Skip to content

[GOVCMSCT2-121] CT PORT - Fast fact card #1402

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 20 commits into
base: develop
Choose a base branch
from
Open

[GOVCMSCT2-121] CT PORT - Fast fact card #1402

Show file tree
Hide file tree
Changes from 16 commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
9a257a1
[GOVCMSCT2-121] Added fact fact related fields and configuration and …
joshua-salsadigital Jul 25, 2025
006540b
Added config missign files.
joshua-salsadigital Jul 25, 2025
c9996b7
Fixed config related issue.
joshua-salsadigital Jul 25, 2025
bb9b364
[GOVCMSCT2-121] Fixed behat test.
joshua-salsadigital Jul 25, 2025
cf7d57f
[GOVCMSCT2-121] Updated machine name to civictheme_fast_fact_card.
joshua-salsadigital Jul 30, 2025
af9ecdc
[GOVCMSCT2-121] Added post update hook for civictheme_fast_fact_card.
joshua-salsadigital Jul 30, 2025
61dc9cc
[GOVCMSCT2-121] Fixed lint issue.
joshua-salsadigital Jul 30, 2025
ac0c3a1
[GOVCMSCT2-121] Fixed lint issue.
joshua-salsadigital Jul 30, 2025
29e985d
Merge branch 'develop' into feature/GOVCMSCT2-121
joshua-salsadigital Aug 14, 2025
76a1c3b
CivicTheme implementation to display a Fast Fact card. and bumped the…
joshua-salsadigital Aug 14, 2025
5c7b4f5
Updated behat test.
joshua-salsadigital Aug 14, 2025
6e76c02
Fixed Failing test.
joshua-salsadigital Aug 15, 2025
c8d8a55
Merge branch 'develop' into feature/GOVCMSCT2-121
joshua-salsadigital Aug 25, 2025
8b56da4
Merge branch 'develop' into feature/GOVCMSCT2-121
joshua-salsadigital Sep 3, 2025
5d08d07
Add Quant Cloud migration configuration
stooit Sep 14, 2025
15bd089
Add Quant Cloud migration configuration
stooit Sep 25, 2025
07daef1
Merge branch 'develop' into feature/GOVCMSCT2-121
joshua-salsadigital Oct 3, 2025
f966a90
Fixed quant merge conflict - diff-e65288356485a0927532b70464ad2d038d…
joshua-salsadigital Oct 3, 2025
406439c
Merge branch 'develop' into feature/GOVCMSCT2-121
richardgaunt Oct 8, 2025
a022720
Merge branch 'develop' into feature/GOVCMSCT2-121
joshua-salsadigital Oct 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .docker/cli.dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,3 +110,4 @@ RUN cd /app/web/themes/contrib/civictheme \
# Compile sub-theme assets.
RUN npm --prefix web/themes/custom/civictheme_demo install --no-audit --no-progress --unsafe-perm \
&& cd /app/web/themes/custom/civictheme_demo && npm run build
COPY .docker/entrypoints/cli/* /quant-entrypoint.d/
23 changes: 23 additions & 0 deletions .docker/config/nginx/location_drupal_prepend_host.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Set HTTP_HOST for PHP using canonical host from CDN headers
# Priority: HTTP_QUANT_ORIG_HOST > HTTP_X_FORWARDED_HOST > original Host header (preserving port)

# Default to the incoming Host header so non-standard ports stay intact (e.g. :8080)
set $final_host $http_host;

# Use X-Forwarded-Host when provided (reverse proxies)
if ($http_x_forwarded_host != "") {
set $final_host $http_x_forwarded_host;
}

# Override with Quant-Orig-Host when available
if ($http_quant_orig_host != "") {
set $final_host $http_quant_orig_host;
}

# Extract first host from comma-separated X-Forwarded-Host values
if ($final_host ~ "^([^,\s]+)") {
set $final_host $1;
}

# Always pass the calculated host; without override it matches the original Host header
fastcgi_param HTTP_HOST $final_host;
Comment on lines 7 to 23
Copy link
Contributor

@coderabbitai coderabbitai bot Sep 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Don't trust raw X-Forwarded-Host (host‑header injection risk).

