author | Jennifer Hodgdon <yahgrp@poplarware.com> | 2012-08-31 08:42:21 -0700 |
---|---|---|
committer | Jennifer Hodgdon <yahgrp@poplarware.com> | 2012-08-31 08:42:21 -0700 |
commit | 3782025a16d8c1f01a43b34a44b811e2aaf9b1a4 (patch) | |
tree | 8f1a7bac9fe9e4bccf3229ebc5f1478ff7185f60 /sites | |
parent | eaa33c95185266b0c4d1f6115e8f73284625eff9 (diff) | |
Issue #932110 by dcam, Albert Volkman, jurgenhaas, marji, David_Rothstein: Add note to settings.php about updates and security
Diffstat (limited to 'sites')
-rw-r--r-- | sites/default/default.settings.php | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 0ae34a2bb..7071a5820 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -510,13 +510,21 @@ $conf['404_fast_html'] = '<html xmlns="http://www.w3.org/1999/xhtml"><head><titl
 *
 * The Update manager module included with Drupal provides a mechanism for
 * site administrators to securely install missing updates for the site
- * directly through the web user interface by providing either SSH or FTP
- * credentials. This allows the site to update the new files as the user who
- * owns all the Drupal files, instead of as the user the webserver is running
- * as. However, some sites might wish to disable this functionality, and only
- * update the code directly via SSH or FTP themselves. This setting completely
+ * directly through the web user interface. On securely-configured servers,
+ * the Update manager will require the administrator to provide SSH or FTP
+ * credentials before allowing the installation to proceed; this allows the
+ * site to update the new files as the user who owns all the Drupal files,
+ * instead of as the user the webserver is running as. On servers where the
+ * webserver user is itself the owner of the Drupal files, the administrator
+ * will not be prompted for SSH or FTP credentials (note that these server
+ * setups are common on shared hosting, but are inherently insecure).
+ *
+ * Some sites might wish to disable the above functionality, and only update
+ * the code directly via SSH or FTP themselves. This setting completely
 * disables all functionality related to these authorized file operations.
 *
+ * @see http://drupal.org/node/244924
+ *
 * Remove the leading hash signs to disable.
 */
 # $conf['allow_authorize_operations'] = FALSE; |
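Review bot: The new paragraph calls the setup where the webserver user owns the Drupal files "inherently insecure", but it gives an administrator on such a host no guidance. The next paragraph still presents disabling as something "some sites might wish" to do, so the risk and the setting that addresses it are never connected. I would add a line after the "inherently insecure" sentence, for example ` * On such servers, consider disabling this functionality as described below.` The unchanged opening sentence still says updates are installed "securely", which the new caveat contradicts for those hosts; qualifying it (for example "to install missing updates") would keep the comment consistent. The docblock starts above the hunk, so any earlier wording is not visible here.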