Disallow uploading a file to root folder?

[Alex-Jordan]

This is another idea I have that I want to check in about before I try to implement it. There is still one or two ways an instructor can overwrite course.conf, even when they do not have permission to do so. This is more and more problematic for me both at PCC and with Runestone. What I would like to do is make it so that in File Manager, it's just not possible to upload a file. You could still create a folder. But the system just won't allow you to upload. Maybe it would allow you if you have a new special permission, so that admin level users could still do things.

I hesitate because maybe this solves nothing if there is still a way for users to effectively edit their course.conf and simple.conf files. And if that's the case, doing what I am thinking of would just be adding clutter.

[drgrice1]

I do not think the functionality of uploading a file should be removed. Perhaps a special permission could be added that allows uploading by default, and on your servers, you can change that.

Better though would be to properly implement this. The framework is now all there to make it so that there is no way that an instructor can modify those files specifically. Although there is more that should be done. Currently an instructor can delete things they should not delete, like any of the required directories (specifically the templates directory).

[Alex-Jordan]

One thing that can be done currently is uploading a tgz file that unpacks and overwrites course.conf.

[drgrice1]

Yes, and that one can be fixed now. With the change from using shell commands to using Perl modules, we can now control what files are allowed to be overwritten with much finer granularity.

[Alex-Jordan]

OK, that might solve all my problems. Do we already prevent tar/zip from unpacking with relative paths that can back up in the tree? I think so, but just checking.

[drgrice1]

Yes, we prevent that already.