Remove user-editable configuration files from distribution / version control #213

Open
wants to merge 5 commits into
base: master
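--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,5 @@
+/hashover/comments/
+/hashover/config/secrets.ini
+/hashover/config/blocklist.json
+/hashover/config/ignored-queries.json
+/hashover/config/settings.json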
2 changes: 1 addition & 1 deletion hashover/admin/views/settings/index.php
Expand Up @@ -411,7 +411,7 @@ function settings_array (Setup $setup)
$submitted = true;
} else {
// Set submission indicators
$title = 'Failed to Settings!';
$title = 'Failed to save Settings!';
}
}

36 changes: 20 additions & 16 deletions hashover/backend/classes/secrets.php
Expand Up @@ -7,22 +7,6 @@
// This applies worldwide. If this is not legally possible, I grant any
// entity the right to use this work for any purpose, without any
// conditions, unless such conditions are required by law.
//
//--------------------
//
// IMPORTANT NOTICE:
//
// To retain your settings and maintain proper functionality, when
// downloading or otherwise upgrading to a new version of HashOver it
// is important that you preserve this file, unless directed otherwise.
//
// It is also important to choose UNIQUE values for the encryption key,
// admin name, and admin password, as not doing so puts HashOver at
// risk of being hijacked. Allowing someone to delete comments and/or
// edit existing comments to post spam, impersonate you or your
// visitors in order to push some sort of agenda/propaganda, to defame
// you or your visitors, or to imply endorsement of some product(s),
// service(s), and/or political ideology.


class Secrets
Expand All @@ -38,4 +22,24 @@ class Secrets

// Login password to gain admin rights (case-sensitive)
protected $adminPassword = 'passwd';

protected function getSecretConfigPath() {
return dirname(dirname(__DIR__)) . '/config/secrets.ini';
}

function __construct() {
$config_file_name = $this->getSecretConfigPath();
if (!file_exists($config_file_name)) {
throw new \Exception (sprintf (
'Please create the file %s (using secrets.ini.sample as a template)',
$config_file_name
));
}

$arr = parse_ini_file($config_file_name);
$this->notificationEmail = $arr['notification-email'];
$this->encryptionKey = $arr['encryption-key'];
$this->adminName = $arr['admin-name'];
$this->adminPassword = $arr['admin-password'];
}
}
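Review bot: The new line `$arr = parse_ini_file($config_file_name);` does not check its result, and `parse_ini_file()` returns `false` on a syntax error, so the four offset reads that follow produce warnings and assign `null` to every secret instead of failing with a clear message; guard it with `if ($arr === false) { throw new \Exception (sprintf ('Could not parse %s', $config_file_name)); }` and verify each of the four keys is present before assigning. Consider calling it as `parse_ini_file($config_file_name, false, INI_SCANNER_RAW)`, since in the default scanner mode a value such as `yes`/`on` is rewritten to `1` and a value containing `;`, `"` or `{}|&~!()^` is mangled or rejected, which would silently turn a typed admin password into something else. The file now lives at `hashover/config/secrets.ini`, a plain-text file inside a tree that settings.php also maps to client-side paths; if that directory is reachable over HTTP the web server will serve the credentials verbatim, which the previous PHP-file storage did not, so a deny rule for `config/` or a path outside the document root should ship with this change. Finally, `function __construct() {` lacks the explicit visibility the class uses elsewhere (`protected $adminPassword`) and should read `public function __construct ()` to match `Settings::__construct` which calls it.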
9 changes: 7 additions & 2 deletions hashover/backend/classes/settings.php
Expand Up @@ -137,6 +137,8 @@ class Settings extends Secrets

public function __construct ()
{
parent::__construct();

// Theme path
$this->themePath = 'themes/' . $this->theme;

Expand Down Expand Up @@ -192,10 +194,13 @@ function isHTTPS ()
return false;
}

// Returns a server-side absolute file path
// Given a path relative to the HashOver root directory,
// returns the server-side absolute file path
public function getAbsolutePath ($file)
{
return realpath ($this->rootDirectory . '/' . trim ($file, '/'));
// NB: Not using realpath() here to allow working with paths not
// pointing to existing files, and to avoid unnecessary symlink resolution.
return $this->rootDirectory . '/' . trim ($file, '/');
}

// Returns a client-side path for a file within the HashOver root
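Review bot: Dropping `realpath()` in `getAbsolutePath` changes its contract in two ways the comment `// NB: Not using realpath() here …` does not state: a missing file now yields a path string where callers previously received `false`, and `..` segments in `$file` are no longer collapsed, so `trim ($file, '/')` is the only processing left and any caller that checks the returned path against `$this->rootDirectory` as a prefix can now be satisfied by a path that still escapes the root. If any caller passes a path influenced by request data, normalise the result and reject it unless it stays under `$this->rootDirectory` before returning; if every caller passes fixed paths, say so in the comment, e.g. `// Callers must pass trusted, already-normalised paths: no existence or traversal check is done here.`. Whether any caller relied on the former `false` return for missing files cannot be seen from this hunk, as the callers lie outside it.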
6 changes: 3 additions & 3 deletions hashover/backend/classes/setup.php
Expand Up @@ -111,23 +111,23 @@ public function __construct (array $usage)
if ($this->notificationEmail === '[email protected]') {
throw new \Exception (sprintf (
'You must use a UNIQUE notification e-mail in %s',
$this->getBackendPath ('classes/settings.php')
$this->getSecretConfigPath()
));
}

// Throw exception if encryption key is set to the default
if ($this->encryptionKey === '8CharKey') {
throw new \Exception (sprintf (
'You must use a UNIQUE encryption key in %s',
$this->getBackendPath ('classes/settings.php')
$this->getSecretConfigPath()
));
}

// Throw exception if administrative password is set to the default
if ($this->adminPassword === 'password') {
throw new \Exception (sprintf (
'You must use a UNIQUE admin password in %s',
$this->getBackendPath ('classes/settings.php')
$this->getSecretConfigPath()
));
}

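Review bot: The default-password check `if ($this->adminPassword === 'password') {` does not match the default this PR now ships: `secrets.ini.sample` sets `admin-password = passwd` and the `Secrets` class default shown as context above the new constructor is also `'passwd'`, so an install that copies the sample unchanged passes this check and keeps a known admin password while the sibling checks for the notification e-mail and `8CharKey` still fire. Either change the comparison to `if ($this->adminPassword === 'passwd') {` or change the sample and the class default to `password`, and keep the three checks and the sample in agreement. The exception message now points at `$this->getSecretConfigPath()`, which is correct, but the rest of the constructor, including how `$this->adminPassword` is populated, lies outside this hunk.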
1 change: 0 additions & 1 deletion hashover/config/blocklist.json

This file was deleted.

1 change: 0 additions & 1 deletion hashover/config/ignored-queries.json

This file was deleted.

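--- a/hashover/config/secrets.ini.sample
+++ b/hashover/config/secrets.ini.sample
@@ -0,0 +1,25 @@
+; IMPORTANT NOTICE:
+;
+; To retain your settings and maintain proper functionality, when
+; downloading or otherwise upgrading to a new version of HashOver it
+; is important that you preserve this file, unless directed otherwise.
+;
+; It is also important to choose UNIQUE values for the encryption key,
+; admin name, and admin password, as not doing so puts HashOver at
+; risk of being hijacked. Allowing someone to delete comments and/or
+; edit existing comments to post spam, impersonate you or your
+; visitors in order to push some sort of agenda/propaganda, to defame
+; you or your visitors, or to imply endorsement of some product(s),
+; service(s), and/or political ideology.
+
+; E-mail for notification of new comments
+notification-email = [email protected]
+
+; Unique encryption key (case-sensitive)
+encryption-key = 8CharKey
+
+; Login name to gain admin rights (case-sensitive)
+admin-name = admin
+
+; Login password to gain admin rights (case-sensitive)
+admin-password = passwd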
51 changes: 0 additions & 51 deletions hashover/config/settings.json

This file was deleted.