bovigo / vfsStream

vfsStream is a stream wrapper for a virtual file system that may be helpful in unit tests to mock the real file system. It can be used with any unit test framework, like PHPUnit or SimpleTest.
BSD 3-Clause "New" or "Revised" License

touch() ignores permissions of existing objects #280

Closed hschletz closed 10 months ago

hschletz commented 2 years ago

touch() checks permissions only when it creates a new file (see also #107). Touching an existing object succeeds even when its permissions should not allow it:

$root = vfsStream::setup('root');
$file = vfsStream::newFile('test', 0)->at($root);
var_dump(touch($file->url())); // Should be FALSE and issue a warning, but actually succeeds

vfsStreamWrapper::stream_metadata() does not implement any permission checks.

mikey179 commented 10 months ago

touch() is an operation within the directory as it changes the contents of the directory, and as such only permissions of the directory are relevant for this operation. You can try this yourself in a terminal of your choice:

➜  ~ mkdir foo
➜  ~ cd foo 
➜  foo ls -l
total 0
➜  foo touch example.txt
➜  foo chmod 000 example.txt 
➜  foo ls -l
total 0
----------  1 mikey  staff     0B 26 Jan 19:12 example.txt
➜  foo touch example.txt
➜  foo ls -l         
total 0
----------  1 mikey  staff     0B 26 Jan 19:13 example.txt

As you can see, touch changed the timestamp of the file - even though there are no permissions for this file. This is due to the fact that touch is a write operation on the contents of the directory, and not on the file itself.