Any client can send an X-Forwarded-Host header when hitting the origin directly. With this block we now overwrite HTTP_HOST for PHP with that value, effectively reviving classic host-header attacks (poisoned absolute URLs, password-reset links, cache poisoning, etc.). Unless we positively identify and trust the intermediary that injected the header (e.g., by IP allowlisting or a signed header), we must not consume it blindly.

Please either remove this fallback or constrain it to a vetted allowlist/sanitised value before passing it to PHP. At minimum, drop the direct assignment shown below until a trust mechanism is implemented.

-# Use X-Forwarded-Host when provided (reverse proxies)
-if ($http_x_forwarded_host != "") {
-    set $final_host $http_x_forwarded_host;
-}
🤖 Prompt for AI Agents 
In .docker/config/nginx/location_drupal_prepend_host.conf around lines 7-23, the
current logic blindly uses X-Forwarded-Host (and Quant-Orig-Host) to set
HTTP_HOST which introduces host‑header injection risks; remove the unconditional
override and instead only set $final_host from forwarded headers when the
request comes from a trusted intermediary (e.g., check remote_addr against a
proxy allowlist) or when the forwarded value matches an allowed/validated
hostname pattern or explicit whitelist, otherwise fall back to the original
$host; do not pass unvalidated forwarded headers to fastcgi_param HTTP_HOST
until you implement IP allowlisting or strict hostname validation.

52 changes: 52 additions & 0 deletions .docker/entrypoints/cli/00-fix-permissions.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
#!/bin/sh
set -e

# Fix EFS volume permissions based on lagoon.persistent labels
#
# Two approaches based on container configuration:
# 1. VOLUME_USER set: Use secure permissions with UID/GID 1000 (requires container remapping)
# 2. VOLUME_USER unset: Fall back to world-writable (777/666) for compatibility

echo "Fixing file permissions for EFS volumes..."

# Check if containers have been configured with UID/GID remapping
if [ -n "$VOLUME_USER" ]; then
echo "🔒 VOLUME_USER detected: Using secure permissions with UID/GID 1000"
echo " (Assumes containers remap www-data to UID/GID 1000 for EFS compatibility)"
PERMISSION_MODE="secure"
else
echo "⚠️ VOLUME_USER not set: Using world-writable permissions for compatibility"
echo " (Consider setting VOLUME_USER and remapping container users to UID/GID 1000)"
PERMISSION_MODE="compatible"
fi
Comment on lines 18 to 21
Copy link
Contributor

@coderabbitai coderabbitai bot Sep 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Gate world-writable fallback.

Avoid enabling 777/666 unless explicitly approved for the environment.

-    PERMISSION_MODE="compatible"
+    PERMISSION_MODE="compatible"
+    if [ "${ALLOW_WORLD_WRITABLE:-0}" != "1" ]; then
+      echo "   Skipping world-writable fallback (set ALLOW_WORLD_WRITABLE=1 to enable)."
+      exit 0
+    fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
echo "⚠️ VOLUME_USER not set: Using world-writable permissions for compatibility"
echo " (Consider setting VOLUME_USER and remapping container users to UID/GID 1000)"
PERMISSION_MODE="compatible"
fi
echo "⚠️ VOLUME_USER not set: Using world-writable permissions for compatibility"
echo " (Consider setting VOLUME_USER and remapping container users to UID/GID 1000)"
PERMISSION_MODE="compatible"
if [ "${ALLOW_WORLD_WRITABLE:-0}" != "1" ]; then
echo " Skipping world-writable fallback (set ALLOW_WORLD_WRITABLE=1 to enable)."
exit 0
fi
fi
🤖 Prompt for AI Agents 
.docker/entrypoints/cli/00-fix-permissions.sh around lines 18-21: the script
currently falls back to world-writable permissions unconditionally; change it to
require an explicit opt-in (e.g., ALLOW_WORLD_WRITABLE=true) before setting
PERMISSION_MODE="compatible", otherwise set a safer default (e.g., "restricted"
or specific 0755/0644) and emit a clear warning or fail fast; implement a simple
conditional that checks the opt-in environment variable, documents the behavior
in the log messages, and avoid applying 0777/0666 unless the opt-in flag is
present.


