test: automated coverage for bin/setup-permissions.sh#212
Conversation
Closes the gap where the permissions fixer was only manually validated. A shell test builds a throwaway mock install, runs the script, and asserts the result: all writable data dirs created, code files 0644, shell scripts keep +x, .env stays 0640, data dirs group-writable, nothing world-writable (no 777), chown applied (to the current user — exercises the chown path without root), idempotency, and both hard-exit guards (non-install dir, unknown user). Wired into the Code Quality job. Verified locally: 12/12 pass.
📝 WalkthroughWalkthroughAggiunto un nuovo test suite shell ( ChangesTest shell per permessi
Estimated code review effort: 2 (Simple) | ~10 minuti Sequence Diagram(s)Non applicabile: le modifiche riguardano solo test shell e configurazione CI, senza nuovi flussi multi-componente. 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@tests/setup-permissions.test.sh`:
- Around line 33-34: The temporary directory setup in the permissions test uses
a predictable /tmp fallback that can be raced, so remove the fallback from the
`mktemp` assignment in the test setup and let the test fail if `mktemp` cannot
create `SB`. Keep the rest of the directory creation logic that uses `SB`
unchanged so the test still prepares `bin`, `public`, `app/Support`,
`storage/backups`, and `vendor` under the newly created temp root.
- Around line 76-83: The writable-directory check in the permissions test is
incomplete and only covers a subset of the paths created by
bin/setup-permissions.sh. Update the loop in the test to assert the full
directory list handled by the setup script, using the existing writable-dir
verification block so regressions in paths like storage/calendar,
storage/sessions, storage/rate_limits, public/uploads/assets, and
public/uploads/archives/documents are caught in CI.
- Around line 102-103: The world-writable permissions check in the setup
permissions test is excluding storage/sessions via the grep filter, which can
hide a real 777 path. Update the check around the find/grep/head pipeline so it
reports the first world-writable match directly without filtering out
storage/sessions, and keep the existing ok/bad handling in the same test block.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 55c42432-9a89-412b-a41c-cc39bccd9342
📒 Files selected for processing (3)
.github/workflows/ci-quality.yml.gitignoretests/setup-permissions.test.sh
| SB="$(mktemp -d 2>/dev/null || echo /tmp/pinakes-perm-$$)" | ||
| mkdir -p "$SB/bin" "$SB/public" "$SB/app/Support" "$SB/storage/backups" "$SB/vendor" |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Rimuovi il fallback prevedibile per le directory temporanee.
Il ramo || echo /tmp/...$$ rende il path predicibile e racy su /tmp. In questo test basta fallire se mktemp non riesce.
🔧 Correzione proposta
-SB="$(mktemp -d 2>/dev/null || echo /tmp/pinakes-perm-$$)"
+SB="$(mktemp -d "${TMPDIR:-/tmp}/pinakes-perm.XXXXXX")" || exit 1
@@
-BADDIR="$(mktemp -d 2>/dev/null || echo /tmp/pinakes-nope-$$)"
+BADDIR="$(mktemp -d "${TMPDIR:-/tmp}/pinakes-nope.XXXXXX")" || exit 1Also applies to: 49-49
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@tests/setup-permissions.test.sh` around lines 33 - 34, The temporary
directory setup in the permissions test uses a predictable /tmp fallback that
can be raced, so remove the fallback from the `mktemp` assignment in the test
setup and let the test fail if `mktemp` cannot create `SB`. Keep the rest of the
directory creation logic that uses `SB` unchanged so the test still prepares
`bin`, `public`, `app/Support`, `storage/backups`, and `vendor` under the newly
created temp root.
Source: Linters/SAST tools
| # 5a. writable dirs created | ||
| _missing=0 | ||
| for d in storage/logs storage/cache storage/tmp storage/backups public/uploads \ | ||
| public/uploads/copertine public/uploads/archives/covers data/dewey \ | ||
| writable/uploads locale storage/uploads/plugins; do | ||
| [ -d "$SB/$d" ] || { _missing=1; echo " missing: $d"; } | ||
| done | ||
| [ "$_missing" -eq 0 ] && ok "all writable data directories created" || bad "some writable dirs missing" |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Allinea la verifica dei writable dir alla lista completa dello script.
Qui controlli solo un sottoinsieme dei path creati da bin/setup-permissions.sh, quindi regressioni su directory come storage/calendar, storage/sessions, storage/rate_limits, public/uploads/assets o public/uploads/archives/documents passerebbero comunque in CI.
🧰 Tools
🪛 Shellcheck (0.11.0)
[info] 83-83: Note that A && B || C is not if-then-else. C may run when A is true.
(SC2015)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@tests/setup-permissions.test.sh` around lines 76 - 83, The writable-directory
check in the permissions test is incomplete and only covers a subset of the
paths created by bin/setup-permissions.sh. Update the loop in the test to assert
the full directory list handled by the setup script, using the existing
writable-dir verification block so regressions in paths like storage/calendar,
storage/sessions, storage/rate_limits, public/uploads/assets, and
public/uploads/archives/documents are caught in CI.
| _ww="$(find "$SB" -perm -0002 2>/dev/null | grep -v '/storage/sessions' | head -1)" | ||
| [ -z "$_ww" ] && ok "nothing is world-writable (no 777)" || bad "world-writable path found: $_ww" |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Non filtrare storage/sessions dal controllo -perm -0002.
Quel grep -v può nascondere un path world-writable reale e indebolisce proprio la garanzia “no 777” che il test deve far rispettare. Verifica direttamente il primo match trovato.
🔧 Correzione proposta
-_ww="$(find "$SB" -perm -0002 2>/dev/null | grep -v '/storage/sessions' | head -1)"
+_ww="$(find "$SB" -perm -0002 -print -quit 2>/dev/null)"📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| _ww="$(find "$SB" -perm -0002 2>/dev/null | grep -v '/storage/sessions' | head -1)" | |
| [ -z "$_ww" ] && ok "nothing is world-writable (no 777)" || bad "world-writable path found: $_ww" | |
| _ww="$(find "$SB" -perm -0002 -print -quit 2>/dev/null)" | |
| [ -z "$_ww" ] && ok "nothing is world-writable (no 777)" || bad "world-writable path found: $_ww" |
🧰 Tools
🪛 Shellcheck (0.11.0)
[info] 103-103: Note that A && B || C is not if-then-else. C may run when A is true.
(SC2015)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@tests/setup-permissions.test.sh` around lines 102 - 103, The world-writable
permissions check in the setup permissions test is excluding storage/sessions
via the grep filter, which can hide a real 777 path. Update the check around the
find/grep/head pipeline so it reports the first world-writable match directly
without filtering out storage/sessions, and keep the existing ok/bad handling in
the same test block.
Closes the gap where the 0.7.27 permissions fixer (
bin/setup-permissions.sh) was only manually validated.A shell test (
tests/setup-permissions.test.sh) builds a throwaway mock install, runs the script, and asserts the result:0644, shell scripts keep+x,.envstays0640, data dirs group-writable;777);--user).Wired into the Code Quality job (runs on every push/PR).
tests/isexport-ignore, so nothing changes in the release package. Verified locally: 12/12 pass.Summary by CodeRabbit