From 756ddb57654589960d8f2bd0ff592b08f5ecc99e Mon Sep 17 00:00:00 2001 From: Pontoporeia Date: Mon, 6 Apr 2026 16:39:55 +0200 Subject: [PATCH] fix: RateLimit graceful degradation on permission denied Silence mkdir() with @ operator; guard file_put_contents with is_writable() check. When storage/cache/rate_limit is not writable by php-fpm, requests are allowed through instead of throwing warnings that flood the nginx error log. --- TODO.md | 3 +++ scripts/deploy-server.sh | 6 ++++++ scripts/setup-server.sh | 6 ++++++ src/RateLimit.php | 8 +++++--- 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/TODO.md b/TODO.md index b6fccea..3a1b5c5 100644 --- a/TODO.md +++ b/TODO.md 
@@ -11,6 +11,9 @@ Pending tasks have been split into topic files under [`todo/`](todo/README.md): ## Recently completed (this session) +- [x] `RateLimit.php` — silence `mkdir()` with `@`; guard `file_put_contents` with `is_writable()` check so permission errors degrade gracefully (allow request, skip write) instead of spamming nginx error log +- [x] `scripts/deploy-server.sh` + `scripts/setup-server.sh` — add `mkdir -p storage/cache/rate_limit` + `chown`/`chmod 2775` so php-fpm has write access on fresh deploys + - [x] CSS cleanup — removed dark-mode `@media (prefers-color-scheme: dark)` block from `variables.css`; deleted dead `colors.css` reference file; added all missing semantic tokens to `variables.css` (`--header-*`, `--search-error-*`, `--sys-*` dark-terminal tokens, `--*-muted-bg/border/hover` alpha overlay tokens); replaced every hardcoded hex/rgba in `common.css`, `main.css`, `search.css`, `admin.css`, `system.css` with `var()` references; fixed `--border-color` typo → `--border-primary` in `search.css`; fixed `view-toggle__btn` active color to use `--accent-foreground`; updated `README.md`; admin and public now share identical token set with zero duplication - [x] `pages-edit.php` — replaced EasyMDE (333 KB: 320 KB JS + 13 KB CSS) with OverType (118 KB, single JS file, no CSS); removed `easymde.min.js` and `easymde.min.css` from `public/assets/`; vendored `overtype.min.js`; replaced `
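Review bot: The first added TODO entry (`RateLimit.php`, "allow request, skip write") describes a limiter that fails open, and it mentions no remaining signal once `mkdir()` is silenced with `@` and the write is skipped by the `is_writable()` guard, so an unwritable `storage/cache/rate_limit` would leave rate limiting disabled without anyone noticing. Suggest recording in this entry that the fallback is fail-open by design, and adding a single throttled `error_log()` line or a health-check flag on the unwritable path so the condition stays visible without flooding the nginx error log. The second added entry records `chown`/`chmod 2775` without saying which owner and group are expected; naming them here would make it reviewable that the setgid, group-writable directory is writable by php-fpm and no wider.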