FIX: allowed_theme_ids should not be persisted in GlobalSettings (#14756)

* FIX: allowed_theme_ids should not be persisted in GlobalSettings It was observed that the memoized value of `GlobalSetting.allowed_theme_ids` would be persisted across requests, which could lead to unpredictable/undesired behaviours in a multisite environment. This change moves that logic out of GlobalSettings so that the returned theme IDs are correct for the current site. Uses get_set_cache, which ultimately uses DistributedCache, which will take care of multisite issues for us.
2025-02-25 18:55:32 -06:00 · 2021-10-29 11:46:52 -04:00
parent 724f1ee9d1
commit cfc62dbace
6 changed files with 21 additions and 39 deletions
--- a/spec/requests/admin/themes_controller_spec.rb
+++ b/spec/requests/admin/themes_controller_spec.rb
@@ -102,26 +102,23 @@ describe Admin::ThemesController do

    context 'when theme allowlist mode is enabled' do
      before do
-        GlobalSetting.reset_allowed_theme_ids!
-        global_setting :allowed_theme_repos, "https://github.com/discourse/discourse-brand-header"
-      end
-
-      after do
-        GlobalSetting.reset_allowed_theme_ids!
+        global_setting :allowed_theme_repos, "https://github.com/discourse/discourse-brand-header.git"
      end

      it "allows allowlisted imports" do
-        RemoteTheme.stubs(:import_theme)
+        expect(Theme.allowed_remote_theme_ids.length).to eq(0)
+
        post "/admin/themes/import.json", params: {
-          remote: '    https://github.com/discourse/discourse-brand-header       '
+          remote: '    https://github.com/discourse/discourse-brand-header.git       '
        }

+        expect(Theme.allowed_remote_theme_ids.length).to eq(1)
        expect(response.status).to eq(201)
      end

      it "prevents adding disallowed themes" do
        RemoteTheme.stubs(:import_theme)
-        remote = '    https://bad.com/discourse/discourse-brand-header       '
+        remote = '    https://bad.com/discourse/discourse-brand-header.git       '

        post "/admin/themes/import.json", params: { remote: remote }

@@ -138,7 +135,7 @@ describe Admin::ThemesController do
    it 'can import a theme from Git' do
      RemoteTheme.stubs(:import_theme)
      post "/admin/themes/import.json", params: {
-        remote: '    https://github.com/discourse/discourse-brand-header       '
+        remote: '    https://github.com/discourse/discourse-brand-header.git       '
      }

      expect(response.status).to eq(201)
@@ -311,14 +308,9 @@ describe Admin::ThemesController do

    context 'when theme allowlist mode is enabled' do
      before do
-        GlobalSetting.reset_allowed_theme_ids!
        global_setting :allowed_theme_repos, "  https://magic.com/repo.git, https://x.com/git"
      end

-      after do
-        GlobalSetting.reset_allowed_theme_ids!
-      end
-
      it 'unconditionally bans theme_fields from updating' do
        r = RemoteTheme.create!(remote_url: "https://magic.com/repo.git")
        theme.update!(remote_theme_id: r.id)