Problem/Motivation

Users are encouraged to modify their .htaccess file directly in a comment in that same file; since this comment has been in place for a while, people are used to doing it. Unfortunately, this sort of modification is erased during Drupal updates (e.g. when running drupal pm-update), and with the introduction of the Drupal Composer Scaffold tool, composer install also puts these files in danger of being overwritten. See #3092563: Avoid overwriting .htaccess changes during scaffolding > security problem for some of the implications of this.

It would be desirable if we could start guiding users towards a more modern, Composer-based way to manage their .htaccess and robots.txt customizations. The Drupal Composer Scaffold tool provides patching and append/prepend features to make these changes easier to maintain, for example.

Proposed resolution

Add two examples to drupal/recommended-project:

  1. Prepend to robots.txt
  2. Patch .htaccess

These examples should not be added to the legacy project for now, as that is used to generate downloaded tarballs.

Remaining tasks

The scaffold files in drupal/core should say "do not modify these files", rather than the patch file / prepend file in the template.

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet

tbd

CommentFileSizeAuthor
#27 interdiff-3095214_16-25.txt4.22 KBbhanu951
#16 interdiff_3-16.txt1.73 KBravi.shankar
#16 3095214-16.patch7.19 KBravi.shankar
#3 2-to-3-interdiff.txt4.56 KBgreg.1.anderson
#3 3095214-3.patch7.19 KBgreg.1.anderson
#2 3095214-2.patch4.18 KBgreg.1.anderson

Issue fork drupal-3095214

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

greg.1.anderson created an issue. See original summary.

greg.1.anderson’s picture

greg.1.anderson commented
Status: Active » Needs review
StatusFileSize
new 3095214-2.patch4.18 KB

Here's the rough idea.

greg.1.anderson’s picture

greg.1.anderson commented
StatusFileSize
new 3095214-3.patch7.19 KB
new 2-to-3-interdiff.txt4.56 KB

Cleaned up #2 and gave it some proper documentation. With this, users who start with drupal/recommended-project will have a fighting chance at being able to manage their .htaccess and robots.txt customizations without issue.

nickdickinsonwilde’s picture

nickdickinsonwilde
He/Him/His
Primary language English
Location Victoria, BC (T'So-uke lands)
commented
Status: Needs review » Reviewed & tested by the community

Seems pretty clear and covers the most common use cases.
+1

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Issue tags: +DrupalSouth 2019
mradcliffe’s picture

mradcliffe
he/him
Primary language English
commented

Questions:

  1. +++ b/composer/Plugin/Scaffold/README.md
@@ -109,8 +114,8 @@ Sometimes, a project might wish to use a scaffold file provided by a dependency,
+The example below shows a project that prepends additional entries onto the ¶

    Is there a trailing white space here or is it dreditor? 

  2. +++ b/composer/Plugin/Scaffold/README.md
@@ -135,10 +140,24 @@ to patch the `.htaccess` file using a patch.
+      "cd web && patch -p1 < ../scaffold-modifications/htaccess.patch"

    Would doing the following work as well for non-VCS?

    cd web && cp ../scaffold-modifications/.htaccess ./ 

  3. +++ b/composer/Plugin/Scaffold/README.md
@@ -135,10 +140,24 @@ to patch the `.htaccess` file using a patch.
+- Use a git clone of a Composer-managed site.
+- Create a directory `scaffold-modifications` at the project root.
+- Go to the scaffold assets directory via `cd core/assets/scaffold/files`.
+- Edit the `htaccess` file there, and insert your desired modifications.
+- Create the patch via `git diff htaccess > htaccess.patch`.
+- Move the `htaccess.patch` file into `scaffold-modifications` in your site.
+- Remove your modifications via `git checkout -- htaccess`.
+- Copy the example script command above into your project's composer.json file.

