Composer autoloader patch was added to app/Mage.php #3216
Conversation
|
Tested:
@sreichel @Flyingmana Are you aware of any production setups that use the "vendor-dir" option and what the reasons are for it? It'd be great if this was a MINOR update as although it is not a huge issue, it is pretty annoying. But if there are people using "vendor-dir" maybe it should be MAJOR to be safe. In such cases setting the |
|
only in very few cases, and then I think to have it outside the root directory. I dont think its a notable number, and they could use the patch functionality for it |
|
Is that the purpose of the check for '../vendor' to cover users who set the vendor-dir to the parent? It seems that is a minor security concern for if a user was using the parent path but a hacker could create |
|
@Flyingmana they should be able to set the |
No, im not. I still we coukd keep the option to set custom vendor dir in composer.json. |
|
you can customise it in the composer.json, you'll just have to add the COMPOSER_VENDOR_PATH env variable or repatch Mage.php |
If imho ... this fixes something, that is not broken :/ |
|
@colinmollenhour the idea was yours (I just turned it into a PR), I support it and it has 2 other positive reviews, what are we doing? |
A user could also skip the env variable and create I think environment variables are the most broadly supported and widely used way of handling this type of thing.
This is the best way I can come up with that doesn't add any security risk or require any modifications to the I'm sure everyone is happy to consider alternative propsoals, but it seems many also agree that having a default way to include the composer autoloader without modifying core files now that composer is a requirement of the project just makes sense. Please let us know if you still have any objections and/or proposal for an alternative. |
fballiano
changed the title
|
I merged it, everything can be changed anyway, in case a better solution comes ahead. |
|
So I had never tried the composer way to install OpenMage, I always just used git clone.. Now I see that even our default install procedure puts the vendor path above the /** AUTOLOADER PATCH **/
$autoloaderPath = getenv('COMPOSER_VENDOR_PATH');
if (!$autoloaderPath) {
$autoloaderPath = dirname(BP) . DS . 'vendor');
if (!is_dir($autoloaderPath)) {
$autoloaderPath = BP . DS . 'vendor';
}
}
require $autoloaderPath;
/** AUTOLOADER PATCH **/I'll open a new PR.. |
|
You did Check with the Implementation to check If the Patch is already
applied?
https://github.com/Cotya/magento-composer-installer/blob/ece5cc5bb2a0150a743619901543036597f9eb5b/src/MagentoHackathon/Composer/Magento/Patcher/Bootstrap.php#L97
|
Yes, that part was tested and works fine. One goal was to avoid requiring changes to that library to keep it simple. What was not tested was installing with a core installer like |
There were multiple discussions about this but they're kinda lost all over the repository and kinda, what about we gather them here?
This PR is born from the last comments to #2791 and it is based on the last @colinmollenhour suggestions and allows for a configurable vendor folder, which should solve everybody's problem?