FEATURE: support uploads for themes

This allows themes to bundle various assets
2025-02-25 18:55:32 -06:00 · 2017-05-09 17:20:28 -04:00
parent f709899a1d
commit bc0b9af576
25 changed files with 368 additions and 51 deletions
--- a/lib/git_importer.rb
+++ b/lib/git_importer.rb
@@ -35,15 +35,24 @@ class GitImporter
    FileUtils.rm_rf(@temp_folder)
  end

-  def [](value)
-    fullpath = "#{@temp_folder}/#{value}"
+  def real_path(relative)
+    fullpath = "#{@temp_folder}/#{relative}"
    return nil unless File.exist?(fullpath)

    # careful to handle symlinks here, don't want to expose random data
    fullpath = Pathname.new(fullpath).realpath.to_s
+
    if fullpath && fullpath.start_with?(@temp_folder)
-      File.read(fullpath)
+      fullpath
+    else
+      nil
    end
  end

+  def [](value)
+    fullpath = real_path(value)
+    return nil unless fullpath
+    File.read(fullpath)
+  end
+
 end
--- a/lib/stylesheet/compiler.rb
+++ b/lib/stylesheet/compiler.rb
@@ -40,6 +40,7 @@ module Stylesheet
                                 source_map_file: source_map_file,
                                 source_map_contents: true,
                                 theme_id: options[:theme_id],
+                                 theme: options[:theme],
                                 theme_field: options[:theme_field],
                                 load_paths: [ASSET_ROOT])

--- a/lib/stylesheet/importer.rb
+++ b/lib/stylesheet/importer.rb
@@ -41,7 +41,9 @@ module Stylesheet
      colors.each do |n, hex|
        contents << "$#{n}: ##{hex} !default;\n"
      end
-      theme&.theme_fields&.where(type_id: ThemeField.theme_var_type_ids)&.each do |field|
+      theme&.theme_fields&.each do |field|
+        next unless ThemeField.theme_var_type_ids.include?(field.type_id)
+
        if field.type_id == ThemeField.types[:theme_upload_var]
          if upload = field.upload
            url = upload_cdn_path(upload.url)
@@ -84,8 +86,13 @@ module Stylesheet
    end

    def initialize(options)
+      @theme = options[:theme]
      @theme_id = options[:theme_id]
      @theme_field = options[:theme_field]
+      if @theme && !@theme_id
+        # make up an id so other stuff does not bail out
+        @theme_id = @theme.id || -1
+      end
    end

    def import_files(files)
--- a/lib/validators/upload_validator.rb
+++ b/lib/validators/upload_validator.rb
@@ -24,11 +24,11 @@ class Validators::UploadValidator < ActiveModel::Validator
  end

  def is_authorized?(upload, extension)
-    authorized_extensions(upload, extension, authorized_uploads)
+    authorized_extensions(upload, extension, authorized_uploads(upload))
  end

  def authorized_image_extension(upload, extension)
-    authorized_extensions(upload, extension, authorized_images)
+    authorized_extensions(upload, extension, authorized_images(upload))
  end

  def maximum_image_file_size(upload)
@@ -36,7 +36,7 @@ class Validators::UploadValidator < ActiveModel::Validator
  end

  def authorized_attachment_extension(upload, extension)
-    authorized_extensions(upload, extension, authorized_attachments)
+    authorized_extensions(upload, extension, authorized_attachments(upload))
  end

  def maximum_attachment_file_size(upload)
@@ -45,10 +45,12 @@ class Validators::UploadValidator < ActiveModel::Validator

  private

-  def authorized_uploads
+  def authorized_uploads(upload)
    authorized_uploads = Set.new

-    SiteSetting.authorized_extensions
+    extensions = upload.for_theme ? SiteSetting.theme_authorized_extensions : SiteSetting.authorized_extensions
+
+    extensions
      .gsub(/[\s\.]+/, "")
      .downcase
      .split("|")
@@ -57,20 +59,21 @@ class Validators::UploadValidator < ActiveModel::Validator
    authorized_uploads
  end

-  def authorized_images
-    authorized_uploads & FileHelper.images
+  def authorized_images(upload)
+    authorized_uploads(upload) & FileHelper.images
  end

-  def authorized_attachments
-    authorized_uploads - FileHelper.images
+  def authorized_attachments(upload)
+    authorized_uploads(upload) - FileHelper.images
  end

-  def authorizes_all_extensions?
-    SiteSetting.authorized_extensions.include?("*")
+  def authorizes_all_extensions?(upload)
+    extensions = upload.for_theme ? SiteSetting.theme_authorized_extensions : SiteSetting.authorized_extensions
+    extensions.include?("*")
  end

  def authorized_extensions(upload, extension, extensions)
-    return true if authorizes_all_extensions?
+    return true if authorizes_all_extensions?(upload)

    unless authorized = extensions.include?(extension.downcase)
      message = I18n.t("upload.unauthorized", authorized_extensions: extensions.to_a.join(", "))