Hello.
Please tell me, why did you choose to place index.php (public folder root) in the app root?
Why not do it the same way (it's perfect, imo) as in Laravel and many other good frameworks, placing public files away from core, so you don't have to care about the security of non-public app files and directories?
I can't understand the motivation for that. And that's what I really don't like to see, cos of this:
rewrite ^themes/.*/(layouts|pages|partials)/.*.htm /index.php break;
rewrite ^bootstrap/.* /index.php break;
rewrite ^config/.* /index.php break;
rewrite ^vendor/.* /index.php break;
rewrite ^storage/cms/.* /index.php break;
rewrite ^storage/logs/.* /index.php break;
rewrite ^storage/framework/.* /index.php break;
rewrite ^storage/temp/protected/.* /index.php break;
rewrite ^storage/app/uploads/protected/.* /index.php break;
The answer to your problem lies here: https://octobercms.com/docs/setup/configuration#public-folder. Set that up to get a whitelist approach to security instead of the blacklist approach that's used by default.
Thank you for that blazing fast answer.
But, unfortunately, it's not answering my main question: why? Why is the default not as in Laravel?
I really want to understand this.
And this I found frustrating:
Note: The above command may need to be performed with System Administrator or sudo privileges. It should also be performed after each system update or when a new plugin is installed.
To find out why, you'd have to ask @daftspunk.
Personally, I deploy my October projects via git and run several commands automatically after each deployment:
composer install; # Installs dependencies from composer.lock
php artisan down; # Enables maintenance mode
php artisan october:up; # Runs any pending migrations
rm -rf public; # Removes previous directory of whitelisted symlinks
php artisan october:mirror public --relative; # Create the new symlinks from the public directory to the project directory for a white listing approach to security
php artisan up; # Disable maintenance mode
@LukeTowers, oh, ok, thank you. Good snippet!
The primary reason is accessibility. A public folder is a great solution, but it can be confusing for newcomers, especially those coming from WordPress. October wants to be a nice place for WP refugees. This does raise the concern about WP's security history; October only allows the index.php script to be executed by the public, and this alone makes it miles ahead in terms of security. The default .htaccess provided will enforce these rules and in general the site will not function without it.
WP Refugees Lol
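A post-deployment check for the whitelist approach discussed in this thread, as an added example that is not part of the thread or of October CMS: it reports any path from the nginx rewrite rules quoted in the question that is reachable under the mirrored web root. `audit_public_mirror` is a hypothetical helper name, and the list of protected paths is taken from those rewrite rules.

```shell
#!/bin/sh
# Added example (not October CMS code). audit_public_mirror is a
# hypothetical helper; the protected paths come from the nginx rewrite
# rules quoted in the question.
#
# Usage after the mirror step:  audit_public_mirror public || exit 1
#
# Prints one "EXPOSED <path>" line per protected path reachable under the
# web root. Returns 0 if clean, 1 if anything is exposed, 2 on bad input.
audit_public_mirror() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    found=0

    # Directories that the blacklist rules route to index.php.
    for p in bootstrap config vendor storage/cms storage/logs \
             storage/framework storage/temp/protected \
             storage/app/uploads/protected; do
        # -e follows symlinks, so a symlink to the real directory counts.
        if [ -e "$root/$p" ]; then
            echo "EXPOSED $p"
            found=1
        fi
    done

    # Theme templates: themes/<name>/(layouts|pages|partials)/...htm
    for d in "$root"/themes/*/layouts "$root"/themes/*/pages \
             "$root"/themes/*/partials; do
        [ -d "$d" ] || continue   # unmatched glob or missing directory
        # -L makes find follow symlinks inside the mirror.
        if [ -n "$(find -L "$d" -type f -name '*.htm' 2>/dev/null | head -n 1)" ]; then
            echo "EXPOSED ${d#"$root"/}"
            found=1
        fi
    done

    return "$found"
}
```

Run it as the last step before `php artisan up`, so a mirror that exposes a protected path keeps the site in maintenance mode instead of going live.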