# Persistent volume paths from docker-compose lagoon.persistent labels
for path in "/app/web/sites/default/files/"; do
if [ -d "$path" ]; then
echo "Fixing permissions for: $path"

if [ "$PERMISSION_MODE" = "secure" ]; then
# Set secure directory permissions (755 = rwxr-xr-x)
find "$path" -type d -exec chmod 755 {} + 2>/dev/null || true

# Set secure file permissions (644 = rw-r--r--)
find "$path" -type f -exec chmod 644 {} + 2>/dev/null || true

echo "✓ Secure permissions applied: $path (dirs: 755, files: 644)"
else
# Compatible approach: World-writable fallback

# Make directories world-writable (since we can't chown to unknown web server user)
find "$path" -type d -exec chmod 777 {} + 2>/dev/null || true

# Make files world-readable/writable (since we can't chown to unknown web server user)
find "$path" -type f -exec chmod 666 {} + 2>/dev/null || true

echo "✓ Compatible permissions applied: $path (dirs: 777, files: 666)"
fi
else
echo "Path not found (may not be mounted yet): $path"
fi
done

echo "Permission fixing completed for 1 volumes ($PERMISSION_MODE mode)"
7 changes: 7 additions & 0 deletions .docker/entrypoints/cli/01-show-drevops-variables.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
#!/bin/sh
set -e

# Post-rollout task: Show DrevOps variables.
# Generated from .lagoon.yml

env -0 | sort -z | tr '\0' '\n' | grep ^DREVOPS_ || true
Copy link
Contributor

@coderabbitai coderabbitai bot Sep 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Avoid GNU-only flags; add portable fallback.

env -0 and sort -z aren’t available in BusyBox/Alpine by default; with set -e this may silently noop or fail.

-env -0  | sort -z | tr '\0' '\n' | grep ^DREVOPS_ || true
+if env -0 >/dev/null 2>&1; then
+  env -0 | tr '\0' '\n' | sort | grep '^DREVOPS_' || true
+else
+  printenv | sort | grep '^DREVOPS_' || true
+fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
env -0 | sort -z | tr '\0' '\n' | grep ^DREVOPS_ || true
if env -0 >/dev/null 2>&1; then
env -0 | tr '\0' '\n' | sort | grep '^DREVOPS_' || true
else
printenv | sort | grep '^DREVOPS_' || true
fi
🤖 Prompt for AI Agents 
In .docker/entrypoints/cli/01-show-drevops-variables.sh around line 7, the
pipeline uses GNU-only flags env -0 and sort -z which are missing on
BusyBox/Alpine; replace it with a portable implementation that first attempts
the null-delimited approach if available and otherwise falls back to a
POSIX-safe pipeline. Concretely, detect/support env -0 and sort -z (e.g., test
sort --version or attempt a harmless invocation) and use them when present;
otherwise use env | sort | grep '^DREVOPS_' || true so the script works on
minimal shells and still honors set -e by ensuring the final command never
fails.

11 changes: 11 additions & 0 deletions .docker/entrypoints/cli/02-notify-about-pre-deployment.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
#!/bin/sh
set -e

# Post-rollout task: Notify about pre-deployment.
# Generated from .lagoon.yml

if [ -n "$LAGOON_PR_NUMBER" ]; then export DREVOPS_NOTIFY_REF=$LAGOON_PR_NUMBER;export DREVOPS_NOTIFY_SHA=${LAGOON_PR_HEAD_SHA#origin/};export DREVOPS_NOTIFY_BRANCH=$LAGOON_PR_HEAD_BRANCH;else export DREVOPS_NOTIFY_REF=$LAGOON_GIT_BRANCH;export DREVOPS_NOTIFY_SHA=$LAGOON_GIT_SHA;export DREVOPS_NOTIFY_BRANCH=$LAGOON_GIT_BRANCH;fi
DREVOPS_NOTIFY_PROJECT=$LAGOON_PROJECT \
DREVOPS_NOTIFY_ENVIRONMENT_URL=$LAGOON_ROUTE \
DREVOPS_NOTIFY_EVENT=pre_deployment ./scripts/drevops/notify.sh || true

40 changes: 40 additions & 0 deletions .docker/entrypoints/cli/03-provision-site.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
#!/bin/sh
set -e

