Index: branches/5.1.x/system/.htaccess
===================================================================
diff -u -N -r14241 -r14360
--- branches/5.1.x/system/.htaccess	(.../.htaccess)	(revision 14241)
+++ branches/5.1.x/system/.htaccess	(.../.htaccess)	(revision 14360)
@@ -1,4 +1,6 @@
 <Files ~ "\.(php|php3|php.*|shtml|phtml|sql)$">
   order allow,deny
   deny from all
-</Files>
\ No newline at end of file
+</Files>
+
+RedirectMatch 404 /\.restricted(/|$)
\ No newline at end of file
Index: branches/5.1.x/core/kernel/utility/debugger.php
===================================================================
diff -u -N -r14323 -r14360
--- branches/5.1.x/core/kernel/utility/debugger.php	(.../debugger.php)	(revision 14323)
+++ branches/5.1.x/core/kernel/utility/debugger.php	(.../debugger.php)	(revision 14360)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: debugger.php 14323 2011-05-20 08:04:26Z alex $
+* @version	$Id: debugger.php 14360 2011-06-01 07:50:46Z alex $
 * @package	In-Portal
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license      GNU/GPL
@@ -331,7 +331,7 @@
 				$this->baseURL = PROTOCOL.SERVER_NAME.(defined('PORT') ? ':'.PORT : '').rtrim(BASE_PATH, '/').$kernel_path.'/utility/debugger';
 
 				// save debug output in this folder
-				$this->tempFolder = WRITEABLE . '/cache';
+				$this->tempFolder = defined('RESTRICTED') ? RESTRICTED : WRITEABLE . '/cache';
 			}
 
 			function mapLongError($msg)
Index: branches/5.1.x/core/kernel/utility/http_query.php
===================================================================
diff -u -N -r14325 -r14360
--- branches/5.1.x/core/kernel/utility/http_query.php	(.../http_query.php)	(revision 14325)
+++ branches/5.1.x/core/kernel/utility/http_query.php	(.../http_query.php)	(revision 14360)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: http_query.php 14325 2011-05-20 08:10:28Z alex $
+* @version	$Id: http_query.php 14360 2011-06-01 07:50:46Z alex $
 * @package	In-Portal
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license      GNU/GPL
@@ -729,9 +729,11 @@
 
 	function writeRequestLog($filename)
 	{
-		$folder_path = dirname(FULL_PATH.'/'.$filename);
-		if (is_writable($folder_path)) {
-			$fp = fopen(FULL_PATH.'/'.$filename, 'a');
+		$log_file = (defined('RESTRICTED') ? RESTRICTED : FULL_PATH) . '/' . $filename;
+
+		if ( is_writable( dirname($log_file) ) ) {
+			$fp = fopen($log_file, 'a');
+
 			if ($fp) {
 				$session =& $this->Application->recallObject('Session');
 				$user_id = $session->GetField('PortalUserId');
Index: branches/5.1.x/core/kernel/startup.php
===================================================================
diff -u -N -r14323 -r14360
--- branches/5.1.x/core/kernel/startup.php	(.../startup.php)	(revision 14323)
+++ branches/5.1.x/core/kernel/startup.php	(.../startup.php)	(revision 14360)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: startup.php 14323 2011-05-20 08:04:26Z alex $
+* @version	$Id: startup.php 14360 2011-06-01 07:50:46Z alex $
 * @package	In-Portal
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license      GNU/GPL
@@ -86,6 +86,10 @@
 		define('WRITEBALE_BASE', $vars['WriteablePath']);
 	}
 
+	if ( isset($vars['RestrictedPath']) ) {
+		define('RESTRICTED', FULL_PATH . $vars['RestrictedPath']);
+	}
+
 	if ($vars === false || count($vars) == 0) {
 		global $rootURL;
 		echo 'In-Portal is probably not installed, or configuration file is missing.<br>';
Index: branches/5.1.x/core/kernel/session/session.php
===================================================================
diff -u -N -r14263 -r14360
--- branches/5.1.x/core/kernel/session/session.php	(.../session.php)	(revision 14263)
+++ branches/5.1.x/core/kernel/session/session.php	(.../session.php)	(revision 14360)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: session.php 14263 2011-03-22 09:24:29Z alex $
+* @version	$Id: session.php 14360 2011-06-01 07:50:46Z alex $
 * @package	In-Portal
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license      GNU/GPL
@@ -354,7 +354,7 @@
 
