Application¶
The behavior of PHP code often depends strongly on the values of many configuration settings, including fundamental changes to things like how errors are handled.
We defined some sane configuration defaults in our installation instructions. Namely, these settings are defined in the PHP pool
(/etc/php7.4/fpm/php-fpm.conf) and they are prioritized over those
defined in /etc/php/7.4/fpm/php.ini. Be aware that multiple configuration
files are read when PHP starts up, therefore it is a good practice to check the
final configuration state when you are deploying AtoM. You can use
phpinfo() for that
purpose.
See also
There are certain settings in PHP that could be tweaked as a security measure
but they may have unexpected results in AtoM. For example, you may be tempted to
disable allow_url_fopen but that would make impossible for AtoM to fetch
digital objects from remote resources. These settings only seem convenient for
hosting providers running untrusted code from their users or willing to limit
their abilities in runtime.
Making AtoM read-only¶
In some cases, you may want to prevent users from being able to log into the application via the user interface - for example, if you are running a separate AtoM instance as a read-only front end, while maintaining a read/write site internally and using a replication script to copy data to the public site periodically.
Tip
Artefactual maintains a public replication script that can be used to support a two-site deployment, as in the example above. For more information, see:
There are two places in AtoM where you can configure read-only mode - be sure to check both locations.
Tip
Before you do, there is also a user interface setting that can be set to hide the login button - you might want to enable this before disabling login. See:
The first is an environment variable defined in the PHP pool set up during
installation. The location of this file may vary depending on your PHP
version and installation method, but typically for PHP 7.4, you can find this
file at /etc/php/7.4/fpm/pool.d/atom.conf.
The file contains an environment variable called ATOM_READ_ONLY. To put
AtoM into read-only mode (so login is disabled), change this value to “on,” like
so:
env[ATOM_READ_ONLY] = "on"
You will need to restart PHP-FPM after making this change. See:
There is also a setting found in the config/app.yml configuration file. Change this value to:
read_only: true
Once again, you will need to restart PHP-FPM after editing tihs file.
Important
The environment variable located in the PHP pool takes precedence over this
config/app.yml configuration file, so changing the setting here, but
not also in the PHP pool may not prevent login. We recommend changing
the value in both places.
AtoM security panel settings¶
AtoM’s user interface also has some security settings that can be configured by an administrator, such as the ability to require strong passwords, or limiting login to a specific IP or range. For more information, see: