shopware: WebInstaller does not work for Subdirectory Installation if another Shopware 6 or any corrupt `composer.lock` file already exists in parent directory

PHP Version

8.2

Shopware Version

6.0+

Expected behaviour

The new WebInstaller should be able to install a new Shopware 6 Instance in a subdirectory, even if there already exists a shopware installation in the parent directory

Actual behaviour

If there already exists a Shopware 6, or any other Composer Project, installation in the parent directory the WebInstaller will instead overwrite/update the already existing installation

How to reproduce

Set up a new Shopware 6 Installation with project Dir /var/www/mywebsite.com/ and docroot /var/www/mywebsite.com/public

Then try to install another Shopware Installation with project Dir /var/www/mywebsite.com/staging and document root /var/www/mywebsite.com/staging/public

The WebInstaller will then pick /var/www/mywebsite.com/staging as the $project_dir and check for a composer.lock inside /var/www/mywebsite.com/ which already exists and then proceed to update this installation instead.

A possible workaround would be something like:

diff --git a/src/WebInstaller/src/Services/RecoveryManager.php b/src/WebInstaller/src/Services/RecoveryManager.php
index 7b6feb6718..ade94f0f2f 100644
--- a/src/WebInstaller/src/Services/RecoveryManager.php
+++ b/src/WebInstaller/src/Services/RecoveryManager.php
@@ -41,11 +41,14 @@ class RecoveryManager
         $projectDir = $this->getProjectDir();
 
         $composerLookups = [
-            \dirname($projectDir) . '/composer.lock',
             $projectDir . '/composer.lock',
             $projectDir . '/shopware/composer.lock',
         ];
 
+       if ( basename($projectDir) == "public" ) {
+               $composerLookups[] = \dirname($projectDir) . '/composer.lock';
+       }
+
         foreach ($composerLookups as $composerLookup) {
             if (file_exists($composerLookup)) {
                 /** @var array{packages: array{name: string, version: string}[]} $composerJson */

As far as I can tell a user is not supposed to run the installer from inside the public directory, so I’m not sure if the check for the parent directory is necessary at all. And if the user is supposed to run the Installer from inside the public directory it should not create another public directory during installation.

Installing the second Shopware 6 instance inside the public directory is also not desirable as that would expose sensitive files to a regular user.

If I’m missing something please let me know, as installing Shopware into a subdirectory is a rather common use-case for us.

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Comments: 16 (8 by maintainers)

Most upvoted comments

Limiting everything to the public folder would also simplify the nginx configuration as there is no need for another location with a different docroot for just the phar and a user would not need to switch the docroot after installation.

Adding the two /dirname calls to the InstallController.php seems to do just that, however as I’m not too familiar with the rest of the code and did not extensively test it there might be problems with it or there exists a different better solution

+1
jr-timme on Apr 27, 2023
Read more comments on GitHub
← shopware: NEXT-6651 - Using remote filesystem breaks frontend and backend
ddc.vim: msgpack TimeoutErrors →