fix(uploads): unconditionally adjust file permissions for sandbox access

The conditional check meant uploaded files retained 0o600 permissions
in some Docker sandbox configurations, preventing the sandbox process
(UID 1000) from reading them. Always add group/other read bits so every
sandbox setup can access uploaded content. Also add read bits to the
sync-path writable helper as defense in depth.
Willem Jiang
2026-05-23 16:31:30 +08:00
parent cfd9c61b9a
commit bc8aab0ade
2 changed files with 14 additions and 10 deletions
+4 -1
@@ -236,7 +236,10 @@ def test_upload_files_does_not_adjust_permissions_for_local_sandbox(tmp_path):
assert result.success is True
make_writable.assert_not_called()
make_readable.assert_not_called()
# Readable adjustment is now always applied regardless of sandbox type
make_readable.assert_called_once()
called_path = make_readable.call_args[0][0]
assert called_path.name == "notes.txt"
def test_upload_files_acquires_non_local_sandbox_before_writing(tmp_path):
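Review bot: The test name `test_upload_files_does_not_adjust_permissions_for_local_sandbox` now contradicts its own assertions, since it requires `make_readable` to be called once for the local sandbox; a name such as `test_upload_files_makes_uploads_readable_but_not_writable_for_local_sandbox` would match. Because the helper is mocked, nothing in this test bounds how far the mode is widened. Per the commit message, uploads go from 0o600 to group/other-readable in every setup, which on a local sandbox presumably means other accounts on the host can read user uploads. A companion test on the real helper, with `assert stat.S_IMODE(p.stat().st_mode) & 0o022 == 0`, would pin that only read bits are added. The test's body starts above the hunk.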