
Block web access to .env and add note about Lokalise API key#1922

Merged
osma merged 2 commits into main from fix-env-access on Feb 4, 2026
Conversation

@osma osma commented Feb 4, 2026

Reasons for creating this PR

We have received reports that the Lokalise API key in .env has leaked. However, the key is read-only and intended to be public, as documented in Translation in the wiki. This PR adds a note to the .env file stating that the key is public. In addition, this PR makes Skosmos installations more secure by preventing Apache web access to files like .git and .env, which could potentially contain secrets (even though the default key in .env is not a secret).

How to test: try accessing http://localhost/Skosmos/.env (or similar URL), it should now give a 403 Forbidden error.

Link to relevant issue(s), if any

none

Description of the changes in this PR

  • add note to .env
  • add mod_rewrite rule blocking Apache web access to files like .htaccess and .env

Known problems or uncertainties in this PR

none

Checklist

  • phpUnit tests pass locally with my changes
  • I have added tests that show that the new code works, or tests are not relevant for this PR (e.g. only HTML/CSS changes)
  • The PR doesn't reduce accessibility of the front-end code (e.g. tab focus, scaling to different resolutions, use of .sr-only class, color contrast)
  • The PR doesn't introduce unintended code changes (e.g. empty lines or useless reindentation)
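The blocking rule described in this PR is not reproduced on the page, so the fragment below is an added illustration written by the editor, not the rule Skosmos merged. It is a `.htaccess` fragment that assumes Apache 2.4 with mod_rewrite enabled and `AllowOverride` permitting `FileInfo` and `Limit` in the application directory. It goes one step beyond the PR text in two ways a practitioner usually wants: it exempts `/.well-known/` (used by ACME and similar protocols) from the dotfile block, and it adds a `<FilesMatch>` fallback for the single-file cases in case the rewrite rule is later reordered behind a front-controller rule.

```apache
# Added example, not the Skosmos project's own configuration.
# Deny web access to dotfiles and dot-directories (.env, .git/*, .htaccess, ...)
# while leaving /.well-known/ reachable. Assumes Apache 2.4 and that this
# .htaccess is honoured (AllowOverride FileInfo Limit, or stricter equivalents).
RewriteEngine On

# Any path segment that starts with "." and is not exactly "well-known" -> 403.
# In per-directory (.htaccess) context the tested path has no leading slash,
# hence the (^|/) alternative. Keep this rule ABOVE any front-controller rule
# that rewrites unknown paths to index.php, or such requests never reach it.
#   .env                         -> blocked
#   .git/config                  -> blocked (directory, handled only here)
#   sub/dir/.env                 -> blocked
#   .well-known/acme-challenge/x -> allowed
#   foo.env, index.php           -> allowed (dot is not at a segment start)
RewriteRule "(^|/)\.(?!well-known(/|$))" - [F,L]

# Fallback for single files if the rewrite rule is ever bypassed or disabled.
# FilesMatch sees only the final filename, so it cannot cover .git/config;
# the rewrite rule above (or a <DirectoryMatch> in server config) is needed
# for dot-directories. "Require all denied" is 2.4 syntax; 2.2 used
# "Deny from all".
<FilesMatch "^\.(env|htaccess|htpasswd)$">
    Require all denied
</FilesMatch>
```

To check the result in the way the PR description suggests, request the file directly and look at the status line, for example `curl -sI http://localhost/Skosmos/.env | head -1`, and repeat for `.git/HEAD` on an installation deployed from a git checkout; both should answer `403 Forbidden` while `/.well-known/` paths and normal pages are unaffected. If the rule is instead placed in the server or virtual-host configuration rather than `.htaccess`, the tested path carries a leading slash and the `(^|/)` alternative still matches.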

@osma osma added this to the 3.1 milestone Feb 4, 2026
@osma osma self-assigned this Feb 4, 2026
@osma osma added the bug label Feb 4, 2026
@osma osma requested a review from miguelvaara February 4, 2026 13:55

sonarqubecloud bot commented Feb 4, 2026


codecov bot commented Feb 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.08%. Comparing base (3ef6d58) to head (184e438).
⚠️ Report is 49 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main    #1922      +/-   ##
============================================
- Coverage     71.03%   70.08%   -0.95%     
+ Complexity     1694     1670      -24     
============================================
  Files            34       34              
  Lines          4502     4393     -109     
============================================
- Hits           3198     3079     -119     
- Misses         1304     1314      +10     

@miguelvaara miguelvaara left a comment


Works as intended and well done in every way. Can be merged! Thanks! :-)

@osma osma merged commit a450485 into main Feb 4, 2026
33 of 39 checks passed
@osma osma deleted the fix-env-access branch February 4, 2026 14:40