# Post-rollout task: Provision site
# Generated from .lagoon.yml
# COMMENTED OUT: This script contains rsync commands that won't work in Quant Cloud

# if [ "$LAGOON_ENVIRONMENT_TYPE" = "production" ] || [ "$LAGOON_GIT_BRANCH" = "${DREVOPS_LAGOON_PRODUCTION_BRANCH:-main}" ]; then
# echo "==> Running in PRODUCTION environment."
# # Never unblock admin user in production.
# export DRUPAL_UNBLOCK_ADMIN=0
# # Never sanitize DB in production.
# export DREVOPS_PROVISION_SANITIZE_DB_SKIP=1
# fi
#
# # Deployments from UI are not able to bypass the value of
# # DREVOPS_PROVISION_OVERRIDE_DB set by the deploy-lagoon.sh
# # during previous deployments (it sets value to '0' to mitigate Lagoon bug
# # where environment variables cannot be deleted and have to be set to a value).
# # @see https://github.com/uselagoon/lagoon/issues/1922
# # Explicitly set DB overwrite flag to the value from .env file for
# # deployments from the profile.
# if [ "${DREVOPS_PROVISION_USE_PROFILE}" = "1" ]; then
# export DREVOPS_PROVISION_OVERRIDE_DB="$(cat .env | grep ^DREVOPS_PROVISION_OVERRIDE_DB | cut -c31-)"
# fi
# ./scripts/drevops/provision.sh

# NOTE: This provision script has been disabled because:
# - rsync commands try to connect to Lagoon SSH which is not available in Quant Cloud
# - Use DREVOPS_PROVISION_SKIP=1 environment variable to skip provision steps

# Delegate Drupal provisioning to the Quant-aware script. The standard
# DrevOps provision script is not compatible with Quant Cloud because it relies
# on Lagoon-specific tooling (e.g., rsync to Lagoon SSH).
if [ -x "./scripts/quant/provision-quant.sh" ]; then
./scripts/quant/provision-quant.sh
else
echo "Quant provisioning script missing or not executable." >&2
exit 1
fi
12 changes: 12 additions & 0 deletions .docker/entrypoints/cli/04-send-deployment-notifications.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
#!/bin/sh
set -e

# Post-rollout task: Send deployment notifications
# Generated from .lagoon.yml

if [ -n "$LAGOON_PR_NUMBER" ]; then export DREVOPS_NOTIFY_REF=$LAGOON_PR_NUMBER; export DREVOPS_NOTIFY_SHA=${LAGOON_PR_HEAD_SHA#origin/}; export DREVOPS_NOTIFY_BRANCH=$LAGOON_PR_HEAD_BRANCH; else export DREVOPS_NOTIFY_REF=$LAGOON_GIT_BRANCH; export DREVOPS_NOTIFY_SHA=$LAGOON_GIT_SHA; export DREVOPS_NOTIFY_BRANCH=$LAGOON_GIT_BRANCH; fi
DREVOPS_NOTIFY_EVENT=post_deployment \
DREVOPS_NOTIFY_PROJECT=$LAGOON_PROJECT \
DREVOPS_NOTIFY_ENVIRONMENT_URL=$LAGOON_ROUTE \
./scripts/drevops/notify.sh

52 changes: 52 additions & 0 deletions .docker/entrypoints/nginx/00-fix-permissions.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
#!/bin/sh
set -e

# Fix EFS volume permissions based on lagoon.persistent labels
#
# Two approaches based on container configuration:
# 1. VOLUME_USER set: Use secure permissions with UID/GID 1000 (requires container remapping)
# 2. VOLUME_USER unset: Fall back to world-writable (777/666) for compatibility

echo "Fixing file permissions for EFS volumes..."

# Check if containers have been configured with UID/GID remapping
if [ -n "$VOLUME_USER" ]; then
echo "🔒 VOLUME_USER detected: Using secure permissions with UID/GID 1000"
echo " (Assumes containers remap www-data to UID/GID 1000 for EFS compatibility)"
PERMISSION_MODE="secure"
else
echo "⚠️ VOLUME_USER not set: Using world-writable permissions for compatibility"
echo " (Consider setting VOLUME_USER and remapping container users to UID/GID 1000)"
PERMISSION_MODE="compatible"
fi
Comment on lines 18 to 21
Copy link
Contributor

@coderabbitai coderabbitai bot Sep 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Gate world-writable fallback.

