Make CMS object code editor read-only in safe mode (#4769)

Adds a dismissable message to the CMS object code editor indicating that the PHP code section of a CMS object cannot be edited when `cms.enableSafeMode` is `true` (or when debugging is disabled if `null`). Credit to @mjauvin.
2019-12-09 08:05:50 -05:00 · 2019-12-09 08:05:50 -05:00 · 864816f7f2
parent 1384a8fc73
commit 864816f7f2
8 changed files with 52 additions and 7 deletions
--- a/modules/cms/classes/CmsCompoundObject.php
+++ b/modules/cms/classes/CmsCompoundObject.php
@ -7,6 +7,7 @@ use Config;
 use Cms\Twig\Loader as TwigLoader;
 use Cms\Twig\Extension as CmsTwigExtension;
 use Cms\Components\ViewBag;
+use Cms\Helpers\Cms as CmsHelpers;
 use System\Twig\Extension as SystemTwigExtension;
 use October\Rain\Halcyon\Processors\SectionParser;
 use Twig\Source as TwigSource;
@ -143,12 +144,7 @@ class CmsCompoundObject extends CmsObject
     */
    protected function checkSafeMode()
    {
-        $safeMode = Config::get('cms.enableSafeMode', null);
-        if ($safeMode === null) {
-            $safeMode = !Config::get('app.debug', false);
-        }
-
-        if ($safeMode && $this->isDirty('code') && strlen(trim($this->code))) {
+        if (CmsHelpers::safeModeEnabled() && $this->isDirty('code') && strlen(trim($this->code))) {
            throw new ApplicationException(Lang::get('cms::lang.cms_object.safe_mode_enabled'));
        }
    }
--- a/modules/cms/classes/layout/fields.yaml
+++ b/modules/cms/classes/layout/fields.yaml
@ -32,6 +32,12 @@ secondaryTabs:
            type: codeeditor
            language: twig

+        safemode_notice:
+            tab: cms::lang.editor.code
+            type: partial
+            hidden: true
+            cssClass: p-b-0
+
        code:
            tab: cms::lang.editor.code
            stretch: true
--- a/modules/cms/classes/page/fields.yaml
+++ b/modules/cms/classes/page/fields.yaml
@ -74,6 +74,12 @@ secondaryTabs:
            type: codeeditor
            language: twig

+        safemode_notice:
+            tab: cms::lang.editor.code
+            type: partial
+            hidden: true
+            cssClass: p-b-0
+
        code:
            tab: cms::lang.editor.code
            stretch: true
--- a/modules/cms/classes/partial/fields.yaml
+++ b/modules/cms/classes/partial/fields.yaml
@ -32,6 +32,12 @@ secondaryTabs:
            type: codeeditor
            language: twig

+        safemode_notice:
+            tab: cms::lang.editor.code
+            type: partial
+            hidden: true
+            cssClass: p-b-0
+
        code:
            tab: cms::lang.editor.code
            stretch: true
--- a/modules/cms/controllers/Index.php
+++ b/modules/cms/controllers/Index.php
@ -4,6 +4,7 @@ use Url;
 use Lang;
 use Flash;
 use Config;
+use Event;
 use Request;
 use Exception;
 use BackendMenu;
@ -20,6 +21,7 @@ use Cms\Classes\CmsObject;
 use Cms\Classes\CmsCompoundObject;
 use Cms\Classes\ComponentManager;
 use Cms\Classes\ComponentPartial;
+use Cms\Helpers\Cms as CmsHelpers;
 use Backend\Classes\Controller;
 use System\Helpers\DateTime;
 use October\Rain\Router\Router as RainRouter;
@ -59,6 +61,19 @@ class Index extends Controller
    {
        parent::__construct();

+        Event::listen('backend.form.extendFieldsBefore', function ($widget) {
+            if (!$widget->getController() instanceof Index) {
+                return;
+            }
+            if (!$widget->model instanceof CmsCompoundObject) {
+                return;
+            }
+            if (key_exists('code', $widget->secondaryTabs['fields']) && CmsHelpers::safeModeEnabled()) {
+                $widget->secondaryTabs['fields']['safemode_notice']['hidden'] = false;
+                $widget->secondaryTabs['fields']['code']['readOnly'] = true;
+            };
+        });
+
        BackendMenu::setContext('October.Cms', 'cms', true);

        try {
--- a/modules/cms/controllers/index/_safemode_notice.htm
+++ b/modules/cms/controllers/index/_safemode_notice.htm
@ -0,0 +1,6 @@
+<div class="callout callout-warning no-subheader">
+    <div class="header" style="border-radius: 0">
+        <i class="icon-warning"></i>
+        <h3><?= e(trans('cms::lang.cms_object.safe_mode_enabled')) ?></h3>
+    </div>
+</div>
--- a/modules/cms/helpers/Cms.php
+++ b/modules/cms/helpers/Cms.php
@ -2,6 +2,7 @@

 use Url;
 use Route;
+use Config;

 /**
 * CMS Helper
@ -35,4 +36,13 @@ class Cms

        return Url::to($path);
    }
+
+    public static function safeModeEnabled()
+    {
+        $safeMode = Config::get('cms.enableSafeMode', null);
+        if ($safeMode === null) {
+            $safeMode = !Config::get('app.debug', false);
+        }
+        return $safeMode;
+    }
 }
--- a/modules/cms/lang/en/lang.php
+++ b/modules/cms/lang/en/lang.php
@ -11,7 +11,7 @@ return [
        'error_deleting' => "Error deleting the template file ':name'. Please check write permissions.",
        'delete_success' => 'Templates deleted: :count.',
        'file_name_required' => 'The File Name field is required.',
-        'safe_mode_enabled' => 'Safe mode is currently enabled.'
+        'safe_mode_enabled' => 'Safe mode is currently enabled. Editing the PHP code of CMS templates is disabled.'
    ],
    'dashboard' => [
        'active_theme' => [