
Possibility to include partials outside of the theme

Open alekseyp opened this issue 3 years ago • 18 comments

I'm currently running an older version that allows including files outside of the theme, but going over newer commits I see that it was patched as a security bug that stops you from going outside your theme to find files.

Usually I would have one theme that is common and then all my other themes would load partials from it, which could include forms, content, or simple HTML elements that are exactly the same on ~20 websites.

Out of all partials, I only have one that has php in it via onStart().

To test it, you can create new empty theme and try to load a partial from a demo theme

{% partial '../../demo/partials/calcresult' %}

I have also tried using ~/themes/, etc.

I do understand the security concern, but it would be good if there was a way to disable it for the whole project.

One of the "workarounds" I had in mind is to create a relative symlink in each theme, but I was curious if there is a better way to do it.

alekseyp avatar May 06 '21 04:05 alekseyp

If you are using almost the same elements for ~20 websites then maybe it's better to group them under your own plugin which could have its own partials and components..., then maybe also the maintenance process could be easier for you; for example, you make changes in the plugin file and then could deliver changes to all websites via a plugin update. But that's just an idea...

arvislacis avatar May 06 '21 06:05 arvislacis

@arvislacis is correct - the best form of re-usability is through plugins. We want to encourage safe theme editing and security so I feel it best that we don't have a way to disable the sandboxing of themes when there's readily available functionality better suited to your use case.

bennothommo avatar May 06 '21 07:05 bennothommo

@bennothommo I asked for this issue to be opened, there were some ideas for this that I wanted to try but Sam was never interested in.

LukeTowers avatar May 06 '21 12:05 LukeTowers

@LukeTowers ah fair enough. What were the ideas?

bennothommo avatar May 06 '21 13:05 bennothommo

Mostly centred around using path resolving to ensure that the files existed in the themes directory; could also have it locked behind a config option like restrictBaseDir.

LukeTowers avatar May 06 '21 13:05 LukeTowers

How about a dependency model. When a theme lists other themes as a dependency, it can read from those theme dirs, but gains no access to other themes.

That way you keep sandboxing, whilst still hemming the possible scans of installed materials.

tschallacka avatar May 06 '21 22:05 tschallacka

@tschallacka what difference does it make if the theme can list any theme as a dependency?

mjauvin avatar May 07 '21 12:05 mjauvin

@mjauvin Nobody would download a theme that's dependent on all the other themes, I would hope.. And this way you can sandbox, whilst still giving some flexibility.

tschallacka avatar May 08 '21 20:05 tschallacka

I'm happy with a theme being able to access its own files and any files that it is dependent on (similar to a child theme), and that's it. I wouldn't want a theme to access files in another theme that has no bearing on it, nor access any files outside of the themes directory.

bennothommo avatar May 10 '21 02:05 bennothommo
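The containment check LukeTowers and bennothommo describe above (resolve the path, then accept it only if it lands inside the requesting theme or a theme it declares as a dependency), as an added example that is not Winter CMS code. The directory layout, the `.htm` suffix handling and all function names are assumptions for illustration; the sample tree is constructed by the script itself and includes the relative-symlink case from the opening post.

```python
import os
import tempfile

PARTIAL_EXT = ".htm"  # assumption: partials are .htm files under <theme>/partials

def resolve_partial(theme_dir, partial_ref, allowed_theme_dirs):
    """Resolve a partial reference relative to the theme's partials directory and
    return its real path only if the file exists inside the requesting theme or
    one of its declared dependency themes; otherwise return None."""
    candidate = os.path.realpath(
        os.path.join(theme_dir, "partials", partial_ref + PARTIAL_EXT))
    if not os.path.isfile(candidate):
        return None
    for root in allowed_theme_dirs:
        real_root = os.path.realpath(root)
        # commonpath, not startswith: "themes/site" must not match "themes/site2"
        if os.path.commonpath([real_root, candidate]) == real_root:
            return candidate
    return None

def build_sample_themes():
    """Constructed sample tree: two themes plus one file outside themes/."""
    base = tempfile.mkdtemp()
    for theme, name in (("demo", "calcresult"), ("site", "header")):
        pdir = os.path.join(base, "themes", theme, "partials")
        os.makedirs(pdir)
        with open(os.path.join(pdir, name + PARTIAL_EXT), "w") as fh:
            fh.write("<p>constructed sample partial</p>\n")
    with open(os.path.join(base, "config" + PARTIAL_EXT), "w") as fh:
        fh.write("outside the themes directory\n")
    # A relative symlink placed inside the theme that points outside it;
    # realpath() follows it, so the containment check still catches it.
    os.symlink("../../../config" + PARTIAL_EXT,
               os.path.join(base, "themes", "site", "partials", "leak" + PARTIAL_EXT))
    return base

def check_references(base):
    site = os.path.join(base, "themes", "site")
    demo = os.path.join(base, "themes", "demo")
    with_dep = [site, demo]  # "site" declares "demo" as a dependency
    alone = [site]           # "site" declares no dependencies
    return {
        "own_partial": resolve_partial(site, "header", with_dep) is not None,
        "dependency_partial": resolve_partial(site, "../../demo/partials/calcresult", with_dep) is not None,
        "undeclared_theme": resolve_partial(site, "../../demo/partials/calcresult", alone) is None,
        "traversal_outside": resolve_partial(site, "../../../config", with_dep) is None,
        "symlink_outside": resolve_partial(site, "leak", with_dep) is None,
    }

if __name__ == "__main__":
    print(check_references(build_sample_themes()))
```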

As another security precaution, maybe we can add a flag to a theme that makes it "extendable"?

So only themes with that flag can be included by other themes?

alekseyp avatar May 10 '21 06:05 alekseyp

@alekseyp I would rather go with a "final" flag, so that the default is extendable, in the spirit of open source projects building on top of each other.

tschallacka avatar May 10 '21 06:05 tschallacka

This issue will be closed and archived in 3 days, as there has been no activity in the last 60 days. If this issue is still relevant or you would like to see it actioned, please respond and we will re-open this issue. If this issue is critical to your business, consider joining the Premium Support Program where a Service Level Agreement is offered.

github-actions[bot] avatar Jul 10 '21 00:07 github-actions[bot]

The Laravel community and its leader dislike the final keyword and what it does. Ref: https://twitter.com/taylorotwell/status/1237053249703854080?s=20

I'm not sure how this protection should be handled, or if it should be. My thought on that would be to keep this feature child-theme-like, allowing a theme to extend one and only one other theme, to keep it simple and to not allow a chain of dependencies to be created among Winter's themes. Done that way we don't need this protection, because a theme cannot access any other theme's files; we keep control of that.

@arvislacis in your use case do all the 20 websites "extend" the same theme? If not, could you give an example of why you needed to create two levels of extension?

RomainMazB avatar Jul 18 '21 06:07 RomainMazB


This issue will be closed and archived in 3 days, as there has been no activity in this issue for the last 6 months. If this issue is still relevant or you would like to see it actioned, please respond within 3 days. If this issue is critical for your business, please reach out to us at [email protected].

github-actions[bot] avatar Nov 22 '22 00:11 github-actions[bot]