Same security concern as PHP entrypoint; require explicit ALLOW_WORLD_WRITABLE=1.

-    PERMISSION_MODE="compatible"
+    PERMISSION_MODE="compatible"
+    if [ "${ALLOW_WORLD_WRITABLE:-0}" != "1" ]; then
+      echo "   Skipping world-writable fallback (set ALLOW_WORLD_WRITABLE=1 to enable)."
+      exit 0
+    fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
echo "⚠️ VOLUME_USER not set: Using world-writable permissions for compatibility"
echo " (Consider setting VOLUME_USER and remapping container users to UID/GID 1000)"
PERMISSION_MODE="compatible"
fi
echo "⚠️ VOLUME_USER not set: Using world-writable permissions for compatibility"
echo " (Consider setting VOLUME_USER and remapping container users to UID/GID 1000)"
PERMISSION_MODE="compatible"
if [ "${ALLOW_WORLD_WRITABLE:-0}" != "1" ]; then
echo " Skipping world-writable fallback (set ALLOW_WORLD_WRITABLE=1 to enable)."
exit 0
fi
fi
🤖 Prompt for AI Agents 
In .docker/entrypoints/nginx/00-fix-permissions.sh around lines 18 to 21, the
script currently falls back to setting world-writable permissions when
VOLUME_USER is not set; replace this unconditional fallback with an explicit
gate that requires ALLOW_WORLD_WRITABLE=1 to proceed. If ALLOW_WORLD_WRITABLE is
not set or not equal to "1", emit a clear error message and exit (or set a safer
default permission mode), and only set PERMISSION_MODE="compatible" when
ALLOW_WORLD_WRITABLE=1 is present; keep the existing informational echoes but
include the requirement to opt-in via ALLOW_WORLD_WRITABLE.


# Persistent volume paths from docker-compose lagoon.persistent labels
for path in "/app/web/sites/default/files/"; do
if [ -d "$path" ]; then
echo "Fixing permissions for: $path"

if [ "$PERMISSION_MODE" = "secure" ]; then
# Set secure directory permissions (755 = rwxr-xr-x)
find "$path" -type d -exec chmod 755 {} + 2>/dev/null || true

# Set secure file permissions (644 = rw-r--r--)
find "$path" -type f -exec chmod 644 {} + 2>/dev/null || true

echo "✓ Secure permissions applied: $path (dirs: 755, files: 644)"
else
# Compatible approach: World-writable fallback

# Make directories world-writable (since we can't chown to unknown web server user)
find "$path" -type d -exec chmod 777 {} + 2>/dev/null || true

# Make files world-readable/writable (since we can't chown to unknown web server user)
find "$path" -type f -exec chmod 666 {} + 2>/dev/null || true

echo "✓ Compatible permissions applied: $path (dirs: 777, files: 666)"
fi
else
echo "Path not found (may not be mounted yet): $path"
fi
done

echo "Permission fixing completed for 1 volumes ($PERMISSION_MODE mode)"
52 changes: 52 additions & 0 deletions .docker/entrypoints/php/00-fix-permissions.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
#!/bin/sh
set -e

# Fix EFS volume permissions based on lagoon.persistent labels
#
# Two approaches based on container configuration:
# 1. VOLUME_USER set: Use secure permissions with UID/GID 1000 (requires container remapping)
# 2. VOLUME_USER unset: Fall back to world-writable (777/666) for compatibility

echo "Fixing file permissions for EFS volumes..."

# Check if containers have been configured with UID/GID remapping
if [ -n "$VOLUME_USER" ]; then
echo "🔒 VOLUME_USER detected: Using secure permissions with UID/GID 1000"
echo " (Assumes containers remap www-data to UID/GID 1000 for EFS compatibility)"
PERMISSION_MODE="secure"
else
echo "⚠️ VOLUME_USER not set: Using world-writable permissions for compatibility"
echo " (Consider setting VOLUME_USER and remapping container users to UID/GID 1000)"
PERMISSION_MODE="compatible"
fi
Comment on lines 18 to 21
Copy link
Contributor

@coderabbitai coderabbitai bot Sep 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

World-writable fallback needs an explicit opt-in.

