I have installed OJS on my own server. In the installation process, it is required to create a folder that is writable by PHP (apache = www-data), but not accessible from the browser. The folder is used to save uploaded manuscripts, which must not be viewable by the public, but must be readable by the software itself. I changed the httpd.conf file to deny listing of the files in the folder, but the problem does not seem to be completely solved. In fact, although the file names are random, if a malicious or curious user has the exact file name of the original manuscript, she/he can download the file. Please note that there are numerous such manuscripts on my server now (Ubuntu 12.04.4). Is there any way I can prevent them from downloading (at least for unauthorized users not registered as editor)?
The README told you what to do. The relevant parts:
* Install OJS so that the files directory is NOT a subdirectory of the OJS installation and cannot be accessed directly via the web server.

3. Create a directory to store uploaded files (submission files, etc.) and make this directory writeable. It is recommended that this directory be placed in a non-web-accessible location (or otherwise protected from direct access, such as via .htaccess rules).
This means the files directory you use for uploads should not be under the
DocumentRoot. Of course you have to specify its location in
config.inc.php if you already completed the installation.

    [files]

    ; Complete path to directory to store uploaded files
    ; (This directory should not be directly web-accessible)
    ; Windows users should use forward slashes
    files_dir = files

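
One way to verify the layout the README asks for, as an added example that is not part of the original answer or of OJS: the script reads `files_dir` from the `[files]` section of `config.inc.php` and reports whether it resolves (symlinks included) to a location under the Apache DocumentRoot. The function names are hypothetical, and it assumes a relative `files_dir` is resolved against the directory that holds `config.inc.php`.

```shell
#!/bin/sh
# Added example: does OJS's files_dir end up inside the web root?
# Usage: sh check_files_dir.sh /path/to/ojs/config.inc.php /path/to/DocumentRoot

# Print the files_dir value from the [files] section only.
get_files_dir() {
    awk '
        /^[ \t]*\[/ { in_files = ($0 ~ /^[ \t]*\[files\]/); next }
        in_files && /^[ \t]*files_dir[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "files_dir ="
            sub(/[ \t]+$/, "")         # drop trailing blanks
            gsub(/^"|"$/, "")          # drop optional quotes
            print; exit
        }' "$1"
}

# Return 0 if files_dir is outside the web root, 1 if inside, 2 on error.
check_files_dir() {
    config=$1
    docroot=$2
    dir=$(get_files_dir "$config")
    [ -n "$dir" ] || { echo "files_dir not found in $config" >&2; return 2; }
    # Assumption: a relative value is relative to the OJS install directory.
    case $dir in
        /*) ;;
        *)  dir=$(dirname "$config")/$dir ;;
    esac
    # Resolve symlinks and ".." so a link into the web root is caught too.
    real_dir=$(cd "$dir" 2>/dev/null && pwd -P) ||
        { echo "cannot enter $dir" >&2; return 2; }
    real_root=$(cd "$docroot" 2>/dev/null && pwd -P) ||
        { echo "cannot enter $docroot" >&2; return 2; }
    case $real_dir/ in
        "$real_root"/*)
            echo "EXPOSED: $real_dir is under $real_root"; return 1 ;;
        *)
            echo "OK: $real_dir is outside $real_root"; return 0 ;;
    esac
}

if [ $# -eq 2 ]; then
    check_files_dir "$1" "$2"
fi
```

With the default `files_dir = files` shown above and OJS installed under the DocumentRoot, the check reports EXPOSED, which matches the behaviour described in the question.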
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.