(core) Serving widget info page from home url
Summary: The custom widget info page is served from the homeUrl instead of the untrusted URL, which might not be used in grist-core. Test Plan: manual test Reviewers: paulfitz Reviewed By: paulfitz Differential Revision: https://phab.getgrist.com/D3307
parent
d2b82b84c7
commit
351d70d4fb
@ -15,12 +15,13 @@ import {CustomViewSectionDef} from 'app/client/models/entities/ViewSectionRec';
|
|||||||
import {UserError} from 'app/client/models/errors';
|
import {UserError} from 'app/client/models/errors';
|
||||||
import {SortedRowSet} from 'app/client/models/rowset';
|
import {SortedRowSet} from 'app/client/models/rowset';
|
||||||
import {PluginInstance} from 'app/common/PluginInstance';
|
import {PluginInstance} from 'app/common/PluginInstance';
|
||||||
|
import {AccessLevel} from 'app/common/CustomWidget';
|
||||||
|
import {closeRegisteredMenu} from 'app/client/ui2018/menus';
|
||||||
|
import {getGristConfig} from 'app/common/urlUtils';
|
||||||
import {Events as BackboneEvents} from 'backbone';
|
import {Events as BackboneEvents} from 'backbone';
|
||||||
import {dom as grains} from 'grainjs';
|
import {dom as grains} from 'grainjs';
|
||||||
import * as ko from 'knockout';
|
import * as ko from 'knockout';
|
||||||
import defaults = require('lodash/defaults');
|
import defaults = require('lodash/defaults');
|
||||||
import {AccessLevel} from 'app/common/CustomWidget';
|
|
||||||
import {closeRegisteredMenu} from 'app/client/ui2018/menus';
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* CustomView components displays arbitrary html. There are two modes available, in the "url" mode
|
* CustomView components displays arbitrary html. There are two modes available, in the "url" mode
|
||||||
@ -76,7 +77,7 @@ export class CustomView extends Disposable {
|
|||||||
|
|
||||||
this._customDef = this.viewSection.customDef;
|
this._customDef = this.viewSection.customDef;
|
||||||
|
|
||||||
this._emptyWidgetPage = new URL("custom-widget.html", gristDoc.app.topAppModel.getUntrustedContentOrigin()).href;
|
this._emptyWidgetPage = new URL("custom-widget.html", getGristConfig().homeUrl!).href;
|
||||||
|
|
||||||
this.autoDisposeCallback(() => {
|
this.autoDisposeCallback(() => {
|
||||||
if (this._customSection) {
|
if (this._customSection) {
|
||||||
|
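Review bot: The non-null assertion in `new URL("custom-widget.html", getGristConfig().homeUrl!)` hides the case where the config carries no home URL, which the `!` suggests the type allows; the URL constructor would then throw inside the CustomView constructor. An explicit check with a clear error, or a fallback to the previous origin, would fail more legibly. The change also moves the placeholder page from the untrusted-content origin to the home origin, so the assignment deserves a comment such as `// custom-widget.html is a static page shipped with Grist; it must never render user-supplied content, because it is served from the home origin.` The constructor begins and ends outside the visible hunk, so how the iframe that loads this page is sandboxed cannot be confirmed from here.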
@ -450,6 +450,9 @@ export class FlexServer implements GristServer {
|
|||||||
// Plugins get access to static resources without a tag
|
// Plugins get access to static resources without a tag
|
||||||
this.app.use(limitToPlugins(express.static(getAppPathTo(this.appRoot, 'static'))));
|
this.app.use(limitToPlugins(express.static(getAppPathTo(this.appRoot, 'static'))));
|
||||||
this.app.use(limitToPlugins(express.static(getAppPathTo(this.appRoot, 'bower_components'))));
|
this.app.use(limitToPlugins(express.static(getAppPathTo(this.appRoot, 'bower_components'))));
|
||||||
|
// Serve custom-widget.html message for anyone.
|
||||||
|
this.app.use(/^\/(custom-widget.html)$/, expressWrap(async (req, res) =>
|
||||||
|
res.sendFile(req.params[0], {root: getAppPathTo(this.appRoot, 'static')})));
|
||||||
this.addOrg();
|
this.addOrg();
|
||||||
addPluginEndpoints(this, await this._addPluginManager());
|
addPluginEndpoints(this, await this._addPluginManager());
|
||||||
}
|
}
|
||||||
|
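Review bot: The route pattern `/^\/(custom-widget.html)$/` leaves the dot unescaped, so it matches any character in that position, and the captured text then becomes the file name passed to `res.sendFile`. The `root` option keeps the lookup inside the static directory, but matching the literal path and sending a constant name is stricter: `this.app.get('/custom-widget.html', expressWrap(async (req, res) => res.sendFile('custom-widget.html', {root: getAppPathTo(this.appRoot, 'static')})));`. Registering with `get` instead of `use` also stops the handler from answering POST and other methods. Because this page is now reachable by anyone on the home origin, the comment above the route could say that the file must stay static and free of request-derived content. The enclosing method starts outside the hunk.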