    Do these create a hidden dependency on git?

greg.1.anderson’s picture

greg.1.anderson commented

1. There is trailing whitespace on that line.

2. The suggested technique would work, but it is not a good idea. If you want to replace the entire file, you should just make the scaffold file unmanaged (set its path to FALSE) and commit your modified file. Patching is preferred because you will continue to get updates to the file when it changes in the upstream. If the patch fails to apply, you get an error. With full replacement, you do not get any warning when the upstream changes; you just miss out on the updates (until you notice yourself).

3. There is no dependency on git. There is a requirement to use git if you want to follow the instructions in the documentation, but once you have made your patch, there is no further need for git, as the patch is applied with the "patch" command. We could provide instructions on how to create a patch with "diff", but the instructions would be more complicated.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Needs work 
  1. +++ b/composer/Plugin/Scaffold/README.md
@@ -109,8 +114,8 @@ Sometimes, a project might wish to use a scaffold file provided by a dependency,
+The example below shows a project that prepends additional entries onto the ¶

    Additional space on the end of the line 

  2. +++ b/composer/Template/RecommendedProject/scaffold-modifications/htaccess.patch
@@ -0,0 +1,57 @@
++  ## If your site can be accessed both with and without the 'www.' prefix, you
++  ## can use one of the following settings to redirect users to your preferred
++  ## URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
++  ##
++  ## To redirect all users to access the site WITH the 'www.' prefix,
++  ## (http://example.com/foo will be redirected to http://www.example.com/foo)
++  ## uncomment the following:
++  ## RewriteCond %{HTTP_HOST} .
++  ## RewriteCond %{HTTP_HOST} !^www\. [NC]
++  ## RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
++  ##
++  ## To redirect all users to access the site WITHOUT the 'www.' prefix,
++  ## (http://www.example.com/foo will be redirected to http://example.com/foo)
++  ## uncomment the following:
++  ## RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
++  ## RewriteRule ^ http%{ENV:protossl}://%1%{REQUEST_URI} [L,R=301]

    I'm not sure why the .patch file is double commenting these lines? 

  3. +++ b/composer/Template/RecommendedProject/scaffold-modifications/robots.txt.prepend
@@ -0,0 +1,6 @@
+## DO NOT MODIFY THIS FILE DIRECTLY. This file is managed by Composer, and
+## should not be edited in place.
+##
+## This header was prepended from the text file 'robots.txt.prepend'.
+## For more information on how to manage alterations to scaffold files, see:
+## https://github.com/drupal/core-composer-scaffold#altering-scaffold-files

    This is an odd one but I think once this lands all projects built on the recommended project template are going to have a scaffold-modifications directory with this file in it. The text in the file is telling you not to modify it when actually we want you to modify the robots.txt.prepend file.

    I think the files that should have this text are in core/assets/scaffold/files. Not sure we should be adding this text using Scaffold operations.

greg.1.anderson’s picture

greg.1.anderson commented

2. I double-commented the patched-in lines so that folks who examined the scaffold file in its target location could see that the lines had been changed by the patch.

3. You're right, we want the source location to say YES MODIFY THIS FILE, and the destination location to say DO NOT MODIFY THIS FILE. This implies that the warning message should be inserted by the scaffold tool. The problem with this is that we do not necessarily know whether the target file can be commented, or what the comment characters should be, etc.

Maybe we could make core/assets/scaffold/files/robots.txt.warning and core/assets/scaffold/files/htaccess.warning and so on, for as many scaffold files as we want to support warnings for. Then, after the post-scaffold hook, we could prepend the warning for any file that has a warning and was modified. If we want to do that, then we should postpone this issue on #3092563: Avoid overwriting .htaccess changes during scaffolding > security problem, as we would use the hashing improvements there to detect post-scaffold-hook changes.

