@florianjacob opened this Issue on April 27th 2017 Contributor

From https://github.com/piwik/piwik/issues/1453#issuecomment-48299263 by @robocoder, I learned that you should be able to overwrite PIWIK_USER_PATH via bootstrap.php to move the writable piwik folders, config and tmp, to a read-write directory, and keep the rest read-only.

I found out that I need to copy the config folder to PIWIK_USER_PATH, and tmp is created automatically.

Problem is: Afterwards, there are errors about missing plugin folders and unfound stylesheet files. I investigated the code and found suspicious uses of PIWIK_USER_PATH in core/AssetManager/UIAssetFetcher.php and core/AssetManager/UIAssetMerger/StylesheetUIAssetMerger.php which look like they should be PIWIK_INCLUDE_PATH. I tried to patch them to PIWIK_INCLUDE_PATH, I can load the page then, but it renders without stylesheets. 😢 In that state, I could not find any error messages, so I don't really know what's not working.

https://piwik.org/docs/include-piwik-in-your-project/#bootstrap-php-execute-custom-code-before-piwik-runs notes that using PIWIK_USER_PATH and PIWIK_INCLUDE_PATH “facilitates a ‘best practice’ of preventing direct access to PHP files.” – I could not find concrete examples on how and what exactly to do to achieve this, e.g. whether I also should copy plugins or so.

Related: https://github.com/piwik/piwik/issues/10854

Steps to reproduce:

  1. download piwik in a new directory from your webserver, e.g. /var/www/piwik
  2. add bootstrap.php with e.g.:
    <?php
    define('PIWIK_USER_PATH', '/var/lib/piwik');
    ?>
  3. create /var/lib/piwik and make it writable from the webserver
  4. copy /var/www/piwik/config into /var/lib/piwik
  5. access piwik

Result:

Piwik encoutered an error: An exception has been thrown during the rendering of a template ("The ui asset with 'href' = /var/lib/piwik/plugins/Morpheus/stylesheets/base/bootstrap.css is not readable").

I don't know how to get a working PIWIK_USER_PATH, seems like there is more to it than the presumably wrong use of PIWIK_USER_PATH in AssetManager classes which I do not understand.

(Not important for the problem, but for people who find this through search: I'm trying to do this to create a Nix package and NixOS module, where I have to separate stateful and stateless files)

@robocoder commented on April 27th 2017 Contributor

In hindsight, PIWIK_USER_PATH was a kludge as it accommodated the ability to drop piwik into a web folder and treat that as the doc root, instead of doing the right thing from the beginning.

Nowadays, it would be more conventional to have index.php and piwik.js in a public folder and force the user to set the DocumentRoot correctly.

@florianjacob commented on May 2nd 2017 Contributor

@robocoder I understand your suggestion with a public folder, it sounds like something I want as well. 😄 Thank you!
Can I achieve this setup by creating a public folder like this myself, moving the relevant files in there, and using PIWIK_INCLUDE_PATH to point outside of public?

But even then, I think I need something like PIWIK_USER_PATH to separate local state files from files that can be read-only and get upgraded on a new release only.

I found out that my other problems after patching PIWIK_USER_PATH to PIWIK_INCLUDE_PATH were resulting from whitespace in my bootstrap.php, and vanished after I found them and cleaned up.
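
The whitespace problem described in the comment above can be checked mechanically, because PHP sends every byte that lies outside the `<?php ... ?>` tags (including a UTF-8 BOM) to the response. The following lint is an added example, not code from this issue or from Piwik; the function name `stray_output` and the sample byte strings are constructed for illustration.

```python
"""Lint a Piwik bootstrap.php for bytes PHP would emit as page output."""
import sys
from pathlib import Path

BOM = b"\xef\xbb\xbf"
OPEN_TAG = b"<?php"
CLOSE_TAG = b"?>"


def stray_output(data: bytes) -> list[str]:
    """Return findings for bytes that lie outside the PHP tags.

    Simplification: a '?>' inside a PHP string or comment is not recognised.
    """
    findings = []
    if data.startswith(BOM):
        findings.append("UTF-8 BOM before the opening tag")
        data = data[len(BOM):]
    start = data.find(OPEN_TAG)
    if start == -1:
        return findings + ["no <?php tag: the whole file is emitted as output"]
    if start > 0:
        findings.append(f"{start} byte(s) before <?php: {data[:start]!r}")
    end = data.rfind(CLOSE_TAG)
    if end > data.rfind(OPEN_TAG):  # file ends outside PHP mode
        tail = data[end + len(CLOSE_TAG):]
        # PHP swallows exactly one newline directly after a closing tag.
        for newline in (b"\r\n", b"\n"):
            if tail.startswith(newline):
                tail = tail[len(newline):]
                break
        if tail:
            findings.append(f"{len(tail)} byte(s) after ?>: {tail!r}")
    return findings


# Constructed samples, not files from the issue.
CLEAN = b"<?php\ndefine('PIWIK_USER_PATH', '/var/lib/piwik');\n"
CLOSED = b"<?php\ndefine('PIWIK_USER_PATH', '/var/lib/piwik');\n?>\n"
DIRTY = b"\n<?php\ndefine('PIWIK_USER_PATH', '/var/lib/piwik');\n?>\n\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        samples = {p: Path(p).read_bytes() for p in sys.argv[1:]}
    else:
        samples = {"CLEAN": CLEAN, "CLOSED": CLOSED, "DIRTY": DIRTY}
    for name, content in samples.items():
        for finding in stray_output(content) or ["no stray output"]:
            print(f"{name}: {finding}")
```

Leaving out the closing `?>` in a PHP-only file, as in the `CLEAN` sample, removes the trailing-whitespace case entirely.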

@florianjacob commented on May 2nd 2017 Contributor

I wrote a PR at #11661 which seems to fix all problems I had with PIWIK_USER_PATH - at least I could not find something else that does not work.

This Issue was closed on July 25th 2017