Skip to content

test: automated coverage for bin/setup-permissions.sh#212

Merged
fabiodalez-dev merged 1 commit into
mainfrom
test/setup-permissions-script
Jul 3, 2026
Merged

test: automated coverage for bin/setup-permissions.sh#212
fabiodalez-dev merged 1 commit into
mainfrom
test/setup-permissions-script

Conversation

@fabiodalez-dev

@fabiodalez-dev fabiodalez-dev commented Jul 3, 2026

Copy link
Copy Markdown
Owner

Closes the gap where the 0.7.27 permissions fixer (bin/setup-permissions.sh) was only manually validated.

A shell test (tests/setup-permissions.test.sh) builds a throwaway mock install, runs the script, and asserts the result:

  • all writable data directories created;
  • code files 0644, shell scripts keep +x, .env stays 0640, data dirs group-writable;
  • nothing world-writable (no 777);
  • chown applied — to the current user, so the chown path is exercised without needing root;
  • idempotency (a second apply is a stable no-op);
  • both hard-exit guards (non-install directory, unknown --user).

Wired into the Code Quality job (runs on every push/PR). tests/ is export-ignore, so nothing changes in the release package. Verified locally: 12/12 pass.

Summary by CodeRabbit

  • Tests
    • Aggiunti nuovi controlli automatici per verificare il comportamento della configurazione dei permessi in vari scenari.
  • Chores
    • Aggiornata l’integrazione continua per eseguire un test aggiuntivo durante i controlli di qualità.
    • Adeguate le regole di esclusione per includere i file di test shell.

Closes the gap where the permissions fixer was only manually validated. A
shell test builds a throwaway mock install, runs the script, and asserts the
result: all writable data dirs created, code files 0644, shell scripts keep
+x, .env stays 0640, data dirs group-writable, nothing world-writable (no
777), chown applied (to the current user — exercises the chown path without
root), idempotency, and both hard-exit guards (non-install dir, unknown user).
Wired into the Code Quality job. Verified locally: 12/12 pass.
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Aggiunto un nuovo test suite shell (tests/setup-permissions.test.sh) che valida bin/setup-permissions.sh tramite scenari di guard, dry-run, apply e idempotenza. Aggiornato .gitignore per tracciare i file .test.sh in tests/. Integrato il test nel workflow CI ci-quality.yml.

Changes

Test shell per permessi

Layer / File(s) Summary
Test harness per setup-permissions.sh
tests/setup-permissions.test.sh, .gitignore
Nuovo script bash che crea una sandbox temporanea, testa sintassi, rifiuto di root/user invalidi, dry-run senza modifiche, apply con permessi/proprietario corretti e idempotenza; .gitignore aggiorna per tracciare i file tests/*.test.sh.
Integrazione CI
.github/workflows/ci-quality.yml
Nuovo step nel job quality esegue il test shell prima della rimozione di .env (eseguita sempre con if: always()).

Estimated code review effort: 2 (Simple) | ~10 minuti

Sequence Diagram(s)

Non applicabile: le modifiche riguardano solo test shell e configurazione CI, senza nuovi flussi multi-componente.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed Il titolo descrive bene la modifica principale: aggiunge copertura test automatizzata per bin/setup-permissions.sh.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch test/setup-permissions-script

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/setup-permissions.test.sh`:
- Around line 33-34: The temporary directory setup in the permissions test uses
a predictable /tmp fallback that can be raced, so remove the fallback from the
`mktemp` assignment in the test setup and let the test fail if `mktemp` cannot
create `SB`. Keep the rest of the directory creation logic that uses `SB`
unchanged so the test still prepares `bin`, `public`, `app/Support`,
`storage/backups`, and `vendor` under the newly created temp root.
- Around line 76-83: The writable-directory check in the permissions test is
incomplete and only covers a subset of the paths created by
bin/setup-permissions.sh. Update the loop in the test to assert the full
directory list handled by the setup script, using the existing writable-dir
verification block so regressions in paths like storage/calendar,
storage/sessions, storage/rate_limits, public/uploads/assets, and
public/uploads/archives/documents are caught in CI.
- Around line 102-103: The world-writable permissions check in the setup
permissions test is excluding storage/sessions via the grep filter, which can
hide a real 777 path. Update the check around the find/grep/head pipeline so it
reports the first world-writable match directly without filtering out
storage/sessions, and keep the existing ok/bad handling in the same test block.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 55c42432-9a89-412b-a41c-cc39bccd9342

📥 Commits

Reviewing files that changed from the base of the PR and between 7d4db9d and e094ad4.