 		// delete debugger ouputs left of deleted sessions
 		foreach ($session_ids as $session_id) {
-			$debug_file = WRITEABLE . '/cache/debug_@' . $session_id . '@.txt';
+			$debug_file = (defined('RESTRICTED') ? RESTRICTED : WRITEABLE . '/cache') . '/debug_@' . $session_id . '@.txt';
 			if (file_exists($debug_file)) {
 				@unlink($debug_file);
  			}
Index: branches/5.1.x/core/units/helpers/cat_dbitem_export_helper.php
===================================================================
diff -u -N -r14241 -r14360
--- branches/5.1.x/core/units/helpers/cat_dbitem_export_helper.php	(.../cat_dbitem_export_helper.php)	(revision 14241)
+++ branches/5.1.x/core/units/helpers/cat_dbitem_export_helper.php	(.../cat_dbitem_export_helper.php)	(revision 14360)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: cat_dbitem_export_helper.php 14241 2011-03-16 20:24:35Z alex $
+* @version	$Id: cat_dbitem_export_helper.php 14360 2011-06-01 07:50:46Z alex $
 * @package	In-Portal
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license      GNU/GPL
@@ -915,7 +915,7 @@
 		{
 			static $first_time = true;
 
-			$fp = fopen(FULL_PATH.'/sqls.log', $first_time ? 'w' : 'a');
+			$fp = fopen((defined('RESTRICTED') ? RESTRICTED : FULL_PATH) . '/sqls.log', $first_time ? 'w' : 'a');
 			fwrite($fp, $msg."\n");
 			fclose($fp);
 
Index: branches/5.1.x/core/kernel/application.php
===================================================================
diff -u -N -r14348 -r14360
--- branches/5.1.x/core/kernel/application.php	(.../application.php)	(revision 14348)
+++ branches/5.1.x/core/kernel/application.php	(.../application.php)	(revision 14360)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: application.php 14348 2011-05-23 08:02:12Z alex $
+* @version	$Id: application.php 14360 2011-06-01 07:50:46Z alex $
 * @package	In-Portal
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license      GNU/GPL
@@ -2755,7 +2755,7 @@
 	{
 		if (defined('SILENT_LOG') && SILENT_LOG) {
 			if ( !(defined('DBG_IGNORE_STRICT_ERRORS') && DBG_IGNORE_STRICT_ERRORS && defined('E_STRICT') && ($errno == E_STRICT)) ) {
-				$fp = fopen(FULL_PATH.'/silent_log.txt','a');
+				$fp = fopen((defined('RESTRICTED') ? RESTRICTED : FULL_PATH) . '/silent_log.txt', 'a');
 				$time = adodb_date('d/m/Y H:i:s');
 				fwrite($fp, '['.$time.'] #'.$errno.': '.strip_tags($errstr).' in ['.$errfile.'] on line '.$errline."\n");
 				fclose($fp);
Index: branches/5.1.x/core/install.php
===================================================================
diff -u -N -r14241 -r14360
--- branches/5.1.x/core/install.php	(.../install.php)	(revision 14241)
+++ branches/5.1.x/core/install.php	(.../install.php)	(revision 14360)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: install.php 14241 2011-03-16 20:24:35Z alex $
+* @version	$Id: install.php 14360 2011-06-01 07:50:46Z alex $
 * @package	In-Portal
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license      GNU/GPL
@@ -99,6 +99,7 @@
 		 */
 		var $writeableFolders = Array (
 			'$1',
+			'$1/.restricted',
 			'$1/images',
 			'$1/images/pending',
 			'$1/images/emoticons', // for "In-Bulletin"
@@ -167,12 +168,17 @@
 				$this->writeableFolders[] = $this->toolkit->defaultWritablePath . '/config.php';
 			}
 
-			if (!$this->toolkit->getSystemConfig('Misc', 'WriteablePath')) {
+			if ( !$this->toolkit->getSystemConfig('Misc', 'WriteablePath') ) {
 				// set global writable folder when such setting is missing
 				$this->toolkit->setSystemConfig('Misc', 'WriteablePath', $this->toolkit->defaultWritablePath);
 				$this->toolkit->SaveConfig(true); // immediately save, because this path will be used in Application later
 			}
 
+			if ( !$this->toolkit->getSystemConfig('Misc', 'RestrictedPath') ) {
+				$this->toolkit->setSystemConfig('Misc', 'RestrictedPath', $this->toolkit->getSystemConfig('Misc', 'WriteablePath') . DIRECTORY_SEPARATOR . '.restricted');
+				$this->toolkit->SaveConfig(true);
+			}
+
 			$this->currentStep = $this->GetVar('step');
 
 			// can't check login on steps where no application present anyways :)