FIX: Disallow editing of remote themes (#11189)

Allowing the editing of remote themes has been something Discourse has advised against for some time. This commit removes the ability to edit or upload files to remote themes from Admin > Customize to enforce the recommended practice.
Justin DiRose
2020-11-13 09:57:49 -06:00
committed by GitHub
parent dc005c593e
commit 65e123498b
4 changed files with 65 additions and 37 deletions

@@ -299,6 +299,10 @@ class Admin::ThemesController < Admin::AdminController
raise Discourse::InvalidAccess if !GlobalSetting.allowed_theme_ids.nil?
end
def ban_for_remote_theme!
raise Discourse::InvalidAccess if @theme.remote_theme
end
def add_relative_themes!(kind, ids)
expected = ids.map(&:to_i)
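Review bot: `ban_for_remote_theme!` decides purely on whether `@theme.remote_theme` is present, and it dereferences `@theme` with no guard. Any theme that carries that association is refused, whatever the state of the record, so please confirm that is the intended scope and say so in a short comment above the method. Also confirm every caller has loaded `@theme` first, because a nil `@theme` would surface as a `NoMethodError` instead of `Discourse::InvalidAccess`. Since the error is raised without a reason, an admin who hits it gets no hint that the theme is remote; consider giving the refusal an explanatory message.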
@@ -357,6 +361,7 @@ class Admin::ThemesController < Admin::AdminController
return unless fields = theme_params[:theme_fields]
ban_in_allowlist_mode!
ban_for_remote_theme!
fields.each do |field|
@theme.set_field(
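Review bot: the new `ban_for_remote_theme!` call sits after `return unless fields = theme_params[:theme_fields]`, so the guard only runs for requests that carry `theme_fields`. That is fine if other attributes of a remote theme are meant to stay editable, but the commit message also promises to block file uploads to remote themes, and nothing in this hunk covers that path. Please make sure the upload handling calls the same guard on the server side rather than relying on the admin UI hiding the controls, and add a request spec asserting that a `theme_fields` update against a remote theme is rejected and leaves the fields unchanged.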