From 58d998e20826a9d7b319b9677c91391240e22297 Mon Sep 17 00:00:00 2001
From: Mike McQuaid <mike@mikemcquaid.com>
Date: Tue, 11 Oct 2016 09:36:20 +0100
Subject: [PATCH] postinstall: allow write access to cellars in repository.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If HOMEBREW_CELLAR (or HOMEBREW_PREFIX) are children of
HOMEBREW_REPOSITORY it’s important to deny write to the repository and
enable write to the Cellar/prefix afterwards.
---
 Library/Homebrew/cmd/postinstall.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Library/Homebrew/cmd/postinstall.rb b/Library/Homebrew/cmd/postinstall.rb
index 1e205e65de..e8855b09e5 100644
--- a/Library/Homebrew/cmd/postinstall.rb
+++ b/Library/Homebrew/cmd/postinstall.rb
@@ -35,10 +35,10 @@ module Homebrew
         sandbox.record_log(formula.logs/"postinstall.sandbox.log")
         sandbox.allow_write_temp_and_cache
         sandbox.allow_write_log(formula)
-        sandbox.allow_write_cellar(formula)
         sandbox.allow_write_xcode
-        sandbox.allow_write_path HOMEBREW_PREFIX
         sandbox.deny_write_homebrew_repository
+        sandbox.allow_write_path HOMEBREW_PREFIX
+        sandbox.allow_write_cellar(formula)
         sandbox.exec(*args)
       else
         exec(*args)