add peppermint_json_perms setting to auto chmod peppermint.json on save

build.php

@@ -27,7 +27,7 @@ $modules = glob("modules/*.php");
 $module_index = [];
 // Defined just in case a module needs to reference them when we require() them
 // to gain information
-$env = $paths = new stdClass();
+$env = new stdClass(); $paths = new stdClass();
 $paths->extra_data_directory = "build/._extra_data";
 
 /**

core/01-settings.fragment.php

@@ -37,7 +37,8 @@ if(!file_exists($settingsFilename)) {
 	// Copy the default settings over to the main settings array
 	foreach ($guiConfig as $key => $value)
 		$settings->$key = $value->default;
-	if(file_put_contents("peppermint.json", json_encode($settings, JSON_PRETTY_PRINT)) === false) {
+	// From below if statement: file_put_contents("peppermint.json", json_encode($settings, JSON_PRETTY_PRINT))
+	if(save_settings() === false) {
 		http_response_code(503);
 		header("content-type: text/plain");
 		exit("Oops! It looks like $settings->sitename wasn't able to write peppermint.json to disk.\nThis file contains all of $settings->sitename's settings, so it's really important!\nHave you checked that PHP has write access to the directory that index.php is located in (and all it's contents and subdirectories)? Try\n\nsudo chown USERNAME:USERNAME -R path/to/directory\n\nand\n\nsudo chmod -R 0644 path/to/directory;\nsudo chmod -R +X path/to/directory\n\n....where USERNAME is the username that the PHP process is running under.");
@@ -68,8 +69,10 @@ if(!property_exists($settings, "secret")) {
 	$settings->secret = bin2hex(random_bytes(16));
 	$settings_upgraded = true;
 }
-if($settings_upgraded)
-	file_put_contents("peppermint.json", json_encode($settings, JSON_PRETTY_PRINT));
+if($settings_upgraded) {
+	save_settings();
+	// file_put_contents("peppermint.json", json_encode($settings, JSON_PRETTY_PRINT));
+}
 
 // If:
 // * The first-run wizard hasn't been completed
@@ -80,7 +83,8 @@ if($settings_upgraded)
 // Note we added this additional specific check because in Docker containers we recommend that firstrun_complete be manually preset to false, which would previously get autset to true as we thought it was a pre-existing wiki when it isn't! Note also we don't yet have access to the pageindex at this stage, so we can't check that either.
 if(!$settings->firstrun_complete && $settings_upgraded && $did_upgrade_firstrun_key) {
 	$settings->firstrun_complete = true;
-	file_put_contents("peppermint.json", json_encode($settings, JSON_PRETTY_PRINT));
+	save_settings();
+	// file_put_contents("peppermint.json", json_encode($settings, JSON_PRETTY_PRINT));
 }
 
 // Insert the default CSS if requested

core/05-functions.php

@@ -724,11 +724,23 @@ function minify_css(string $css_str) : string {
 /**
  * Saves the settings file back to peppermint.json.
  * @package	core
+ * @param	stdObject	[$new_settings=null]	A new settings object to REPLACE the old one with - use with extreme care! A value of null (default) indicates that the existing global $settings object will be saved.
  * @return	bool	Whether the settings were saved successfully.
  */
-function save_settings() {
+function save_settings($new_settings=null, $filepath=null) {
 	global $paths, $settings;
-	return file_put_contents($paths->settings_file, json_encode($settings, JSON_PRETTY_PRINT)) !== false;
+	$result = file_put_contents(
+		isset($paths->settings_file) ? $paths->settings_file : "peppermint.json",
+		json_encode(
+			$new_settings == null ? $settings : $new_settings,
+		JSON_PRETTY_PRINT)
+	) !== false;
+	if($settings->peppermint_json_perms !== null) {
+		$perms = octdec($settings->peppermint_json_perms);
+		if(!chmod($paths->settings_file, $perms))
+			error_log("Warning: Failed to chmod peppermint.json at {$paths->settings_file}"); // Complain about inability to chmod but don't claim we can't save
+	}
+	return $result;
 }
 /**
  * Save the page index back to disk, respecting $settings->minify_pageindex

modules/feature-guiconfig.php

@@ -196,7 +196,8 @@ SCRIPT;
 			// Take a backup of the current settings file
 			rename($paths->settings_file, "$paths->settings_file.bak");
 			// Save the new settings file
-			file_put_contents($paths->settings_file, json_encode($newSettings, JSON_PRETTY_PRINT));
+			save_settings($newSettings);
+			// file_put_contents($paths->settings_file, json_encode($newSettings, JSON_PRETTY_PRINT));
 			
 			$content = "<h1>Master settings updated successfully</h1>\n";
 			$content .= "<p>$settings->sitename's master settings file has been updated successfully. A backup of the original settings has been created under the name <code>peppermint.json.bak</code>, just in case. You can <a href='?action=configure'>go back</a> and continue editing the master settings file, or you can go to the <a href='?action=view&page=" . rawurlencode($settings->defaultpage) . "'>" . htmlentities($settings->defaultpage) . "</a>.</p>\n";

modules/page-login.php

@@ -238,7 +238,7 @@ function do_password_hash_code_update() {
 		$settings->password_cost = $new_cost;
 	// Save the current time in the settings
 	$settings->password_cost_time_lastcheck = time();
-	file_put_contents($paths->settings_file, json_encode($settings, JSON_PRETTY_PRINT));
+	save_settings();
 }
 
 /**

peppermint.guiconfig.json

@@ -270,6 +270,7 @@
 	"sessionlifetime": { "type": "number", "description": "Again, you shouldn't need to change this under normal circumstances. This setting controls the lifetime of a login session. Defaults to 24 hours, but it may get cut off sooner depending on the underlying PHP session lifetime.", "default": 86400 },
 	"cookie_secure": { "type": "text", "description": "Whether to set the 'Secure' flag on all cookies. This prevents cookies from being transmitted over an unencrypted connection. Default: auto (sets the flag if HTTPS is detected). Other possible values: false (the flag is never set), true (the flag will always be set, regardless of whether HTTPS is detected or not)", "default": "auto" },
 	"disable_peppermint_access_check": { "type": "checkbox", "description": "Disables the access check for peppermint.json on first-run. <strong>VERY DANGEROUS</strong>. Use only for development. Note that it's recommend to block access to peppermint.json for a reason - it contains your site secret and password hashes, so an attacker could do all <em>sorts</em> of nefarious things if it's left unblocked.", "default": false },
+	"peppermint_json_perms": { "type": "text", "description": "The permissions to chmod peppermint.json to after saving it. Defaults to null, which means do not alter permissions. String must be a linux octal string with a leading 0: for example 0640. WARNING: Do <strong>NOT</strong> mark peppermint.json as 0777 - this is very insecure! Generally 0660, 0640, and 0600 work well for most purposes. Do not edit this setting unless you know what you're doing!", "default": null },
 	"css_theme_autoupdate_url": { "type": "url", "description": "A url that points to the css theme file to check for updates. If blank, then automatic updates are disabled.", "default": "" },
 	"css_theme_autoupdate_interval": { "type": "number", "description": "The interval, in seconds, that updates to the theme should be checked for. Defaults to every week. A value of -1 disables automatic updates.", "default": 604800 },
 	"css_theme_autoupdate_lastcheck": { "type": "number", "description": "The timestamp of the last time that updates for the selected theme were last checked for. To disable automatic updates, you should set <code>css_theme_autoupdate_interval</code> to <code>-1</code> instead of changing this setting.", "default": 0 },