To me it looks like you haven't understood the purpose of the security check and the vulnerability it is protecting against.

Hi @brianteeman as i know, the security check is there to protect the installation from outside, right?

No it's much more than that

Of course @brianteeman , and there are also other checks. But this PR did just effect the dbhost check. And it would be very exotic if we check also the dbhost if the site ist http protected. So, why shouldn't we simplify it on protected installations?

Did now also added the changes for the documentation in my PR comment. Documentation in English and German if this help. If wished, we could write it to the official documentation site: https://docs.joomla.org/J3.x:Secured_procedure_for_installing_Joomla_with_a_remote_database

@SniperSister one for JSST to review

corrected Typo in Title.

@Didldu-Florian To me the idea looks ok but can we move that checks (all three) to a separate private method? That would keep the code simpler to understand as this checks should not all placed in the initialise method so we keep that small and simple to read. Thanks.

@zero-24 I'm glad you're okay with this. Did outsoureced the functionality for the checks to two new methods called checkHostSecurity() and checkSecurityFile(). Did also renamed some names called remoteDBFile to securityFile, because i think it is more understandable. Because we are at the InstallationModelDatabase so think its clear which file and it's more associated to the method names. And some improvements in the check order logic. Hope the community like it ;)

The new methodes are called during initialise()

// Save host checks
if ($this->checkHostSecurity($options) == false)
{
        $this->checkSecurityFile();
}

Hope it is more clear

This does not work as expected. The check can be skipped. The method initialise needs to return false in case of an error / not matching file ;)

@zero-24 sorry, can't repoduce your concerns. Did tested again and it works. By the, way, the method initialise returns JDatabaseDriver or false on failure. Same as it worked before my PR.
Can you describe your concern in more detail?

Please try hardset $statusCode = 401; or $statusCode = 200; at line 216 and be sure db_host is not localhost.

HTTP 200 >The securityFileCheck will be required.
HTTP 401 >The securityFileCheck will be skipped.

@Didldu-Florian yes that part is working (401 aka .htaccess)

but when the check should be done you can just hit "install" and it starts doing things. (even that it stop working on another issue)

Basically that check in the initialise method should make sure that the validation fails and the user can't go any step forward. For that reason initialise needs to return false when the checks did not match on a host where we require to check it ;)

@zero-24 Oh dear! You are right, that was lost during outsourcing methods. My fault.
Did fixed it with c0a90dd Now the logic is same as before on return.

@Didldu-Florian it it just allowed to return false in case there is a error ;)

Else you can't move forward as the method return void just before we try to setup the database ;)

// Save host checks
if ($this->checkHostSecurity($options) === false)
{
        if ($this->checkSecurityFile() === false)
        {
                return false;
        }
}

This should do the trick ?

@zero-24 Thanks, done ;)

I have just added the missing= for the typesafe check. Looks good from here than. (the issue @Quy mention should be fixed too)

@zero-24, @Quy __DEPLOY_VERSION__ added ;)

? thanks @Didldu-Florian

Replaced by PR #26840