777/666 on web writable dirs is risky in prod. Gate with an env flag.

-    PERMISSION_MODE="compatible"
+    PERMISSION_MODE="compatible"
+    if [ "${ALLOW_WORLD_WRITABLE:-0}" != "1" ]; then
+      echo "   Skipping world-writable fallback (set ALLOW_WORLD_WRITABLE=1 to enable)."
+      exit 0
+    fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
echo "⚠️ VOLUME_USER not set: Using world-writable permissions for compatibility"
echo " (Consider setting VOLUME_USER and remapping container users to UID/GID 1000)"
PERMISSION_MODE="compatible"
fi
echo "⚠️ VOLUME_USER not set: Using world-writable permissions for compatibility"
echo " (Consider setting VOLUME_USER and remapping container users to UID/GID 1000)"
PERMISSION_MODE="compatible"
if [ "${ALLOW_WORLD_WRITABLE:-0}" != "1" ]; then
echo " Skipping world-writable fallback (set ALLOW_WORLD_WRITABLE=1 to enable)."
exit 0
fi
fi
🤖 Prompt for AI Agents 
In .docker/entrypoints/php/00-fix-permissions.sh around lines 18 to 21, the
script currently falls back to world-writable permissions (777/666) when
VOLUME_USER is unset; change this so the world-writable fallback is only applied
when an explicit opt-in environment variable is set (e.g.,
VOLUME_ALLOW_WORLD_WRITABLE=true). Update the logic to: if VOLUME_USER unset
then check the opt-in flag — if opt-in is true set PERMISSION_MODE="compatible"
and print a clear warning that this is unsafe for production, otherwise set a
safer default (restrictive perms) and print an instruction message about setting
VOLUME_USER or enabling the opt-in flag; ensure the opt-in flag is documented in
the warning and exit logs remain informative.


# Persistent volume paths from docker-compose lagoon.persistent labels
for path in "/app/web/sites/default/files/"; do
if [ -d "$path" ]; then
echo "Fixing permissions for: $path"

if [ "$PERMISSION_MODE" = "secure" ]; then
# Set secure directory permissions (755 = rwxr-xr-x)
find "$path" -type d -exec chmod 755 {} + 2>/dev/null || true

# Set secure file permissions (644 = rw-r--r--)
find "$path" -type f -exec chmod 644 {} + 2>/dev/null || true

echo "✓ Secure permissions applied: $path (dirs: 755, files: 644)"
else
# Compatible approach: World-writable fallback

# Make directories world-writable (since we can't chown to unknown web server user)
find "$path" -type d -exec chmod 777 {} + 2>/dev/null || true

# Make files world-readable/writable (since we can't chown to unknown web server user)
find "$path" -type f -exec chmod 666 {} + 2>/dev/null || true

echo "✓ Compatible permissions applied: $path (dirs: 777, files: 666)"
fi
else
echo "Path not found (may not be mounted yet): $path"
fi
done

echo "Permission fixing completed for 1 volumes ($PERMISSION_MODE mode)"
5 changes: 4 additions & 1 deletion .docker/nginx-drupal.dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,7 @@ ENV WEBROOT=${WEBROOT}

RUN apk add --no-cache tzdata

COPY --from=cli /app /app
# Copy custom nginx configuration for CDN header handling
COPY .docker/config/nginx/location_drupal_prepend_host.conf /etc/nginx/conf.d/drupal/
RUN chmod 0644 /etc/nginx/conf.d/drupal/location_drupal_prepend_host.conf
COPY --from=cli /app /app
1 change: 1 addition & 0 deletions .docker/php.dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,4 @@ FROM uselagoon/php-8.3-fpm:25.1.0
RUN apk add --no-cache tzdata

COPY --from=cli /app /app
COPY .docker/entrypoints/php/* /quant-entrypoint.d/
1 change: 1 addition & 0 deletions .dockerignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ node_modules

# Do not ignore other required files.
!.docker/scripts
!.docker/entrypoints
!.docker/config
!.env
!.eslintrc.json
Expand Down
Loading