Site Configuration

Adjusting the default settings

The Mara configuration is contained in the sitecfg/ directory under the site root. Since Mara is a file-based CMS, there is no need for any kind of site-specific database settings here. In fact, the defaults will work as they are for many purposes. The main configuration file is siteini.php, an ini-format file of the traditional kind. It is split into various sections, with each section header enclosed in square brackets. Items consist of parameter=value strings, one to a line.

<?php exit ?>
This PHP statement prevents the file's contents from being viewed with a browser.
[site]
salt=9553
Don't change this unless you know what you are doing.
sitename=mara
You should give your site a unique name. Alphanumeric characters and underscores only, no spaces, all lowercase. This is used as an identifier by some plugins, e.g. Disqus.
cookie=mara_cms
The cookie name should likewise be unique. Same requirements as for the sitename. If this setting is omitted, the sitename is used. The cookie created is a temporary session cookie, and is created in both viewing and admin/editing modes, although in viewing mode it performs no essential function. If the browser refuses the cookie, you will need to log in separately on every page you wish to edit.
theme=mytheme
Determines where the default theme will be loaded from. From v4 on, themes are stored under the theme/ directory, each having its own collection of files. There is thus no system default value now, and a valid default theme must be specified in siteini.php. The user may select any other available theme instead of the one you specify here, if the webmaster allows that option.
plugin=plugin
Determines the name of the plugin directory. The option to change this was mainly provided for the sake of hardening. Note that no extensive tests have been done with a non-default value.
default_extension=php
Determines the extension added to names of new files, when none is specified. The default for v4+ is php since this will work on the (dwindling number of) servers which do not support php code in standard html pages. In practice it is probably better to use .htm or .html as the page extension if your server's configuration supports it, since visitors are more familiar with this.
browser_cache=0
A value of 1 allows the client browser to cache javascript and css. This has little effect for site visitors, but will speed up the loading of the editing interface considerably. Ensure that caching is off whilst editing stylesheets or custom javascript, though, or you may see confusing results.
[security]
editkey=login
You add this to the site URL as ?login to enter administrative mode. It is a good idea to change this, since doing so adds to the security of the site, effectively creating a two-factor authentication requirement. Case sensitive, words and numbers allowed, must not contain spaces or punctuation other than an underscore.
keepalive=30
Determines how often a ping is sent to the server when in admin mode but no actual editing is taking place. Prevents timeouts from interfering with your work. Value in seconds. Zero turns the keepalive feature off. No pings are sent in viewing (site visitor) mode, only in editing mode.
timeout=120
Determines how long the server will keep the login alive, in seconds. If it doesn't hear from the client in this time, either in the form of data entry or a keepalive ping, it will log the user out. Should be longer than the keepalive interval. The shorter the timeout the more secure, but the more ping traffic needed. Too short an interval may cause nuisance disconnects on slow or unreliable networks. Zero turns the Mara timeout feature off, although the server may still impose its own session timeout as determined by php.ini. 
harvesting_protection=2
Determines how the online editor will handle situations where text entered into the page contains email addresses in a format vulnerable to harvesting by spammers. Allowed values are 0: No action, 1: Apply simple protection, 2: Refuse to save the page.
allowed_ips=
IP addresses from which site editing is permitted. These can be entered as a complete IPv4 address, or as a partial set of octets, e.g. 10.20.30 will allow any address from 10.20.30.0 to 10.20.30.254. An empty value allows all IP ranges.
prohibited_ips=
IPs or ranges from which editing is disbarred. Takes precedence over allowed ranges. See the Hardening section for more advice on this.
[menu]
mainmenu=tree.mnu
The menu file which is loaded into the lefthand* cascading menu.
* Unless your theme design places it differently, of course.
quicklinkmenu=quicklink.mnu
The menu file which is loaded into the top banner's cascading menu.
multiviews=0
When set to 1, this strips the extension (.htm, .html) from URLs submitted by the system menus. Intended for use in conjunction with the Apache Multiviews option. Note that if you turn this Mara option on without also activating Multiviews on the server, all menu links will generate 404s.
sidemenu_autoclose=0
If 1, the inactive sections of the side menu will close when a new section is opened, rather like most top menus do. Opinions may vary as to whether this is desirable on a side menu, or not. Therefore, your choice.
topmenu_timeout=5
The delay in seconds between a top dropdown menu section being opened, and it self-closing in the event of no menu activity. (Mouse hover constitutes menu activity, so the menu won't close if the user is thinking it over at length, only if the focus is elsewhere.)
; menu_separator=
Allows for an item separator other than = in menu files, since = may be required in URLs with parameters. Note that this has to be commented out with ; in order to set the default, since == is not a permitted value.
[editing]
add_shebang= [-1 | 0 | 1]
If 1, adds <?php include_once '[path_to_reflex.php]' ?> to the start of each page when creating from a template or saving in the editor. Useful where automatic prepending is not available. Now on by default, since this improves the likelihood of a fresh install of Mara working first time regardless of any idiosyncrasies of the hosting server.
site_editors=
List of named editors for this website. Can be overridden by the same meta option in any page <head> section.
site_editlevel=
The minimum permissions level required to edit pages.
The above two global options, in conjunction with their respective page <head> overrides, are mainly useful if you want to disallow editing of most of the site to ordinary users, but permit the editing of a few specific pages. Be aware that admins (privilege 5) don't have to be in the userlist, but can be barred from editing by setting the editlevel requirement higher than 5.
sourcecode_editlevel=3
The privilege level a user needs in order to use the page source and head-section editor. By default, anyone with full editor privilege.
inline_scripts=4
The privilege level needed to create or modify PHP or JavaScript programs (scripts) embedded in pages. Normally, only granted to site managers or above. Although a powerful tool, this privilege should not be granted lightly as it confers the ability to do all kinds of malicious things, even turning your server into a spam-sending robot, for example. By default, ordinary editors (level 3) can edit the page source, but any script tags they create (and their contents) will be silently deleted on writeback. Reduce this to 3 if you feel happy with allowing your standard editors to create scripts.
Note: Mara does not run scripts from the page head section, only the body.
file_restore=3
The privilege level needed to use the version-archive restore facility. Since this confers the ability to restore older versions of any site page, it should only be granted to trustworthy persons.
admin_upload_any=0
When 1, an admin (level 5) user is not constrained by the editor's rules on where files may be uploaded to, or what filetypes may be uploaded. Be aware that setting this on gives the remote user a lot of power to do damage, power which would seldom be needed in practice. Quick Image dialog uploads are always constrained to be images. In general you shouldn't rely too heavily on barring an admin from doing things, though, as for a superuser there are always ways around the ban. Instead, create a less-privileged account.
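
The allowed_ips and prohibited_ips rules described under [security] can be checked against your own address lists with the following Python sketch. It is an added example, not Mara's own code, and it assumes that multiple entries are separated by commas or whitespace, which this page does not specify; all function names are hypothetical.

```python
import re

def parse_octets(text):
    """Turn '10.20.30' or '10.20.30.7' into a list of 1-4 integer octets."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(
            re.fullmatch(r"[0-9]{1,3}", p) and int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address or octet prefix: {text!r}")
    return [int(p) for p in parts]

def parse_list(value):
    # Assumption: entries are separated by commas and/or whitespace.
    return [parse_octets(e) for e in re.split(r"[,\s]+", value.strip()) if e]

def covers(entry, client):
    """Whole-octet comparison: entry 10.20.3 must not cover 10.20.30.7."""
    return client[:len(entry)] == entry

def naive_covers(entry_text, client_text):
    """String-prefix comparison, shown only to contrast with covers()."""
    return client_text.startswith(entry_text)

def editing_permitted(client_ip, allowed_ips="", prohibited_ips=""):
    client = parse_octets(client_ip)
    if len(client) != 4:
        raise ValueError("client address must be a complete IPv4 address")
    if any(covers(e, client) for e in parse_list(prohibited_ips)):
        return False  # prohibited ranges take precedence over allowed ones
    allowed = parse_list(allowed_ips)
    # An empty allowed_ips permits every address that is not prohibited.
    return not allowed or any(covers(e, client) for e in allowed)

# Constructed cases: (client, allowed_ips, prohibited_ips)
CASES = [
    ("10.20.30.7", "10.20.30", ""),            # inside the partial-octet range
    ("10.20.30.7", "10.20.3", ""),             # different third octet
    ("10.20.30.7", "10.20.30", "10.20.30.7"),  # prohibited wins
    ("203.0.113.9", "", ""),                   # empty allow list
]

if __name__ == "__main__":
    for client, allowed, prohibited in CASES:
        print(client, repr(allowed), repr(prohibited),
              editing_permitted(client, allowed, prohibited))
```

The second case is the one to watch when writing such a check by hand: comparing the entry and the address as plain strings would treat 10.20.3 as covering 10.20.30.7.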


All values have a default, as given above. The siteini.php file must exist or an error will be generated; however, it is not necessary for all settings to be present. Any not present will assume the default value. The syntax here is that of the classic ini file. Unlike PHP's own php.ini file, it does matter which section a given option is in. A setting placed in the wrong section will be ignored, and the default used instead. Values are never put inside quotes. Any quotes you place in a value field are part of the value itself. Leading and trailing spaces on values are ignored, so you can space the value from the = sign if you wish.
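
The syntax rules above make it easy to believe a hardening setting is active when it is not, for example when it sits in the wrong section. The following Python audit script is an added example, not part of Mara; it applies the section, default and whitespace rules from this page to a subset of the security-relevant options, and its function names and finding messages are hypothetical.

```python
GUARD = "<?php exit ?>"
# Security-relevant options and their defaults, as listed on this page.
DEFAULTS = {
    "security": {"editkey": "login", "keepalive": "30", "timeout": "120"},
    "editing": {"inline_scripts": "4", "admin_upload_any": "0"},
}

def parse_siteini(text):
    """Return (effective settings, findings) for the text of a siteini.php."""
    cfg = {name: dict(opts) for name, opts in DEFAULTS.items()}
    findings, section = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != GUARD:
        findings.append("first line is not the <?php exit ?> guard")
    for line in lines:
        if not line or line.startswith(";") or line == GUARD:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and key in cfg.get(section, {}):
            cfg[section][key] = value  # quotes, if any, stay part of the value
            continue
        home = next((s for s in DEFAULTS if key in DEFAULTS[s]), None)
        if sep and home:  # known option, wrong section: default still applies
            findings.append(f"{key} in [{section}] is ignored; it belongs in [{home}]")
    return cfg, findings

def audit(text):
    """Parse the file and flag the settings this page marks as sensitive."""
    cfg, findings = parse_siteini(text)
    sec, edit = cfg["security"], cfg["editing"]
    keepalive, timeout = int(sec["keepalive"]), int(sec["timeout"])
    if sec["editkey"] == "login":
        findings.append("editkey is still the default")
    if timeout == 0:
        findings.append("timeout=0 turns the Mara login timeout off")
    elif keepalive and timeout <= keepalive:
        findings.append("timeout is not longer than keepalive")
    if int(edit["inline_scripts"]) < 4:
        findings.append("inline_scripts below 4 lets lower-privilege editors embed scripts")
    if edit["admin_upload_any"] == "1":
        findings.append("admin_upload_any=1 lifts upload restrictions for admins")
    return findings

# Constructed sample file, not taken from a real site.
SAMPLE = ("<?php exit ?>\n[security]\neditkey = login\ntimeout=20\n"
          "inline_scripts=3\n[editing]\nadmin_upload_any=1\n")
```

Calling audit(SAMPLE) reports the misplaced inline_scripts line, the default editkey, the timeout shorter than the default keepalive of 30, and the admin_upload_any setting.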