Support

Ever since Joomla! 1.5 –released 18 (eighteen) years ago in 2007– the recommendation has been that extensions should place their static media files in a subdirectory of the media folder named after the extension. This has always been a security-focused recommendation. Do note that Joomla! 1.5 did not enforce the naming of the media subdirectory. Joomla 1.6/1.7/2.5 did enforce the naming of the media subdirectory and defaulted to it.

Ever since Joomla! 3.0 –released 13 (thirteen) years ago in 2012– the recommendation was upgraded to a reasonable expectation. In other words, it was reasonably expected and assumed that all extensions which are fully compatible with Joomla 3.x will follow this scheme for placing their media files in a correctly named media subdirectory. While one could work around that, it was strongly discouraged. The old methods for circumventing the use of a media subdirectory were marked as deprecated about ~8 years ago.

As of Joomla! 4.0 –released four and a half years ago in 2021– using a subdirectory of the media folder named after the extension is mandatory for all extensions as a very much intended consequence of introducing the WebAssetManager.

Since Joomla 4.2 –released in 2022– it is also mandatory for templates to place their static media files in a subdirectory of media/templates. This is an intended consequence of child templates.

Since Joomla 5.0 –released in 2023– deviation of these mandatory requirements is considered a show stopper bug of the extension. This is an intended consequence of the public folder feature being introduced. The code to work around the media subdirectory requirement was removed from Joomla.

Helix developers should have known that:

1. for the past 18 years (predating their template's existence) their system template should be putting its media files under media/plg_system_helixultimate.
2. for the past three years their template should be putting its static media files under media/templates/site/TEMPLATE_NAME where TEMPLATE_NAME is the name of the template (without the tpl_ prefix).

Their template is not following Joomla's standards. It violates the static media files placement requirement which is in place for very good security reasons.

The .htaccess Maker will only include default settings which allow extensions following Joomla's very reasonable security standards to function properly, without having to do any configuration changes. Extensions like Helix Ultimate which DO NOT follow Joomla's security standards will always require additional configuration.

Alternatively, JoomShaper should shape up (pun intended) their code so that it follows a Joomla standard that's been around longer than their company or, indeed, Admin Tools itself. If they do that then their template will work without any configuration change whatsoever to the out-of-the-box settings of the .htaccess Maker. It will also allow their users to create child templates, and it would allow them developers to deliver versions of their template compatible with newer Joomla releases faster as there would be one less security control in Joomla they have to figure out how to circumvent every single time there's a new Joomla version. In short, it's absolutely bonkers that for well over a decade they flat out refuse to fix their code to follow Joomla's standards.

Please do check my contributions to Joomla. You'll see I have written large parts of it, and even contributed to its architecture. I did not express an opinion. I gave you facts.

Download Joomla 1.5.0 from https://downloads.joomla.org/cms/joomla15 (note it was released early 2008, nearly eighteen years ago as I already said) and look at libraries/joomla/html/html.php. You will see that script(), stylesheet(), and image() all default to a media subdirectory. That's because the decision to use a separate media directory was taken twenty years ago, in the first Joomla meeting where what ultimately became Joomla 1.5 was planned. As you can see, at this stage it's a recommendation, not enforced.

Download Joomla 1.6.0 from https://downloads.joomla.org/cms/joomla25 (note it was released January 2011, nearly 15 years ago) and look at libraries/joomla/html/html.php. You see that the aforementioned methods now go through self::_includeRelativeFiles which enforces the media subdirectory for all extensions except templates, unless you specify an http:// or https:// URL. This change was made, as you can obviously tell, on purpose. Joomla went from "it's a good idea" to "you should REALLY be doing this". And I know this because I was very actively involved with Joomla at the time, and it's actually thanks to me that enough people banded together to do testing, report bugs, and get 1.6 released.

We have thus objectively established that Joomla has been asking extensions to use the media folder since Joomla 1.5.0 released eighteen years ago and upgraded it to "you should REALLY be doing that" since Joomla 1.6.0 fifteen years ago.

Since you claim to be active in Joomla then you obviously know that the WebAssetManager was introduced in Joomla 4.0.0 and REQUIRES having a media subdirectory for your extension as the path to the JSON manifest file is fixed to the extension's media subdirectory.

We have thus objectively established that Joomla is enforcing the media subdirectory requirement since Joomla 4.0.0 while still providing the old interface for compatibility reasons.

As you can see, I am not anyone to comply with a standard I pulled out of my arse. I am enforcing what Joomla requires. Enforcing Joomla's minimum security requirements for extensions is not unreasonable; it's the bare minimum I should be doing in a security extension.

You are asking me to NOT enforce Joomla's minimum security requirements. No. If I make an exception for one extension, I will have to make exceptions for all extensions. This would result in a product that does absolutely nothing.

I am not a snake oil salesman. If you want to buy sugar pills that cure all disease please look elsewhere. I am here to help willing people make their sites actually safer. I am not going to nerf my product and lose all credibility because a third party company can't be arsed to fix their code to follow the minimum Joomla security requirements for extensions for well over a decade.

Also note that I  am NOT removing your agency in any way, shape, or form. I am NOT forcing you to not use that third party extension. In fact, I am giving you all the necessary options to add exceptions for extensions which are written contrary to Joomla's minimum security requirements for extensions if YOU feel comfortable doing that on YOUR site. I have even documented it.

On the other hand, JoomShaper DOES NOT give you the option to run your sites in a secure way by refusing to follow Joomla's minimum security requirements for extensions for well over a decade.

This ticket is now closed with prejudice.