From 8cf8f9ef078b31473e9edcb4b9a61a80e3152c0c Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Wed, 30 Jan 2019 21:34:04 -0800
Subject: Disable by default plugin installer

- There is no code review or any approval process to submit a plugin.
- Anyone can submit a backdoor as plugin.
- This is up to the Kanboard instance owner to validate if a plugin is legit.
---
 app/constants.php | 2 +-
 config.default.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/constants.php b/app/constants.php
index af26856f..21f911f7 100644
--- a/app/constants.php
+++ b/app/constants.php
@@ -21,7 +21,7 @@ defined('CACHE_DIR') or define('CACHE_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'cache'
 // Plugins settings
 defined('PLUGINS_DIR') or define('PLUGINS_DIR', ROOT_DIR.DIRECTORY_SEPARATOR.'plugins');
 defined('PLUGIN_API_URL') or define('PLUGIN_API_URL', 'https://kanboard.org/plugins.json');
-defined('PLUGIN_INSTALLER') or define('PLUGIN_INSTALLER', true);
+defined('PLUGIN_INSTALLER') or define('PLUGIN_INSTALLER', false); // Disabled by default for security reason
 // Enable/disable debug
 defined('DEBUG') or define('DEBUG', strtolower(getenv('DEBUG')) === 'true');
diff --git a/config.default.php b/config.default.php
index 59a1f346..d845b277 100644
--- a/config.default.php
+++ b/config.default.php
@@ -24,8 +24,8 @@ define('PLUGINS_DIR', __DIR__.DIRECTORY_SEPARATOR.'plugins');
 // Plugins directory URL
 define('PLUGIN_API_URL', 'https://kanboard.org/plugins.json');
-// Enable/Disable plugin installer
-define('PLUGIN_INSTALLER', true);
+// Enable/Disable plugin installer (Disabled by default for security reason)
+define('PLUGIN_INSTALLER', false);
 // Available cache drivers are "file" and "memory"
 define('CACHE_DRIVER', 'memory');
-- cgit v1.2.3
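Review bot: The trailing comment on the new `PLUGIN_INSTALLER` default in app/constants.php says only "for security reason", so the reasoning given in the commit message is lost to anyone reading the file later. I would spell the risk out in place, for example `// Disabled by default: directory plugins are not reviewed, and installing one runs third-party code on the server`. The same gap is in the config.default.php hunk, whose parenthetical should name the risk as well.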
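Review bot: An instance whose own config file already contains `define('PLUGIN_INSTALLER', true);` is not changed by the new template default in config.default.php, and the `defined(...) or define(...)` guard in app/constants.php will not override it if that file is loaded first (the load order is not visible in this patch). The comment above the define is a good place to say so: `// Existing config files keep their own value; leave this false unless every plugin is vetted before install`. A line in the upgrade notes asking administrators to check their current setting would cover installs that are upgraded in place.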