Improve vendor permissions fix

Vendor has executable file so let's only remove permissions for other users and fix ownership. See README for more info.
Metadrop · May 8, 2023 · 3bb7845 · 3bb7845
1 parent a796544
commit 3bb7845
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -83,9 +83,23 @@ folders.
 If there are content folders outside the Drupal root folder you can use the
 `--files-path` option and the script will take care of it.
 
+## Vendor folder
+
 If a `vendor` folder and a `composer.json` file are detected in the parent
 folder of the Drupal root the script assumes the `vendor` folder is a code
-folder and fixes permissions accordingly.
+folder and fixes permissions accordingly: it fixes ownership (owner: deploy
+user, group: web server) and removes any permissions for other users.
+
+It doesn't apply standard permissions of code files because in `vendor` folders
+there are some files that needs to be executable. It would be hard to detect all
+the cases that needs executable permissions so the script doesn't handle
+permissions for the owner or the group and just removes all permissions for
+other users.
+
+In case of issues in the `vendor` folder, because the the script fixes ownership
+on the `vendor` folder, the deploy user should able to run `composer
+install` and let composer set the correct permissions. Later, the script can be
+run again to remove all permissions on other users.
 
 ## Performance
 

diff --git a/drupal_fix_permissions.sh b/drupal_fix_permissions.sh
@@ -196,20 +196,20 @@ function fix_code_permission_helper() {
   case $simulate in
     0)
     # Real action.
-    find "$1" $detected_vendor_path \( -path "$1"/sites/*/$file_folder_name -prune \) -o \( -path "$1"/sites/*/$private_folder_name -prune \) -o \( -type $2 ! -perm $3 -print0 \) | xargs -r -0 -L4 chmod $3
+    find "$1" \( -path "$1"/sites/*/$file_folder_name -prune \) -o \( -path "$1"/sites/*/$private_folder_name -prune \) -o \( -type $2 ! -perm $3 -print0 \) | xargs -r -0 -L4 chmod $3
     ;;
 
     1)
     # Simulate.
-    num=$(find "$1" $detected_vendor_path \( -path "$1"/sites/*/$file_folder_name -prune \) -o \( -path "$1"/sites/*/$private_folder_name -prune \) -o \( -type $2 ! -perm $3 -print \) | wc -l)
+    num=$(find "$1" \( -path "$1"/sites/*/$file_folder_name -prune \) -o \( -path "$1"/sites/*/$private_folder_name -prune \) -o \( -type $2 ! -perm $3 -print \) | wc -l)
     printf "\n    Code items with wrong permissions: $num"
     ;;
 
     2)
     # Simulate verbosely.
     printf "\n    Code files and directories that would have their permissions fixed: "
     # Use a variable to indent output.
-    items=$(find "$1" $detected_vendor_path \( -path "$1"/sites/*/$file_folder_name -prune \) -o \( -path "$1"/sites/*/$private_folder_name -prune \) -o \( -type $2 ! -perm $3 -print \))
+    items=$(find "$1" \( -path "$1"/sites/*/$file_folder_name -prune \) -o \( -path "$1"/sites/*/$private_folder_name -prune \) -o \( -type $2 ! -perm $3 -print \))
     items=${items:-None}
     printf "\n      ${items//$'\n'/$'\n'      }\n"
     ;;
@@ -268,6 +268,16 @@ function fix_code_permissions() {
   printf "\n  Setting permissions on code files to $code_file_perms under '$name'"
   fix_code_permission_helper "$1" f "$code_file_perms"
 
+
+  if [ ! -z "$detected_vendor_path" ]
+  then
+    printf "\n  Setting permissions on vendor code directories to $code_dir_perms under '$detected_vendor_path'"
+    fix_code_permission_helper "$detected_vendor_path" d "$code_dir_perms"
+
+    printf "\n  Removing all permissions on vendor code files to other users ($vendor_code_file_perms) under '$detected_vendor_path'"
+    fix_code_permission_helper "$detected_vendor_path" f "$vendor_code_file_perms"
+  fi
+
 }
 
 
@@ -368,6 +378,7 @@ fi
 # content files).
 code_dir_perms='u=rwx,g=rx,o='
 code_file_perms='u=rw,g=r,o='
+vendor_code_file_perms='o='
 content_dir_perms="u=rwx,g=rw${group_executable_mode},o="
 content_file_perms='ug=rw,o='