[gnome-shell] extensionSystem: Add an explicit approval dialog

From: Jasper St. Pierre <jstpierre src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnome-shell] extensionSystem: Add an explicit approval dialog
Date: Tue, 13 Sep 2011 21:37:34 +0000 (UTC)
commit 7db92ad5d9e0e9114ed13041b14cdfbdc18e89ce
Author: Jasper St. Pierre <jstpierre mecheye net>
Date:   Mon Sep 12 14:17:09 2011 -0400

    extensionSystem: Add an explicit approval dialog
    
    Pop up a dialog when trying to install an extension so that users are aware
    they are installing one. This is a security precaution in the case that an XSS
    exploit has been found on the website, which could cause someone to inject a
    <script> tag and silently install an extension.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=658612

 js/ui/extensionSystem.js |   90 +++++++++++++++++++++++++++++++++++++++------
 1 files changed, 78 insertions(+), 12 deletions(-)
---
diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js
index cc2510f..52ab2ab 100644
--- a/js/ui/extensionSystem.js
+++ b/js/ui/extensionSystem.js
@@ -3,6 +3,7 @@
 const Lang = imports.lang;
 const Signals = imports.signals;
 
+const Clutter = imports.gi.Clutter;
 const GLib = imports.gi.GLib;
 const Gio = imports.gi.Gio;
 const St = imports.gi.St;
@@ -11,6 +12,7 @@ const Soup = imports.gi.Soup;
 
 const Config = imports.misc.config;
 const FileUtils = imports.misc.fileUtils;
+const ModalDialog = imports.ui.modalDialog;
 
 const API_VERSION = 1;
 
@@ -110,24 +112,18 @@ function versionCheck(required, current) {
 }
 
 function installExtensionFromUUID(uuid, version_tag) {
-    let meta = { uuid: uuid,
-                 state: ExtensionState.DOWNLOADING,
-                 error: '' };
-
-    extensionMeta[uuid] = meta;
-
-    _signals.emit('extension-state-changed', meta);
-
-    let params = { version_tag: version_tag,
+    let params = { uuid: uuid,
+                   version_tag: version_tag,
                    shell_version: Config.PACKAGE_VERSION,
                    api_version: API_VERSION.toString() };
 
-    let url = REPOSITORY_URL_DOWNLOAD.format(uuid);
-    let message = Soup.form_request_new_from_hash('GET', url, params);
+    let message = Soup.form_request_new_from_hash('GET', REPOSITORY_URL_INFO, params);
 
     _httpSession.queue_message(message,
                                function(session, message) {
-                                   gotExtensionZipFile(session, message, uuid);
+                                   let info = JSON.parse(message.response_body.data);
+                                   let dialog = new InstallExtensionDialog(uuid, version_tag, info.name);
+                                   dialog.open(global.get_current_time());
                                });
 }
 
@@ -463,3 +459,73 @@ function loadExtensions() {
             _loadExtensionsIn(dir, ExtensionType.SYSTEM);
     }
 }
+
+function InstallExtensionDialog(uuid, version_tag, name) {
+    this._init(uuid, version_tag, name);
+}
+
+InstallExtensionDialog.prototype = {
+    __proto__: ModalDialog.ModalDialog.prototype,
+
+    _init: function(uuid, version_tag, name) {
+        ModalDialog.ModalDialog.prototype._init.call(this, { styleClass: 'extension-dialog' });
+
+        this._uuid = uuid;
+        this._version_tag = version_tag;
+        this._name = name;
+
+        this.setButtons([{ label: _("Cancel"),
+                           action: Lang.bind(this, this._onCancelButtonPressed),
+                           key:    Clutter.Escape
+                         },
+                         { label:  _("Install"),
+                           action: Lang.bind(this, this._onInstallButtonPressed)
+                         }]);
+
+        let message = _("Download and install '%s' from extensions.gnome.org?").format(name);
+
+        this._descriptionLabel = new St.Label({ text: message });
+
+        this.contentLayout.add(this._descriptionLabel,
+                               { y_fill:  true,
+                                 y_align: St.Align.START });
+    },
+
+    _onCancelButtonPressed: function(button, event) {
+        this.close(global.get_current_time());
+
+        // Even though the extension is already "uninstalled", send through
+        // a state-changed signal for any users who want to know if the install
+        // went through correctly -- using proper async DBus would block more
+        // traditional clients like the plugin
+        let meta = { uuid: this._uuid,
+                     state: ExtensionState.UNINSTALLED,
+                     error: '' };
+
+        _signals.emit('extension-state-changed', meta);
+    },
+
+    _onInstallButtonPressed: function(button, event) {
+        let meta = { uuid: this._uuid,
+                     state: ExtensionState.DOWNLOADING,
+                     error: '' };
+
+        extensionMeta[this._uuid] = meta;
+
+        _signals.emit('extension-state-changed', meta);
+
+        let params = { version_tag: this._version_tag,
+                       shell_version: Config.PACKAGE_VERSION,
+                       api_version: API_VERSION.toString() };
+
+        let url = REPOSITORY_URL_DOWNLOAD.format(this._uuid);
+        let message = Soup.form_request_new_from_hash('GET', url, params);
+
+        _httpSession.queue_message(message,
+                                   Lang.bind(this, function(session, message) {
+                                       gotExtensionZipFile(session, message, this._uuid);
+                                   }));
+
+        this.close(global.get_current_time());
+    }
+};
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]