I just googled your post and found this..... I hope it helps......
Protecting Content Editors From Themselves
Say you put together a nice, static site for a client. There's a lot of CSS, a fair amount of scripting (in whatever language — we'll assume PHP here), a handful of images, and a lot of HTML. The client is going to manage the site with a WYSIWYG editor.
What's the biggest danger to your site? The person you hand it over to, of course. Invariably, they'll get into files they shouldn't, delete images they shouldn't, or embark on CSS "upgrades" that they shouldn't.
Shortly thereafter, you'll get a call that begins, "The site doesn't look right..."
How do you prevent this? Well, with a lot of hosts, you can finagle a few ways to prevent them from messing with things they shouldn't by using additional FTP users and some Apache directives.
Many *nix-based Web hosting companies will allow you to set up additional FTP users with their own FTP directories. I'm going to use Plesk in this example, because that's the platform we use at Gadgetopia. Other systems have similar ends, but the file paths will be different.
Consider this structure for a virtual host:
/
    httpdocs
    conf
    cgi-bin
    web_users
        editor
"/" is the root of the Apache virtual host. The master FTP account logs into this directory. There are a lot of things in here that you don't want messed with: the virtual host configuration files in "conf," and the Perl scripts in "cgi-bin," to name but two.
With Plesk, when you create a new FTP user, they get a directory in "web_users." In this instance, we've created "editor." This user's files would be accessible with a URL of "www.site.com/~editor/". The "editor" directory, then, is their own virtual root.
Let's say that our site has 10 HTML pages. When you're done developing everything, put these pages in the "web_users/editor" directory instead of the virtual root and give your editor FTP credentials to that directory only.
Then, in the configuration file for the virtual root, add some lines like this:
Alias /about_us.html [...]/web_users/editor/about_us.html
("[...]" would be replaced with the path to the Apache virtual root, be it "/home/httpd/vhosts/domain_name" as with Plesk or whatever.)
This means, when a visitor requests the "About Us" page, Apache pulls it from the "editor" directory — to which the user has all rights.
(Yes, this page can also be accessed like this:
/~editor/about_us.html
If that stresses you out, this directive...
AliasMatch ^/~editor/.*$ /doesnt_exist.html
...will send direct requests to the editor directory spinning off into 404 land. An ugly, but effective, solution.)
To manage the HTML content, the editor will FTP into the "editor" directory (they'll be deposited there when they use their credentials) and see only the HTML files in there. The "editor" directory will be the "top" directory the editor can get to. The editor won't see any of the PHP files you use to make the site run, nor will he or she be able to get into the cgi-bin, the configuration directory, the SSL source directory, etc.
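As an added example (not part of the quoted article, and not Plesk tooling), this shell function generates the per-page Alias lines from the files actually present in the editor's directory. The name gen_aliases and its single argument are assumptions; because the editor controls the filenames over FTP, it emits directives only for regular files with conservative names.

```shell
#!/bin/sh
# Added example: build the Apache directives described above.
# gen_aliases is a hypothetical helper name.
#   $1 = absolute path of the editor's FTP directory (.../web_users/editor)
gen_aliases() {
    editor_dir=$1
    for f in "$editor_dir"/*.html; do
        name=${f##*/}
        # Filenames are chosen by the editor, so treat them as untrusted:
        # accept letters, digits, "_", "." and "-" only. The rejected name
        # is deliberately not echoed into the generated configuration.
        case $name in
            *[!A-Za-z0-9_.-]*|.*)
                echo "# skipped one entry with an unsafe name: review manually"
                continue ;;
        esac
        # Regular files only: no symlinks or directories named *.html.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "# skipped (not a regular file): $name"
            continue
        fi
        # One site-root URL per page, served from the editor's directory.
        echo "Alias \"/$name\" \"$editor_dir/$name\""
    done
    # Send direct requests for the user-directory URL to a missing file (404).
    echo 'AliasMatch ^/~editor/.*$ /doesnt_exist.html'
}
```

Review the output before pasting it into the virtual host configuration, and regenerate it whenever the editor adds or renames a page.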