from aegir and need to have this sorted out before doing the switch, due that verify is restoring this part of configuration always.

The following line is:

# Extra configuration from modules:
<Directory "/var/aegir/platforms/drupal-7.57/sites/example.org/files/civicrm">
  Order allow,deny
  Deny from all
</Directory>

Perhaps there should be one more add to the config that allows all from extension folder? Or just image extensions at least, opened for solutions/discussion.

<Directory "/var/aegir/platforms/drupal-7.57/sites/example.org/files/civicrm/ext">
  Order allow,deny
  Allow from all
</Directory>

From what I tested it works peachy, just needs to be patched in next release of Aegir. If its not a proper solution, do tell me better one you have on mind and how will it be patched (if its more advanced).
Relating to 3 years old issue, as in either its not solved or from then mosaico changed where it keeps its images.

Thanks in advance,
Shwele

Comment	File	Size	Author
	mosaico1.png	107.02 KB	Shwele
	mosaico2.png	50.3 KB	Shwele

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

22 June 2018 at 12:28

Shwele created an issue. See original summary.

Comment #2

bgm CreditAttribution: bgm at Coop SymbioTIC commented 22 June 2018 at 13:35

I would suggest placing those types of extensions in /vendor/civicrm (in the root of your platform), assuming that everyone in your platform has access to them?

Edit: although you're right, and we should add that line. It wouldn't hurt. For a long time, CiviCRM didn't have an official directory for extensions, so it made this more difficult, but I think that it now defaults to /files/ext/. On the other hand: in Aegir (with a shared-hosting model), you usually don't want users installing their own extensions, it goes around the security model.

Comment #3

Shwele CreditAttribution: Shwele commented 22 June 2018 at 13:41

Then maybe workaround would be to allow only pictures, aka all img extensions.

It should be included in platform conf too, because some of the modules, you would want to put them inside of civicrm itself.

For example, shoreditch theme, I've moved it from local website sites/example.com/files/civicrm/ext/ to sites/all/modules/civicrm/ext/ , due that each client will be using theme and on upgrades I will just restore extension there.

Just laying out that its not only for sites, but for platforms as well (if its protected). At some point I will move mosaico to that folder as well.

Comment #4

bgm CreditAttribution: bgm at Coop SymbioTIC commented 22 June 2018 at 13:47

> "Just laying out that its not only for sites, but for platforms as well (if its protected). At some point I will move mosaico to that folder as well."

I'm not sure what you mean. If you share extensions between sites (i.e. if the extension is part of your platform, available to all sites), use /vendor/civicrm.