I'm not sure what to say about always having a scaffold-modifications directory, as I view this as a net benefit of this patch. We could, perhaps, find a better name for it. It might also be worthwhile including a README.txt file in this directory with instructions on how to get rid of it.

greg.1.anderson’s picture

greg.1.anderson commented
Related issues: +#3103090: Avoid re-scaffolding unchanged files (and printing scaffold file information over and over)

Postponing on #3103090: Avoid re-scaffolding unchanged files (and printing scaffold file information over and over)

greg.1.anderson’s picture

greg.1.anderson commented
Status: Needs work » Postponed
greg.1.anderson’s picture

greg.1.anderson commented
Issue summary: View changes
Status: Postponed » Needs work

#3103090: Avoid re-scaffolding unchanged files (and printing scaffold file information over and over) has been committed to 8.9.x and 9.0.x. We could re-roll here and then continue to address the feedback in #8.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

karolus’s picture

karolus commented

Sorry if I'm late to this—but for SEO reasons, I do modify my robots.txt, in addition to having a robots_noindex.txt file.

Has it been resolved on how to do this properly with drupal-scaffold?

ressa’s picture

ressa
he/him
commented
Related issues: +#3151695: Dissuade users from editing .htaccess

This is a great idea. I recently created #3151695: Dissuade users from editing .htaccess in the same spirit.

ravi.shankar’s picture

ravi.shankar commented
StatusFileSize
new 3095214-16.patch7.19 KB
new interdiff_3-16.txt1.73 KB

Patch #3 is still applying on D-9.1.x.

I have addressed point 1 of comment #8.

Need work for remaining points of comment #8.

abaier’s picture

abaier commented

Should there also be an example/hint for drupal/legacy-project, regarding the directory structure and the "scripts" part?

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

pere orga’s picture

pere orga
Primary language Catalan
commented

Everything worked for me except this line:

+++ b/composer/Plugin/Scaffold/README.md
@@ -135,10 +140,24 @@ to patch the `.htaccess` file using a patch.
+      "cd web && patch -p1 < ../scaffold-modifications/htaccess.patch"

This worked instead:

patch -p1 < scaffold-modifications/htaccess.patch

I created the htaccess patch following the instructions in composer/Plugin/Scaffold/README.md

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Bhanu951 made their first commit to this issue’s fork.

Bhanu951 opened merge request !7020

bhanu951’s picture

bhanu951 commented
Status: Needs work » Needs review
Issue tags: -DrupalSouth 2019
StatusFileSize
new interdiff-3095214_16-25.txt4.22 KB

Rerolled patch 3095214-16.patch against 11.x branch and updated web-root directory to web in all places instead of mixed docroot and web , updated patch generation git command to include --no-prefix

needs-review-queue-bot’s picture

needs-review-queue-bot commented
Status: Needs review » Needs work

The Needs Review Queue Bot tested this issue.

While you are making the above changes, we recommend that you convert this patch to a merge request. Merge requests are preferred over patches. Be sure to hide the old patch files as well. (Converting an issue to a merge request without other contributions to the issue will not receive credit.)

bhanu951’s picture

bhanu951 commented
Status: Needs work » Needs review

Tests failed due to missing patch utility in the docker image. Hence setting to NR again.

git check-ignore 'vendor'
> post-drupal-scaffold-cmd: cd web && patch -p1 <
../scaffold-modifications/htaccess.patch
Executing command (CWD): cd web && patch -p1 <
../scaffold-modifications/htaccess.patch
sh: 1: patch: not found
Script cd web && patch -p1 < ../scaffold-modifications/htaccess.patch
handling the post-drupal-scaffold-cmd event returned with error code 127
Failed asserting that 127 matches expected 0.
smustgrave’s picture

smustgrave commented
Status: Needs review » Postponed

Seems this postponed on #3417586: Add the patch utilities back to the drupalci image

bhanu951’s picture

bhanu951 commented
Status: Postponed » Needs work
bhanu951’s picture

bhanu951 commented
Status: Needs work » Needs review
smustgrave’s picture

smustgrave commented
Status: Needs review » Needs work

Seems to have some test failures

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.