From 37b705a0d678403b08fe89bb547917b886470837 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Wed, 28 Mar 2018 14:59:27 -0700
Subject: [PATCH] CRM_Utils_Check_Component_Env - Soften messages for read-only extDir

There are competing schools of thought on whether extension folders should be web-writable:
* Sometimes, the most active (or the only) admins are web-based. Making the folder writeable lets them keep extensions up-to-date through the web UI. This includes applying security-fixes for extensions. Thus, sites with writeable extdir are harder to attack (more secure).
* Sometimes, the most active (or the only) admins don't use the web-based admin UI, and they don't trust any web-based users to do administration. They don't want the folder to be writeable.
* If there's a flaw that allows writing to the filesystem, it could be escalated to writing+executing code. Thus, sites with read-only extdir are harder to attack (more secure).
This commit tries to accept each scenario as valid -- but communicate better. Instead of flatly describing the read-only dir as erroreous, present a warning with some choice/trade-off.
---
 CRM/Utils/Check/Component/Env.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/CRM/Utils/Check/Component/Env.php b/CRM/Utils/Check/Component/Env.php
index ee1da2aed8..4b9cfd3965 100644
--- a/CRM/Utils/Check/Component/Env.php
+++ b/CRM/Utils/Check/Component/Env.php
@@ -581,10 +581,10 @@ class CRM_Utils_Check_Component_Env extends CRM_Utils_Check_Component {
 elseif (!is_writable($basedir)) {
 $messages[] = new CRM_Utils_Check_Message(
 __FUNCTION__,
- ts('Directory %1 is not writable. Please change your file permissions.',
+ ts('Your extensions directory (%1) is read-only. If you would like perform downloads or upgrades, then change the file permissions.',
 array(1 => $basedir)),
- ts('Directory not writable'),
- \Psr\Log\LogLevel::ERROR,
+ ts('Read-Only Extensions'),
+ \Psr\Log\LogLevel::WARNING,
 'fa-plug'
 );
 return $messages;
-- 2.25.1
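Review bot: The new status text in the first `ts()` call only tells the administrator how to make the extensions directory writable, and it drops a word ("would like perform"). The commit description treats a read-only directory as a legitimate hardening choice, because a file-write flaw is harder to escalate to code execution when the web user cannot write there, yet an admin reading this warning sees only the prompt to loosen permissions. I would state both sides and fix the grammar: `ts('Your extensions directory (%1) is read-only. This limits the impact of a file-write flaw, but extensions cannot be downloaded or upgraded through the web interface. If you would like to perform downloads or upgrades, then change the file permissions.',`. The enclosing method starts and ends outside the hunk, so whether its other branches need matching wording cannot be checked from here.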