Why is "system" under the web root?
#1

[eluser]Dan Hulton[/eluser]
Your basic CodeIgniter installation looks like:

- index.php
- .htaccess
- /system

This means that all the files in /system are accessible by anyone with some knowledge of CodeIgniter's structure. Heroic measures have been taken to ensure that even though people can access these files, no interesting data will be returned. But why were such heroic measures taken, when the alternative is clear, and far, far simpler:

- /public
--- index.php
--- .htaccess
- /system

Then go into index.php and change the $system_folder variable to "../system". Finally, point your webserver at the new /public directory and voila - no enterprising hackers may access your system folder.

You can take it further, and remove all those wasteful index.html files, and even further still by removing " if ( ! defined('BASEPATH')) exit('No direct script access allowed');" from all your PHP files, but I leave that as an exercise for the reader.

The real question is: Why is this not the format in which CodeIgniter is distributed?
#2

[eluser]Randy Casburn[/eluser]
Hi Dan, A few reasons I would guess...

1) Not everyone has access to the file structure above web root at their hosting company.
2) Some folks just think it's a pain in the butt to maintain when the system is outside the root ( don't shoot _me_ )
3) Some folks don't know what spiders actually are doing
4) :question:

Randy
#3

[eluser]Pascal Kriete[/eluser]
4) You could distribute it nested 20 directories deep and put big red stickers all over it saying "move this", some numbnuts would still put it in the webroot. It's a failsafe, and it's very convenient for when you're writing a distributed app that non-programmers may install and use.

That said, I do believe most of the people here move their system folder.
#4

[eluser]Dan Hulton[/eluser]
#1 is particularly compelling actually, thanks.

Though it would be nice if there were an explicit part of the installation instructions recommending and outlining this practise. =)
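
A check for the layout described in post #1, added here as an example and not part of the original thread: it reads `$system_folder` from a site's index.php and reports whether the resolved folder sits inside or outside the web root. The function names are made up for this example, and resolving a relative value against the directory that holds index.php is an assumption.

```bash
#!/usr/bin/env bash
# Added example: audit whether CodeIgniter's system folder is reachable
# under the web root. Assumes index.php assigns $system_folder as a quoted
# string on one line, as post #1 describes.

# Print the value assigned to $system_folder in the given index.php.
system_folder_setting() {
    sed -n "s/^[[:space:]]*[$]system_folder[[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$1" | head -n 1
}

# check_layout DOCROOT
# Prints "outside" (returns 0) or "inside" (returns 1); returns 2 on error.
check_layout() {
    local docroot sysdir setting
    # Canonicalise the web root so symlinks cannot hide a nested folder.
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "error: no docroot"; return 2; }
    setting=$(system_folder_setting "$docroot/index.php" 2>/dev/null)
    [ -n "$setting" ] || { echo "error: no \$system_folder"; return 2; }
    # Assumption: relative values resolve against the index.php directory.
    case "$setting" in
        /*) sysdir=$setting ;;
        *)  sysdir=$docroot/$setting ;;
    esac
    sysdir=$(cd "$sysdir" 2>/dev/null && pwd -P) || { echo "error: system folder missing"; return 2; }
    # Compare canonical paths with a trailing slash so /srv/www2 is not
    # mistaken for a child of /srv/www.
    case "$sysdir/" in
        "$docroot"/*) echo "inside"; return 1 ;;
        *)            echo "outside"; return 0 ;;
    esac
}
```

Run `check_layout` against the directory the web server is pointed at; a result of `inside` means the system files can still be requested directly.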