
Reword the `Resource access restrictions` chapter

Open cedric-anne opened this issue 10 months ago • 4 comments

cedric-anne Jan 22 '25 11:01

> PHP files shouldn't be in the public directory at all

This is only to support legacy scripts. There are a lot of plugins that have PHP files outside their ajax or front directory. They should probably review them to transform them into Symfony controllers, but handling them would give plugin developers more time to refactor their code.

> I see no good reason to support ".js.php" types of assets.

I agree that having JS files rendered by PHP is not really a good practice, but I think trying to filter resources depending on their type is not our job. As long as a plugin developer puts a resource in the public dir of their plugin, it clearly indicates that this resource must be public. For instance, the gappessentials plugin has an apirest.php script in its root directory (https://github.com/ticgal/gappessentials/blob/master/apirest.php), and moving it to the public dir of the plugin to make it public makes it possible to not change any URL in the applications using this endpoint.

Anyway, I will change the name of the resource to mypluginapi.php. It will be a better example.

cedric-anne Jan 22 '25 12:01

Maybe we should just inform users that it's not a good practice? For now, the main problem is we do not have any existing alternative to propose.

trasher Jan 22 '25 13:01

> Maybe we should just inform users that it's not a good practice? For now, the main problem is we do not have any existing alternative to propose.

We have to write documentation about how to create a plugin Symfony controller to be able to add a note indicating that legacy scripts should be refactored. We also have to write documentation indicating that we have some generic controllers (not yet completely finished) and how to use them.

I guess both should be done in separate PRs, but we can keep the current PR in draft mode for the moment.

cedric-anne Jan 22 '25 13:01

If this is only for scripts that were in the root of a plugin folder and nothing else like the inc and src folders, then I think I misunderstood and it needs clarified in the documentation.

cconard96 Jan 22 '25 13:01