Add writable_acl_force to force ACL reset on writable dirs (#4140)

ianbeu · Ian Beuchel · Copilot · web-flow · commit f8a4af51bf34 · 2025-12-08T11:51:15.000+01:00
* Add writable_acl_force to force ACL reset on writable dirs

* Update recipe/deploy/writable.php

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* Improve writable_acl_force setting documentation

---------

Co-authored-by: Ian Beuchel &lt;ian@planbar.app&gt;
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@
 .phpunit.result.cache
 docker-compose.override.yml
 .php-cs-fixer.cache
+.idea/
diff --git a/docs/recipe/deploy/writable.md b/docs/recipe/deploy/writable.md
@@ -98,11 +98,21 @@ List of additional groups to give write permission to.
 
 
 
+### writable_acl_force
+[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/writable.php#L65)
+
+Force ACLs to be reapplied even if they already exist. Useful when recursive ACLs need to reach new nested paths but sudo isn't available. Slower, so enable only to fix writable dir permissions.
+
+```php title="Default value"
+false
+```
+
+
 
 ## Tasks
 
 ### deploy\:writable {#deploy-writable}
-[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/writable.php#L65)
+[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/writable.php#L68)
 
 Makes writable dirs.
 
diff --git a/recipe/deploy/writable.php b/recipe/deploy/writable.php
@@ -61,6 +61,9 @@
 // List of additional groups to give write permission to.
 set('writable_acl_groups', []);
 
+// Force ACLs to be reapplied even if they already exist. Useful when recursive ACLs need to reach new nested paths but sudo isn't available. Slower, so enable only to fix writable dir permissions.
+set('writable_acl_force', false);
+
 desc('Makes writable dirs');
 task('deploy:writable', function () {
     $dirs = join(' ', get('writable_dirs'));
@@ -121,14 +124,16 @@
             if (empty($sudo)) {
                 // When running without sudo, exception may be thrown
                 // if executing setfacl on files created by http user (in directory that has been setfacl before).
-                // These directories/files should be skipped.
-                // Now, we will check each directory for ACL and only setfacl for which has not been set before.
+                // These directories/files should be skipped unless forcing ACL reset.
+                // Now, we will check each directory for ACL and only setfacl for which has not been set before,
+                // unless writable_acl_force is enabled.
                 $writeableDirs = get('writable_dirs');
+                $forceAcl = get('writable_acl_force');
                 foreach ($writeableDirs as $dir) {
                     // Check if ACL has been set or not
                     $hasfacl = run("getfacl -p $dir | grep \"^user:$httpUser:.*w\" | wc -l");
-                    // Set ACL for directory if it has not been set before
-                    if (!$hasfacl) {
+                    // Set ACL for directory if it has not been set before or if forcing ACL reset
+                    if ($forceAcl || !$hasfacl) {
                         run("setfacl -L $recursive $setFaclUsers $setFaclGroups $dir");
                         run("setfacl -dL $recursive $setFaclUsers $setFaclGroups $dir");
                     }
