Contemplate™ Web Templating System  

Latest release

Contemplate 2.0.2
16 Nov 2011

Security

The purpose of Contemplate is to display content from your web server, but there are some files and data that you will want to keep private. This page explains how Contemplate controls access to your content.

Limit file access

The config/constants.php file contains a READ_FILES_FROM setting that is a comma-delimited list of directories in your website. Contemplate will only read files from these directories. By default, the value is set to "../contemplate/config/,../content/,../templates/". This allows Contemplate to read its own config files (constants.php and pages.txt), plus the content and template files you create. You can list additional directories here if you want to keep your functionality scripts in a separate directory, or organize your files differently. Please do not put any files into these directories that you do not wish the public to see!

A related setting, READ_FILES_RECURSIVELY, is enabled by default. If you disable it, Contemplate will not read files from subdirectories of the READ_FILES_FROM directories.
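As an added illustration of how a directory allow-list like READ_FILES_FROM works together with READ_FILES_RECURSIVELY, the following PHP resolves the requested path and each listed directory with realpath() before comparing them, so a path that uses ".." or a symlink to point outside the list is refused. This is example code, not Contemplate's own; the function name, the temporary site layout and the allow-list value are constructed for the demonstration.

```php
<?php
// Added illustration of an allow-list file check in the style of the
// READ_FILES_FROM / READ_FILES_RECURSIVELY settings. Not Contemplate's own
// code: the function name and the temporary site layout are constructed here.
/**
 * True only if $requested resolves to an existing regular file inside one of
 * the comma-separated $allowedDirs. Both sides go through realpath() so that
 * "..", symlinks and repeated slashes cannot step outside the listed folders.
 * With $recursive false, files in subdirectories are rejected (READ_FILES_RECURSIVELY off).
 */
function isReadableLocation(string $requested, string $allowedDirs, bool $recursive): bool
{
    $real = realpath($requested);
    if ($real === false || !is_file($real)) {
        return false;                              // missing or unresolvable
    }
    foreach (explode(',', $allowedDirs) as $dir) {
        $base = realpath(trim($dir));
        if ($base === false) {
            continue;                              // listed folder does not exist
        }
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $base, strlen($base)) !== 0) {
            continue;                              // not under this folder
        }
        if ($recursive || dirname($real) . DIRECTORY_SEPARATOR === $base) {
            return true;                           // direct child, or recursion allowed
        }
    }
    return false;
}

// Constructed demonstration: a throwaway site layout under the temp directory.
$root = sys_get_temp_dir() . '/contemplate_demo_' . getmypid();
mkdir("$root/content/sub", 0700, true);
mkdir("$root/private", 0700, true);
file_put_contents("$root/content/page.txt", 'public');
file_put_contents("$root/content/sub/page.txt", 'public');
file_put_contents("$root/private/db.php", 'not for visitors');
$allowed = "$root/content/,$root/templates/";      // templates/ is absent and skipped
$cases = [
    'direct child, recursion off'  => ["$root/content/page.txt", false],
    'subdirectory, recursion off'  => ["$root/content/sub/page.txt", false],
    'subdirectory, recursion on'   => ["$root/content/sub/page.txt", true],
    'traversal out of content/'    => ["$root/content/../private/db.php", true],
];
foreach ($cases as $label => [$path, $recursive]) {
    printf("%-28s %s\n", $label, isReadableLocation($path, $allowed, $recursive) ? 'allowed' : 'denied');
}
```

The last case shows why canonicalising with realpath() matters: the textual path begins with the allowed content/ directory, but the file it actually resolves to lives in private/ and is denied.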

Limit database access

If you store any of your content in a database, the CONTENT_DATABASE_TABLES setting works like the READ_FILES_FROM setting. List your content tables here, and Contemplate will only read from those tables. This lets you keep your content in one or more tables of your database without inadvertently exposing the rest of the database.

Limit config access

By default, a site visitor who knows the Contemplate file structure can browse to contemplate/config/pages.txt to view your page definitions. This would reveal pages you've built but aren't ready to release yet, and if you link to functionality scripts in separate files, it would reveal the locations of those files. So, it's a good idea to block access to the pages.txt file.

The Contemplate download includes a sample htaccess file with an Apache <Files> directive to block access. If you move the htaccess file to your website root directory (and add a dot to the beginning of its filename), or copy this directive into an existing .htaccess file, the pages.txt file will be hidden from public view.

The config/constants.php file does not need this kind of protection, because a visitor who browses to it causes the server to execute the script rather than display its source (as long as the server is configured to run PHP files in that directory).

Reporter password

By default, a site visitor who knows the Contemplate file structure can browse to contemplate/reporter/reporter.php to view your traffic reports. You can password-protect your reports by entering a password for the PASSWORD setting in config/constants.php. Once this is set, the Reporter will prompt users to enter the password before displaying the reports.

Contemplate is developed by Arlo Leach.