Ensuring system security
Configuring access to dataroot
In the Notifications screenshot earlier in the chapter, you probably spotted the warning that the
dataroot directory is directly accessible via the internet. Moodle requires additional space on a server to store uploaded files, such as course documents and user pictures. The directory is called
dataroot and must not be accessible via the web. If this directory is accessible directly, unauthorized users can get access to content.
$CFG->dataroot must not be accessible via the web!
dataroot from being accessible, move the directory outside the web directory (ensure not to mangle permissions) and modify
config.php accordingly by changing the
In externally hosted environments...