Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Even if you have $settings['skip_permission_hardening'] = TRUE;
in your settings.php
, SiteConfigureForm::buildForm()
will still call drupal_verify_install_file()
with the FILE_NOT_WRITABLE
flag on settings.php
and the settings directory. This is annoying for people deploying their settings.php with Git and defeats the purpose of the setting in the first place.
Proposed resolution
Add a check for Settings::get('skip_permissions_hardening')
to SiteConfigureForm::buildForm()
Comment | File | Size | Author |
---|---|---|---|
#30 | 2869916-30.patch | 4.36 KB | tstoeckler |
#30 | 2869916-30--tests-only.patch | 2.61 KB | tstoeckler |
#17 | 869916-11.patch | 3.86 KB | johnwebdev |
Comments
Comment #2
tstoecklerHere we go.
I wondered whether - if you have this setting set - it makes sense to display the message seen in the patch context in the first place. But I guess it can't hurt, so this is the minimally invasive patch. I don't mind changing the check to skip the message in this case.
Comment #4
lpeabody CreditAttribution: lpeabody commentedThis worked for me! Thanks.
Comment #5
larowlanWe need a test here, if you want it to stick around - thanks
Comment #7
borisson_Setting to NW based on #5.
Comment #8
msankhala CreditAttribution: msankhala as a volunteer and at Srijan | A Material+ Company commentedThere is no harm/misleading in displaying this message on
SiteConfigureForm
even if$settings['skip_permission_hardening'] = TRUE;
is set for people deployingsettings.php
with version control. Because this message is only going to be displayed at the time of installation only Because SiteConfigureForm is only being used at the time of installation. We can improve this warning message and mention about $settings['skip_permission_hardening'] setting and its purpose in this message. Thoguhts?Comment #9
johnwebdev CreditAttribution: johnwebdev commentedLet's see if i got this right...
Comment #10
johnwebdev CreditAttribution: johnwebdev commentedComment #13
johnwebdev CreditAttribution: johnwebdev commentedComment #14
johnwebdev CreditAttribution: johnwebdev commentedComment #17
johnwebdev CreditAttribution: johnwebdev commentedOk jeez. Sorry about that. This should pass.
Comment #18
johnwebdev CreditAttribution: johnwebdev commentedComment #20
johnwebdev CreditAttribution: johnwebdev commentedComment #21
borisson_This test looks really simple, great work! Removing the needs tests tag. I think this is sufficient but not setting to rtbc as I'm not sure if adding a new method to the InstallerTestBase class is the best solution.
Comment #22
tstoeckler@johndevman Thanks for writing the test, it looks good!
In general it's a best practice to provide an interdiff when working on multiple versions of a patch. See https://www.drupal.org/documentation/git/interdiff for more information.
In order to push this issue forward and since I was curious I generated the interdiffs in this case, but just as a hint for next time ;-)
The test-only patch in #9 is an interdiff from #2.
Now looking at #21 whether
postInstall()
is in fact needed.Comment #23
johnwebdev CreditAttribution: johnwebdev commented@tstoeckler Thanks!
@borisson_ @tstoeckler
Regarding TestInstallerBase::postInstall the reason was because of:
which chmods the folder before the actual tests are run. Perhaps it could be moved to the tearDown instead.
Comment #24
johnwebdev CreditAttribution: johnwebdev commentedComment #25
johnwebdev CreditAttribution: johnwebdev commentedComment #26
johnwebdev CreditAttribution: johnwebdev commentedComment #27
johnwebdev CreditAttribution: johnwebdev commentedComment #30
tstoecklerI was playing around with this as well. I think instead of adding an assertion after the end of the installation I think it makes more sense to add those right on the site configuration form which is where the changed code is run.
InstallerTestBase
already has the::setupSite()
method for exactly this purpose.That allowed me to leave
InstallerTestBase
untouched. I also added the reverse assertions (i.e. that the files are not writable) toInstallerTest
. Also since we are now testing right on the site where the "You can make the files non-writable now." message is shown, I added an assertion for that as well.Comment #31
tstoecklerOh right, and I also renamed the test file to *Test.php (The rename itself is not in the interdiff because PhpStorm was trying to be "smart" again...)
Comment #32
tstoecklerOh and I also replaced the deprecated function calls with the newer methods.
I also found #2958228: HTML output recording does not work for InstallerTestBase tests by the way, wouldn't mind a review ;-)
Comment #34
johnwebdev CreditAttribution: johnwebdev commentedThat looks more sensible to me. Great thinking. Can this be RBTC now?
Comment #35
tstoecklerThanks for the endorsement @johndevman! Maybe @borisson_ feels comfortable RTBCing now that there are no longer any changes in
InstallerTestBase
;-)Comment #36
borisson_Yes, I do feel more comfortable now. Great work @johndevman @tstoeckler!
Comment #37
alexpottCrediting @larowlan and @borisson_ for insisting on tests and making them clean.
Comment #38
alexpottCommitted and pushed 39183a2956 to 8.6.x and b8c3bcc7d2 to 8.5.x. Thanks!