Improve documention on access to templates and static_files.

rouilj · rouilj · commit 415182b12cb0 · 2022-11-30T02:22:21.000-05:00
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -52,6 +52,9 @@ Fixed:
 - issue2551195 - port scripts from optparse to argparse (Ralf Schlatterbeck)
 - issue2551246 - mitigation, document how -u doesn't work for
   roundup-admin. (John Rouillard)
+- Document better that files in the template or static_files
+  directories accessed via @@file are available to any user with the
+  url.
 
 Features:
 
diff --git a/doc/customizing.txt b/doc/customizing.txt
@@ -2309,6 +2309,16 @@ Serving static content
 See the previous section `determining web context`_ where it describes
 ``@@file`` paths.
 
+These files are served without any permission checks. Any user on the
+internet with the url can download the file.
+
+This is rarely an issue since the html templates are just source code
+and much of it can be found in the Roundup repository. Other
+decoration (logos, stylesheets) are similarly not security sensitive.
+You can use the static_files setting in config.ini to eliminate
+access to the templates directory if desired.
+
+If a file resolves to a symbolic link, it is not served.
 
 Performing actions in web requests
 ----------------------------------
diff --git a/roundup/configuration.py b/roundup/configuration.py
@@ -991,13 +991,16 @@ def str2value(self, value):
             "Path to the HTML templates directory."),
         (MultiFilePathOption, "static_files", "",
             "A list of space separated directory paths (or a single\n"
-            "directory).  These directories hold additional static\n"
-            "files available via Web UI.  These directories may\n"
-            "contain sitewide images, CSS stylesheets etc. If a '-'\n"
-            "is included, the list processing ends and the TEMPLATES\n"
-            "directory is not searched after the specified\n"
+            "directory).  These directories hold additional public\n"
+            "static files available via Web UI.  These directories\n"
+            "may contain sitewide images, CSS stylesheets etc. If a\n"
+            "'-' is included, the list processing ends and the\n"
+            "TEMPLATES directory is not searched after the specified\n"
             "directories.  If this option is not set, all static\n"
-            "files are taken from the TEMPLATES directory."),
+            "files are taken from the TEMPLATES directory. Access to\n"
+            "these files is public, it is not checked against\n"
+            "registered users. So do not put any sensitive data in\n"
+            "the files in these directories."),
         (MailAddressOption, "admin_email", "roundup-admin",
             "Email address that roundup will complain to if it runs\n"
             "into trouble.\n"
