What counts as a non-web-accessible location?

Just curious, what are the best practices as far as creating a storage directory for uploaded files?

Directions say:
3. Create a directory to store uploaded files (submission files, etc.)
and make this directory writeable. It is recommended that this
directory be placed in a non-web-accessible location (or otherwise
protected from direct access, such as via .htaccess rules).

but this doesn’t give a ton of guidance on who needs access or what kind of access is required. What does a good file structure look like that seems to be working for everyone, assuming my ojs is in /var/www/my-domain?


Hi @thermos,

Can you please indicate the version of OJS you are using?

PKP Team

Hi Roger,

Sorry! I am on 3.3 and ubuntu 20.4 + apache2

Thanks :slight_smile:

Hi @thermos,

Effectively this means that it shouldn’t be in the same folder as where the core OJS files are stored. So, if in ubuntu your web root is /var/www/html/ojs - you’ll want to ensure that it is not in that same /ojs directory (or even /html). The README file for OJS (https://pkp.sfu.ca/ojs/README) gives some explanation as to why this is necessary:

* Install OJS so that the files directory is NOT a subdirectory of the OJS installation and cannot be accessed directly via the web server. Restrict file permissions as much as possible. Automated backups of this directory should be roughly synchronized with database backups.

PKP team

Hi Roger,
Thanks. I guess I’m wanting to make sure that it was that this directory not supposed to be in the same folder as core OJS files as opposed to “not web accessible.” For example, my /var/www/html file is web-accessible, but it’s also not a subdirectory of ojs. It sounds like I should put this directory inside my /var/www directory, and that this is a best practice.

Hi @thermos & @rcgillis,

To be clear – putting your files directory inside /var/www/html is not safe! A malicious user can construct a URL to directly download and/or execute a file inside that directory.

It’s hard for us to come up with specific guidance, because each server is different, but putting the files directory somewhere like /home/myuser/ojs-files would be an example of a safe deployment, since it cannot be accessed via the web server.

Alec Smecher
Public Knowledge Project Team

1 Like