📒 Files selected for processing (3)
  • .github/workflows/ci-quality.yml
  • .gitignore
  • tests/setup-permissions.test.sh

Comment on lines +33 to +34
SB="$(mktemp -d 2>/dev/null || echo /tmp/pinakes-perm-$$)"
mkdir -p "$SB/bin" "$SB/public" "$SB/app/Support" "$SB/storage/backups" "$SB/vendor"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Rimuovi il fallback prevedibile per le directory temporanee.

Il ramo || echo /tmp/...$$ rende il path predicibile e racy su /tmp. In questo test basta fallire se mktemp non riesce.

🔧 Correzione proposta
-SB="$(mktemp -d 2>/dev/null || echo /tmp/pinakes-perm-$$)"
+SB="$(mktemp -d "${TMPDIR:-/tmp}/pinakes-perm.XXXXXX")" || exit 1
@@
-BADDIR="$(mktemp -d 2>/dev/null || echo /tmp/pinakes-nope-$$)"
+BADDIR="$(mktemp -d "${TMPDIR:-/tmp}/pinakes-nope.XXXXXX")" || exit 1

Also applies to: 49-49

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/setup-permissions.test.sh` around lines 33 - 34, The temporary
directory setup in the permissions test uses a predictable /tmp fallback that
can be raced, so remove the fallback from the `mktemp` assignment in the test
setup and let the test fail if `mktemp` cannot create `SB`. Keep the rest of the
directory creation logic that uses `SB` unchanged so the test still prepares
`bin`, `public`, `app/Support`, `storage/backups`, and `vendor` under the newly
created temp root.

Source: Linters/SAST tools

Comment on lines +76 to +83
# 5a. writable dirs created
_missing=0
for d in storage/logs storage/cache storage/tmp storage/backups public/uploads \
public/uploads/copertine public/uploads/archives/covers data/dewey \
writable/uploads locale storage/uploads/plugins; do
[ -d "$SB/$d" ] || { _missing=1; echo " missing: $d"; }
done
[ "$_missing" -eq 0 ] && ok "all writable data directories created" || bad "some writable dirs missing"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Allinea la verifica dei writable dir alla lista completa dello script.

Qui controlli solo un sottoinsieme dei path creati da bin/setup-permissions.sh, quindi regressioni su directory come storage/calendar, storage/sessions, storage/rate_limits, public/uploads/assets o public/uploads/archives/documents passerebbero comunque in CI.

🧰 Tools
🪛 Shellcheck (0.11.0)

[info] 83-83: Note that A && B || C is not if-then-else. C may run when A is true.

(SC2015)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/setup-permissions.test.sh` around lines 76 - 83, The writable-directory
check in the permissions test is incomplete and only covers a subset of the
paths created by bin/setup-permissions.sh. Update the loop in the test to assert
the full directory list handled by the setup script, using the existing
writable-dir verification block so regressions in paths like storage/calendar,
storage/sessions, storage/rate_limits, public/uploads/assets, and
public/uploads/archives/documents are caught in CI.

Comment on lines +102 to +103
_ww="$(find "$SB" -perm -0002 2>/dev/null | grep -v '/storage/sessions' | head -1)"
[ -z "$_ww" ] && ok "nothing is world-writable (no 777)" || bad "world-writable path found: $_ww"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Non filtrare storage/sessions dal controllo -perm -0002.

Quel grep -v può nascondere un path world-writable reale e indebolisce proprio la garanzia “no 777” che il test deve far rispettare. Verifica direttamente il primo match trovato.

🔧 Correzione proposta
-_ww="$(find "$SB" -perm -0002 2>/dev/null | grep -v '/storage/sessions' | head -1)"
+_ww="$(find "$SB" -perm -0002 -print -quit 2>/dev/null)"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
_ww="$(find "$SB" -perm -0002 2>/dev/null | grep -v '/storage/sessions' | head -1)"
[ -z "$_ww" ] && ok "nothing is world-writable (no 777)" || bad "world-writable path found: $_ww"
_ww="$(find "$SB" -perm -0002 -print -quit 2>/dev/null)"
[ -z "$_ww" ] && ok "nothing is world-writable (no 777)" || bad "world-writable path found: $_ww"
🧰 Tools
🪛 Shellcheck (0.11.0)

[info] 103-103: Note that A && B || C is not if-then-else. C may run when A is true.

(SC2015)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/setup-permissions.test.sh` around lines 102 - 103, The world-writable
permissions check in the setup permissions test is excluding storage/sessions
via the grep filter, which can hide a real 777 path. Update the check around the
find/grep/head pipeline so it reports the first world-writable match directly
without filtering out storage/sessions, and keep the existing ok/bad handling in
the same test block.

@fabiodalez-dev fabiodalez-dev merged commit 2310fd6 into main Jul 3, 2026
6 checks passed
@fabiodalez-dev fabiodalez-dev deleted the test/setup-permissions-script branch July 3, 2026 10:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant