coldfrontlabs · ClassicCut · Aug 28, 2020 · Sep 2, 2020 · Dec 17, 2020 · finalhow
diff --git a/templates/drupal-fix-permissions.sh.erb b/templates/drupal-fix-permissions.sh.erb
@@ -75,7 +75,9 @@ if [ -z "${drupal_user}" ] || [[ $(id -un "${drupal_user}" 2> /dev/null) != "${d
 fi
 
 printf "Checking Drupal version at "${drupal_path}"... ";
-dversion=$(drush core-status --format=json --root=${drupal_path} | jq '."drupal-version"' --raw-output | awk -F. '{print $1}')
+dstatus=$(drush core-status --format=json --root=${drupal_path})
+dversion=$(echo $dstatus | jq '."drupal-version"' --raw-output | awk -F. '{print $1}')
+private_files_path=$(echo $dstatus | jq '."private"' --raw-output)
 printf "Detected: "
 
 # Check which version we have.
@@ -95,7 +97,7 @@ cd $drupal_path
 # Composer vendor.
 if [ -d "${drupal_path}/../vendor" ]; then
   # Since there's a parent folder, revoke other's privileges.
-  printf "Revoking 'other' user access to parent directory "${drupal_path}/.." \n" && \
+  printf "Revoking other user access to parent directory "${drupal_path}/.." \n" && \
   chmod -R o-rwx ${drupal_path}/.. &
   # Set the right permissions.
   printf "Grant access to apache to parent folder "${drupal_path}/.." \n" && \
@@ -104,21 +106,21 @@ if [ -d "${drupal_path}/../vendor" ]; then
   chmod u=rwx,g=rx,o= ${drupal_path}/..
   chmod u=rwx,g=rx,o= ${drupal_path}/../*
 
-  printf "Changing ownership of "vendor" directories in "${drupal_path}/../vendor" \n" && \
+  printf "Changing ownership of vendor directories in "${drupal_path}/../vendor" \n" && \
   chown -R ${drupal_user}:${httpd_group} ${drupal_path}/../vendor
   find ${drupal_path}/../vendor -type d ! -name . -exec chmod g=rx '{}' +
   chmod g=rx ${drupal_path}/../vendor
 
   if [ -d "${drupal_path}/../vendor/bin" ]; then
-    printf "Changing permissions of "vendor/bin" directories in "${drupal_path}/../vendor/bin" to "u+x"...\n" && \
+    printf "Changing permissions of vendor/bin directories in "${drupal_path}/../vendor/bin" to "u+x"...\n" && \
     chmod -R u+x ${drupal_path}/../bin &
   fi
 
 fi
 
 # Bin directories.
 if [ -d "${drupal_path}/../bin" ]; then
-  printf "Changing permissions of "bin" directories in "${drupal_path}/../bin" to "u+x"...\n" && \
+  printf "Changing permissions of bin directories in "${drupal_path}/../bin" to "u+x"...\n" && \
   chmod -R u+x ${drupal_path}/../bin &
   # Set the right permissions.
   printf "Grant access to apache to parent folder "${drupal_path}/.." \n" && \
@@ -129,7 +131,7 @@ fi
 
 # Composer.json file.
 if [ -f "${drupal_path}/../composer.json" ]; then
-  printf "Changing permissions of "composer.json" in "${drupal_path}/../" to "rw-r-----"...\n" && \
+  printf "Changing permissions of composer.json in "${drupal_path}/../" to "rw-r-----"...\n" && \
   chmod 640 ${drupal_path}/../composer.json
   chown ${drupal_user}:${httpd_group} ${drupal_path}/../composer.json
   # Set the right permissions.
@@ -145,7 +147,7 @@ fi
 
 # Load environment file.
 if [ -f "${drupal_path}/../load.environment.php" ]; then
-  printf "Changing permissions of "load.environment.php" in "${drupal_path}/../" to "rw-r-----"...\n" && \
+  printf "Changing permissions of load.environment.php in "${drupal_path}/../" to "rw-r-----"...\n" && \
   chmod 640 ${drupal_path}/../load.environment.php
   chown ${drupal_user}:${httpd_group} ${drupal_path}/../load.environment.php
   # Set the right permissions.
@@ -224,21 +226,39 @@ printf "Changing permissions of all directories inside "${drupal_path}" to "rwxr
 find . -type d -not -path "./sites/*/files" ! -name . -exec chmod u=rwx,g=rx,o= '{}' +
 chmod u=rwx,g=rx,o= $drupal_path
 
-printf "Changing permissions of "files" directories in "${drupal_path}/sites" to "rwxrwx---"...\n"
+printf "Changing permissions of files directories in "${drupal_path}/sites" to "rwxrwx---"...\n"
 
 cd sites
 
 # Todo: Ask drush where the files are and set the perms there.
-printf "Changing permissions of all files inside all "files" directories in "${drupal_path}/sites" to "rw-rw----"...\n" && \
-printf "Changing permissions of all directories inside all "files" directories in "${drupal_path}/sites" to "rwxrwx---"...\n" && \
+printf "Changing permissions of all files inside all files directories in "${drupal_path}/sites" to "rw-rw----"...\n" && \
+printf "Changing permissions of all directories inside all files directories in "${drupal_path}/sites" to "rwxrwx---"...\n" && \
 for x in ./*/files; do
   find ${x} -type d -exec chmod ug=rwx,o= '{}' +
   # Don't need to set non-directory perms as they're already set above.
 done
 
+
+# Set permissions on private files path.
+# Ask drush where the files directories are.
+cd $drupal_path
+if [ "$private_files_path" ] && [ -d "$private_files_path" ] && [[ "$private_files_path" == /var/www/* ]]; then
+  chown -R ${drupal_user}:${httpd_group} ${private_files_path} &
+  printf "Changing permissions of all files inside private files directory ${private_files_path} to rw-rw----...\n" && \
+  printf "Changing permissions of private files directory and all directories inside ${private_files_path} to rwxrwx---...\n" && \
+  chmod u=rwx,g=rwx,o= ${private_files_path}
+  find ${private_files_path} -type d -exec chmod u=rwx,g=rwx,o= '{}' +
+  find ${private_files_path} -not -type d -exec chmod u=rw,g=rw,o= '{}' +
+  # Restore SELinux modes for private files directory.
+  command_exists restorecon && \
+    printf "Restoring SeLinux file contexts for ${private_files_path}, please wait...\n" && \
+    restorecon -RF ${private_files_path} &
+fi
+
+
 # Check permissions for supporting directories.
 if [ "$dversion" -eq 7 ] && [ -d "${drupal_path}/sites/all/vendor/bin" ]; then
-  printf "Changing permissions of "vendor/bin" directories in "${drupal_path}/sites/all/vendor/bin" to "u+x"...\n" && \
+  printf "Changing permissions of vendor/bin directories in "${drupal_path}/sites/all/vendor/bin" to "u+x"...\n" && \
   chmod -R u+x ${drupal_path}/sites/all/vendor/bin &
 fi