@ -3,7 +3,10 @@ import { ActiveDoc } from 'app/server/lib/ActiveDoc';
import { DocManager } from 'app/server/lib/DocManager' ;
import { DocManager } from 'app/server/lib/DocManager' ;
import { ICreate } from 'app/server/lib/ICreate' ;
import { ICreate } from 'app/server/lib/ICreate' ;
import { LoginSession } from 'app/server/lib/LoginSession' ;
import { LoginSession } from 'app/server/lib/LoginSession' ;
import { NSandbox } from 'app/server/lib/NSandbox' ;
import { NSandboxCreator } from 'app/server/lib/NSandbox' ;
// Use raw python - update when pynbox or other solution is set up for core.
const sandboxCreator = new NSandboxCreator ( 'unsandboxed' ) ;
export const create : ICreate = {
export const create : ICreate = {
LoginSession() {
LoginSession() {
@ -33,30 +36,7 @@ export const create: ICreate = {
return new DocManager ( storageManager , pluginManager , homeDBManager , gristServer ) ;
return new DocManager ( storageManager , pluginManager , homeDBManager , gristServer ) ;
} ,
} ,
NSandbox ( options ) {
NSandbox ( options ) {
const args = [ options . entryPoint || 'grist/main.pyc' ] ;
return sandboxCreator . create ( options ) ;
if ( ! options . entryPoint && options . comment ) {
// Note that docName isn't used by main.py, but it makes it possible to tell in `ps` output
// which sandbox process is for which document.
args . push ( options . comment ) ;
}
const selLdrArgs : string [ ] = [ ] ;
if ( options . sandboxMount ) {
selLdrArgs . push (
// TODO: Only modules that we share with plugins should be mounted. They could be gathered in
// a "$APPROOT/sandbox/plugin" folder, only which get mounted.
'-E' , 'PYTHONPATH=grist:thirdparty' ,
'-m' , ` ${ options . sandboxMount } :/sandbox:ro ` ) ;
}
if ( options . importMount ) {
selLdrArgs . push ( '-m' , ` ${ options . importMount } :/importdir:ro ` ) ;
}
return new NSandbox ( {
args ,
logCalls : options.logCalls ,
logMeta : options.logMeta ,
logTimes : options.logTimes ,
selLdrArgs ,
} ) ;
} ,
} ,
sessionSecret() {
sessionSecret() {
return process . env . GRIST_SESSION_SECRET ||
return process . env . GRIST_SESSION_SECRET ||