Add Ansible role to fix Drupal file permissions

Add a new `drupal-permissions` Ansible role that resets the file and directory permissions to match the ones described in https://www.drupal.org/node/244924. This will later be released to Ansible Galaxy, but for now it will remain in this repository until the required changes are made and the appropriate documentation is added. Fixes #191
2020-09-04 20:19:00 +01:00 · 2020-09-04 20:19:00 +01:00 · 1781a2cf01
parent 9b26d772a8
commit 1781a2cf01
5 changed files with 44 additions and 12 deletions
--- a/.gitignore
+++ b/.gitignore
@ -12,7 +12,7 @@
 !/phpunit.xml.dist
 !/scripts/
 !/slides/
-!/tools/
+!/tools/**
 !/web/modules/custom/**
 !/web/sites/default/environments/settings.*.php
 !/web/sites/default/settings.php
--- a/tools/ansible/deploy/after-symlink-shared.yml
+++ b/tools/ansible/deploy/after-symlink-shared.yml
@ -1,10 +0,0 @@
---
- name: Setup directory permissions for files directories
-  become: true
-  file:
-    path: '{{ ansistrano_shared_path }}/{{ project_web_dir }}/sites/default/files'
-    state: directory
-    owner: www-data
-    group: root
-    mode: u=rwx,g=rw,o=
-    recurse: true
--- a/tools/ansible/deploy/after-update-code.yml
+++ b/tools/ansible/deploy/after-update-code.yml
@ -9,6 +9,10 @@
  include_role:
    name: opdavies.drupal_settings_files

+- name: Fix file permissions
+  include_role:
+    name: drupal-permissions
+
 - name: Clear Drush cache
  command: >
    {{ release_drush_path }}
--- a/tools/ansible/roles/drupal-permissions/tasks/main.yml
+++ b/tools/ansible/roles/drupal-permissions/tasks/main.yml
@ -0,0 +1,29 @@
+---
+- name: Set the permissions for each Drupal root directory.
+  file:
+    group: www-data
+    mode: ug=rX,o=
+    owner: "{{ drupal_permissions.user }}"
+    path: "{{ item.root }}"
+    recurse: true
+    state: directory
+  with_items: "{{ drupal_permissions.sites }}"
+
+- name: Set permissions for the defined settings files.
+  file:
+    mode: a-X
+    path: "{{ item.0.root }}/{{ item.1 }}"
+    state: file
+  with_subelements:
+    - "{{ drupal_permissions.sites }}"
+    - settings_files
+
+- name: Set permissions for the defined files directories.
+  file:
+    mode: ug=rwX,o=
+    path: "{{ item.0.root }}/{{ item.1 }}"
+    recurse: true
+    state: directory
+  with_subelements:
+    - "{{ drupal_permissions.sites }}"
+    - files_directories
--- a/tools/ansible/vars/deploy_vars.yml
+++ b/tools/ansible/vars/deploy_vars.yml
@ -9,7 +9,6 @@ ansistrano_shared_paths:
  - '{{ project_web_dir }}/sites/default/files'

 # Hooks
-ansistrano_after_symlink_shared_tasks_file: '{{ playbook_dir }}/deploy/after-symlink-shared.yml'
 ansistrano_after_update_code_tasks_file: '{{ playbook_dir }}/deploy/after-update-code.yml'
 ansistrano_before_symlink_tasks_file: '{{ playbook_dir }}/deploy/before-symlink.yml'

@ -21,6 +20,16 @@ release_drush_path: '{{ ansistrano_release_path.stdout }}/vendor/bin/drush'
 release_web_path: '{{ ansistrano_release_path.stdout }}/{{ project_web_dir }}'
 release_theme_path: '{{ release_web_path }}/themes/custom/opdavies'

+drupal_permissions:
+  sites:
+    - root: "{{ release_web_path }}"
+      files_directories:
+        - sites/default/files
+      settings_files:
+        - sites/default/settings.php
+        - sites/default/settings.local.php
+  user: root
+
 drupal_settings:
  - drupal_root: '{{ release_web_path }}'
    sites: