
Why is index.php in the root and not in the public folder?

Eivin Landa (User)

Commented 3 years ago

Hi,

I'm a developer and I am considering building modules for Akaunting.
I found it strange that the index.php is placed in the root instead of in the public folder, as is standard in most modern web applications. The implication of this is that the vendor folder is publicly available, leading to potential security risks.

Why is index.php placed in the root?

I've tried moving it into public and search-replacing all the views with the updated path, and it seems to work, so for my personal use and development setup I could make it work. But then it breaks again on every update and I have to redo my changes, which is not ideal.

I would love to see Akaunting as a Laravel package instead of a bundle as it is now. It would make developing for Akaunting a little bit easier, and it would potentially also open up the possibility of modules being composer packages, able to take advantage of the strong ecosystem of packages available for Laravel.

Is there any hope of seeing Akaunting as a Laravel package in a future version?

Denis Dulici (Admin)

Commented 3 years ago

Hello,

Because the target audience of self-hosted Akaunting is not developers but users who can install a CMS like WordPress, OpenCart, etc., and there is no security risk.

Unfortunately, Akaunting won't be shipped as a package at all.

Regards

Eivin Landa (User)

Commented 3 years ago

Thanks for the quick response.
It makes sense to place the index.php in the root to make it easier to install. Unfortunately, it does increase the security risk, as you then have all the 3rd-party libraries exposed in the vendor directory. There might not be any vulnerabilities, but it's difficult to be certain and I would not want to take that risk.

Take the composer/installed.json file as an example: https://akaunting.com/vendor/composer/installed.json

It lists all installed packages with versions and paths for the files. It would be quick work for bots to search for any known vulnerabilities and run exploits if there are any. If you are set on keeping the index in the root, I would recommend configuring the webserver (nginx/apache) to restrict access to the app and vendor directories as a hardening measure.
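The hardening measure suggested in the post above, written out as an nginx server block. This is an added example, not configuration from this thread or from the Akaunting project; the host name, install path and PHP-FPM socket are placeholders, and the list of blocked directories assumes the standard Laravel layout (app, bootstrap, config, database, routes, storage, tests, vendor) on top of the two directories the post names.

```nginx
# Added example (not from the thread or the Akaunting project): nginx server
# block for an install whose index.php sits in the web root, so the
# application and dependency trees are inside the document root and must be
# denied explicitly.
server {
    listen 80;
    server_name akaunting.example.test;        # assumption: placeholder host
    root /var/www/akaunting;                   # assumption: install directory (index.php at the root)
    index index.php;

    # Deny direct HTTP access to source and dependency trees. nginx tries regex
    # locations in order and the first match wins, so this block must come
    # before the PHP handler below; otherwise /vendor/some/package/file.php
    # would still be handed to PHP-FPM and executed.
    # Assumption: standard Laravel directory names.
    location ~ ^/(app|bootstrap|config|database|routes|storage|tests|vendor)/ {
        return 404;
    }

    # Dotfiles such as .env (credentials) and .git (source history) must never
    # be served either. The exception keeps ACME HTTP-01 challenges working.
    location ~ /\.(?!well-known/) {
        return 404;
    }

    # Front-controller routing: real files are served, everything else goes to
    # index.php in the root.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Only PHP files that actually exist are passed to PHP-FPM, and the denied
    # directories above were already excluded before this block is reached.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: FPM socket path
    }
}
```

After reloading nginx, a request such as `curl -sI http://akaunting.example.test/vendor/composer/installed.json` should return `404 Not Found` while the application itself still loads; checking one path from each denied directory (and `/.env`) is a quick regression test to keep in a deploy checklist, since an update that replaces the web server configuration would silently re-expose them. The same rule set can be expressed for Apache with a `<DirectoryMatch>` block containing `Require all denied`, provided `.htaccess` processing is not the only thing relied on.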

Denis Dulici (Admin)

Commented 3 years ago

Here you have it:

https://github.com/akaunting/akaunting/commit/f8ffda26c73e71851f7158fbd68facbc1c8d1950
