php to limit included file to access below and upon directory tree

I am trying to find solution for this problem for days.

I have structure like this.

  index.php
  /app
  /plugins/
  /users/%site%/functions.php 
               /other stuff

all requests goes to index.php which loads application in /app and plugins in /plugins.

in similar manner to wordpress application loads functions.php for each site.

I need to limit all code in function.php to access only directory structures above, and i have tried with dynamic ini set for open_basedir, just before functions.php loading, but problem is that application start running after functions.php, and loading everything from plugins and core via actions in hooks (again like in wordpress).

Problem is because whole app is OOP with composer dependencies, and plugins must be comptabile with composer, so composer just load autoloader for classes and then after functions.php when in some hook we have attached new SomeClassFromPlugin it actually tries to load class from directory from autoloader.

I need to have structure like this, because it is needed to plugins and core have “closed” code, and that users in similar manner to plugins can modify actions and hooks from functions php, but functions.php must be security safe from everything, and like sandbox.

Application must be compatible with hhvm and is running with user nginx (no multiuser)

Is there real solution or i must handle with obscurification of directory structure, but than again it is not enough, user can simply scandir(‘../..’..’)

i am running centos -> nginx -> hhvm (fastcgi) -> php

Answer

location ~* /plugins/.*.php$ {
    deny all;
}

location ~* /users/%site%/*.php$ {
    deny all;
}

location ^~ /plugins/ {
}

Attribution
Source : Link , Question Author : Dejan Milosevic , Answer Author : Community