No error when /config, /tmp, etc. are not accessible through the browser
False-positive "required private directories" error in System Check when access to /config, etc. is prohibited, but app is behind SAML auth w/ LoginLdap's web server auth enabled.
System Check should only show the "required private directories" error if the requested directories/files are returned.
I'm running Matomo with the LoginLdap plugin for user management, and using Okta SAML auth via mod_auth_mellon (Apache) to set REMOTE_USER. mod_auth_mellon redirects to an Okta login page. Presumably the system check is assuming any 200 response means the requested file (/config/config.ini.php, etc.) is exposed through the web.
@grandpaslab Thanks for reporting this issue. I'm not sure if it would be easy to automatically handle such specific setups correctly.
In your case maybe it makes more sense to simply disable the diagnostic check by setting the config value