Support

You were very close but not close enough :) On the Configure WAF pages you need to do two things.

First, in the List of allowed tmpl= keywords add preview Why? Look at the URL. The parameter there reads tmpl=preview hence the name of the Joomla! rendering template you need to use.

Second, set "Block template=foo site template switch" to No. Why? Look at the URL again. The template used is template=templatecreatorck which is a virtual template: it doesn't really exist as a template on your site. Therefore we cannot use the simpler and safer "Allow site templates" option.

Good God! I thought that Cedric would have known better

I would urge you to ask Cedric to fix this issue. There are several ways for him to fix this:

• The downloads of the tck3z files must go through a Joomla! controller, not directly through the browser. Preferred for security reasons.
• The files must be placed in a subfolder of the the media/com_templateck folder.

I STRONGLY recommend the first option. The way the extension is written right now means that anyone can download the file from your site as long as they know the name. Considering that the name of the file is also the name of the template, visible in the source code of your site, it's not that hard to guess.

In the meantime you could, of course, do as he says. In the .htaccess Maker add
components/com_templateck/projects
(note that you must use forward slashes) to the list of directories where all files, except .php, are allowed. Remember to regenerate the .htaccess file. I just don't recommend it because of the obvious security / privacy implications.

Maybe ask Cedric to email me? I can't find his email :/

Thank you!