Your symlink is a good idea, but I would suggest adding a .htaccess inside it to protect you in case to ensure that the directory has the NoExec flag (or equivalent, if you’re not using Apache).
Although unprivileged users can’t upload to the press/publisher library, if you did have a malicious user with a Journal Manager account, they could presumably upload a script file to that directory and then execute it via the symlink. A NoExec flag would protect against that.
Regards,
Alec Smecher
Public Knowledge Project Team
Hi @asmecher
How do I link to files stored in Publishers Library? In OJS 2 we could give access to the public folder under Files Browser and link to the content making the link open for readers who wasn’t logged in. I’m looking for a similar solution in OJS 3, but because the Files Browser link isn’t a part of OJS 3 I’ve hoped to use the Publisher Library. Unfortunately I haven’t had any success. I’ve tried the following link: /$$$call$$$/api/file/file-api/download-library-file?libraryFileId=14" but it only gives you access if you’re logged in.
Best
Niels Erik
I think this feature is not available in OJS 3 any more – the publisher library is only for internal (not public) use. I am afraid that only way to provide any public files for download in the OJS 3 would be to upload them directly to the server, e.g. to the OJS public folder.
We will for sure work on a new solution for it, but I do not know when…
@asmecher@bozana
The bug, that OJS doesn’t delete the files on the server, when they are deleted in Settings > Workflow Settings > Publisher Library
still remained up to now (OJS 3.1.2-1)!
Where to post a bug report (bug issue ticket) on this?