I am developing a theme for my journal, and I would like to know if there are any security issues introduced when modifying core files stored in siteroot/lib/pkp/templates/common?
Specifically I want to copy some of the core navbar display code and put it into the footer. I want this code to be dependent on a theme (so the default theme will not be altered), by putting the core footer display code from siteroot/lib/pkp/templates/common/footer.tpl, into its own custom theme file.
Thus the footer will be completely displayed from one file located here:
This would mean that core code that makes calls to the database would be stored in this directory, and I do not know if that creates a security problem. If it does, I could come up with a workaround keeping core code intact.
As a general note, never expose anything in webroot which you would not want the world to see.
Note that your site configuration is actually a PHP file (config.inc.php) and it simply exits without displaying anything. This means if someone requests the file directly, they just get a blank response.
If you were to put database credentials in a non-executable file (such as templates), and if these templates are exposed within webroot (as is the default), you are creating a security risk. Template files could be downloaded directly over the public web.
In the default install, this is not a security concern because these templates only contain public information (which is already available to anyone on GitHub), but if you make changes, be sure your changes are intended to be public as well (or are appropriately protected from prying eyes).
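One way to check a custom theme before deploying it, added here as an example that is not part of the original thread or of the PKP code base: the script walks a theme directory and flags lines in non-executable files that look like credentials. The extension list, the patterns, and the `myTheme` directory with its file contents are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Extensions a PHP web server typically returns as plain text instead of executing (assumed list).
STATIC_EXTS = {".tpl", ".txt", ".xml", ".json", ".ini", ".bak"}

# Heuristic patterns for values that should not be publicly readable (assumed, not exhaustive).
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|secret|api_?key|token)\b\s*[:=]\s*['\"]?[^\s'\"{}$]{4,}"),
    re.compile(r"(?i)\b(mysql|mysqli|pgsql|postgres)://[^\s:/@]+:[^\s@]+@"),
]

def scan_static_files(root):
    """Return (relative path, line number, line) for each suspicious line under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in STATIC_EXTS:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if any(p.search(line) for p in SECRET_PATTERNS):
                findings.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return findings

def demo():
    """Build a constructed theme directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "myTheme" / "templates"
        theme.mkdir(parents=True)
        # A template comment never appears in the rendered page,
        # but it is served as-is if the .tpl file is requested directly.
        (theme / "footer.tpl").write_text(
            "<footer>{$siteTitle}</footer>\n"
            "{* db password = 'hunter2-example' *}\n"
        )
        (theme / "header.tpl").write_text("<nav>{$primaryMenu}</nav>\n")
        return scan_static_files(Path(tmp) / "myTheme")

if __name__ == "__main__":
    for rel, lineno, line in demo():
        print(f"{rel}:{lineno}: {line}")
```

A clean result only means none of these patterns matched; it does not replace reading the template and confirming that everything in it is meant to be public.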