Security and privacy

For reference:

http://docs.moodle.org/en/Creating_Moodle_site_data_directory

I have changed my apache httpd.conf to include:

<Directory "C:\wip\moodle-mooching\moodle-data">

Order allow,deny

Deny from all

</Directory>

This correctly serves a 403 forbidden, but still fails to work with the Moodle installer.

For development, I just create the config.php file by hand when I install Moodle (you can start by copying config-dist.php and then editing it). That will let you install Moodle. Then I just ignore the insecure dataroot warning on the admin page.

Quick way out of the moodledata security impasse! 

This has taken up the past EIGHT hours of my day and below is how I quickly solved the problem, with the help of my hosts 1and1.  Hopefully this will save others the sheer torment of an installation that will not proceed!!  I am on a linux shared server and do not have access to levels above my webroot (i.e. I can get into, but cannot see above, my htdocs/public_html folder).  I am not alone because I've been reading all the posts!

Skippable-rant: The web is full of people frustrated with Moodle and with their hosts because of this particular installation impasse.  It is utterly ridiculous that Moodle is configured to install in a way that will be defeated by most of the cheaper web hosts where access beyond the webroot is disallowed. Especially when the solution below is so simple.  Why on Earth is it not mentioned in the installation instructions!  

First, I had tried all the other offered solutions which have worked for some people but not for me: changing moodledata permissions to 750, 755, 700 etc; creating a .htaccess file etc.  No good.

My hosts 1and1 responded quickly (less than one hour) with the following suggestion which I am certain would also work on other hosts:

Regarding your Moodle installation, please change the destination of your [mydomain.co.uk] domain to "/moodle" to resolve the problem in the moodledata folder section. After changing the destination of the domain, please give it about 3-5 minutes for the server to refresh and after that, proceed with the installation. To change the destination of the domain, please follow the steps provided in the link below.

http://faq.1and1.co.uk/domains/domain_admin/domain_dest/2.html

As I say, this worked, and would work similarly for other hosts I am sure.  I chose to point my domain at moodle, as they suggested.  Obviously, this will not be the solution everybody wants.  But there is the option to create another folder for the domain to point at, and put moodledata alongside it and moodle itself (and any other sites using the same domain) inside it.  This creates a level of invisibility above the moodle folder that satisfies the installer!

This would work (with your domain configured to point here *) if you want to run your moodle as http://yourdomain.com/moodle:

1. /htdocs (no access above this point)
   1. /magicfolder1*
      1. /moodle
      2. /otherwebsite1
      3. /otherwebsite2
   2. /moodledata

In my case, my moodle is now to be found at http://mydomain.co.uk/ which works fine for me:

1. /htdocs (no access above this point)
   1. /moodle*
   2. /moodledata

Kind of obvious when we think about it!  So somebody with the permissions please add it to the installation instructions!

Paul