Summarizing, web2py is just an executable. It protects you by default from directory traversal attacks. Everything but the "static" folder is dynamically created by the executable. You may want to serve "static" with your webserver of choice to take the burden off web2py's shoulders, but ultimately the only thing needed is that the user running the executable is able to read and write in the web2py folder. If you're running a multi-tenant server with multiple users running multiple web2py processes, sorry, you NEED to be a sysadmin. If you're running just your site, you don't need to know anything else.

Ultimately, the executable needs to read everything in web2py, plus write in any of these folders:

- appname/cache --> if you use cache.disk
- appname/databases --> if you need to run migrations; with migrate=False it isn't needed
- appname/uploads --> if your app doesn't set another folder to upload files to for an "upload" Field not backed by a database
- appname/static --> if you use static file minification
- appname/sessions --> if you use disk-backed sessions
- appname/languages --> if you run any page for the first time and it has some T() strings that aren't there already (and didn't set )

If you want to see it reversed, the only places where web2py at runtime on production doesn't need write permissions in any scenario are:

- appname/models
- appname/controllers
- appname/views
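
An added example, not part of the original post or of web2py itself: a Python check of one app folder against the layout listed above, assuming a POSIX system and the folder names from the post. The names `audit_app` and `mode_allows_write` are hypothetical.

```python
import os
import stat
import sys

# Write requirements as listed in the post, keyed by app subfolder.
NEEDS_WRITE = {
    "cache": "cache.disk",
    "databases": "migrations (not with migrate=False)",
    "uploads": "upload fields using the default folder",
    "static": "static file minification",
    "sessions": "disk-backed sessions",
    "languages": "new T() strings seen at runtime",
}
# Folders the post says never need write access at runtime in production.
READ_ONLY = ("models", "controllers", "views")


def mode_allows_write(path, uid, gids):
    """Apply POSIX owner/group/other write bits for the given uid and gids.
    Root bypasses these bits, so audit for the unprivileged service user."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_app(app_dir, uid=None, gids=None):
    """Return sorted (folder, finding) pairs where permissions differ from the post's layout."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getgid()} if gids is None else set(gids)
    findings = []
    for name in READ_ONLY:
        path = os.path.join(app_dir, name)
        if os.path.isdir(path) and mode_allows_write(path, uid, gids):
            findings.append((name, "writable, but never needs to be at runtime"))
    for name, feature in NEEDS_WRITE.items():
        path = os.path.join(app_dir, name)
        if os.path.isdir(path) and not mode_allows_write(path, uid, gids):
            findings.append((name, "read-only; breaks " + feature))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_perms.py /path/to/web2py/applications/appname
    for folder, finding in audit_app(sys.argv[1]):
        print(folder + ": " + finding)
```

A "read-only" finding only matters if the app uses the feature named in it; pass the service account's `uid` and `gids` to audit for a user other than the one running the script.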