Why is themes/ not in protected/?

Maybe I am missing something or doing it wrong in my app… but I don’t understand why views for the default theme are protected and the themes are not.

I mean, by default we have:



but… when theming, we have


I would say that theme views should go to protected/ as well.

I know that there is CThemeManager::basePath that can be changed, but I am asking here out of curiosity…:)

Oh really?

The themes are in the root because their assets need to be directly accessible via URL, like:


in my viewport

By default, code such as the default view/layout is better put in the protected directory, because anyone who knows Yii's package structure and naming can then easily guess files in such a folder.

By customer coding such as theming, much of the structure and naming is different in different themes and beyond the scope of basic security.

Perhaps the default view or theming is OK outside the protected folder; in other frameworks it can be added by YOURSELF.

Yii has CAssetManager, which is a Web application component that manages private files and makes them accessible to Web clients; that may be what you are looking for.

Themes are in the webroot because they contain web assets that need to be accessible with a web browser (CSS, JS, images, etc.). Views are in the same location to make themes consistent and allow easily moving a theme from one project to another (you just copy a single directory).

To make it more secure, you can put a .htaccess file in the views subdirectory of the theme with “Deny from all”, so view files won’t be accessible via HTTP request. The .htaccess file will work in Apache; for other web servers you will have to configure access restrictions elsewhere…

Yes. Really.

Obviously the assets need to be accessible, and that’s why I asked about VIEWS.

As I said before, without using themes, you have assets in /assets or outside /protected.

And you have the views inside protected.

So… the answer is there is no reason for this to be inconsistent, apart from putting it into one bag with the assets of the themes…

If your assets are in one part of the website and the views in another part, this beats the idea of theming, doesn’t it?

I mean, when you think of themes, you think of the entire suite, CSS + JS + images + views in a SINGLE place.

If it were up to me, your question makes no sense at all; you ask something obvious.

I can second the wish to use themes but have the theme views in protected. In my app, I have a default theme that’s oriented towards desktop users. However, it has turned out to be not so good on my Android phone, so I created a mobile theme, which for the most part is just a CSS file, but for the main view it would make sense to use a different view.

I ended up not using the built-in theme framework and instead have if-statements in my code that output the "default" theme in different ways depending on which theme is selected in my own theme selector component. This way I can add tweaks here and there to the HTML output while doing most of the customization in a CSS file in the usual place.

Why not add a .htaccess file in your theme/views folder to deny web access (if for browser users), or have a statement like:

<?php if(!defined('YII_PATH')) exit('No direct script access allowed!');?>

at the beginning of each view file?

Yii’s “protected” folder is “protected” by .htaccess, so there’s no reason why you wouldn’t do it for your theme views.

So, having said all this, once again, what’s the reason for not using themes if you really need them?
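
An added example, not part of any post in this thread: a small audit that checks each theme under a webroot `themes/` directory for the two mitigations suggested above, a deny-all `.htaccess` in the theme's `views` folder and the `YII_PATH` guard at the top of each view file. The `themes/<name>/views` layout, the function names, and the acceptance of Apache 2.4's `Require all denied` alongside the quoted `Deny from all` are assumptions of this example.

```python
"""Audit theme view folders for direct web exposure (added example)."""
import os
import re

# "Deny from all" is the form quoted in the thread; "Require all denied"
# is the Apache 2.4 equivalent (accepting it is an assumption of this example).
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
# The guard suggested in the thread: exit unless YII_PATH is defined.
GUARD_RE = re.compile(r"defined\s*\(\s*['\"]YII_PATH['\"]\s*\)")

def htaccess_denies(views_dir):
    """True if views_dir/.htaccess holds an uncommented deny-all directive."""
    path = os.path.join(views_dir, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [l for l in fh.read().splitlines() if not l.lstrip().startswith("#")]
    return bool(DENY_RE.search("\n".join(lines)))

def audit_themes(themes_root):
    """Return {theme: {"htaccess": bool, "unguarded": [view paths without guard]}}."""
    report = {}
    for theme in sorted(os.listdir(themes_root)):
        views = os.path.join(themes_root, theme, "views")
        if not os.path.isdir(views):
            continue
        unguarded = []
        for dirpath, _dirs, files in os.walk(views):
            for name in files:
                if not name.endswith(".php"):
                    continue
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(512)  # the guard belongs at the top of the file
                if not GUARD_RE.search(head):
                    unguarded.append(os.path.relpath(full, views))
        report[theme] = {"htaccess": htaccess_denies(views),
                         "unguarded": sorted(unguarded)}
    return report

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "themes"
    results = audit_themes(root) if os.path.isdir(root) else {}
    for theme, r in results.items():
        exposed = not r["htaccess"] and bool(r["unguarded"])
        print(f"{theme}: htaccess_deny={r['htaccess']} "
              f"unguarded={r['unguarded']} {'EXPOSED' if exposed else 'ok'}")
```

The `.htaccess` check only confirms the file's content; Apache honours it only when `AllowOverride` permits, and other web servers need the equivalent rule in their own configuration.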