From 63d9dec120b1835e9b438035933b28aedc69d3da Mon Sep 17 00:00:00 2001 From: Yannick Warnier Date: Tue, 2 Jan 2024 15:20:50 +0100 Subject: [PATCH] Documentation: Add documentation about setting 'block_my_files_access' to security.html --- documentation/security.html | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/documentation/security.html b/documentation/security.html index 1d13a688e6..21b6e5524a 100755 --- a/documentation/security.html +++ b/documentation/security.html @@ -197,7 +197,27 @@ This will prevent direct access to your settings and make it seem totally the sa this way (there is an exception for that). We believe that these resources do not contain confidential information. If you *DO* have confidential information in images, CSS or JavaScript files, you will need to update - these rules to suit your needs. + these rules to suit your needs.
+
+

Access to "personal" files

+ In Chamilo 1.*, it is possible to upload files to one's "personal" folder + through the social network page, or through any upload popup that allows + you to choose the file destination (and you select your personal folder).
+
+ Due to the development background in Chamilo, these files are then directly + accessible by anonymous users, which can lead to personal data leaks. This + has been left in this mode by default because many teacher users had used + this option to share common images between different courses and blocking + the feature would have meant public courses would not have shown the given + images.
+
+ To avoid this issue and make files accessible *only* to authenticated users, + please set the following option to 'true' in configuration.php:
+
+ 
+    $_configuration['block_my_files_access'] = true;
+ This will prevent anonymous access, but will not prevent access from other + authenticated users.

Disable webservices