Possibility to include partials outside of the theme

[alekseyp]

I'm currently running an older version that allows including files outside of the theme, but going over newer commits I see that it was patched as a security bug that stops you from going outside your theme to find files.

Usually I would have one theme that is common and than all my other themes would load partials from it
Which could include forms, content, or simple html elements that are exactly the same on ~20 websites.

Out of all partials, I only have one that has php in it via onStart().

To test it, you can create new empty theme and try to load a partial from a demo theme

{% partial '../../demo/partials/calcresult' %}

I have also tried using ~/themes/, etc

I do understand security concern, but would be good if there was a way to disable it for the whole project.

One of the "workaround" I had in mind is to create a relative symlink in each theme, but was curious if there a better way to do it.

[arvislacis]

If you are using almost the same elements for ~20 websites then maybe it's better to group them under your own plugin which could have it's own partials and components..., then maybe also the maintenance process could be easier for you, for example, you make changes in plugin file and then could deliver changes to all websites via plugin update. But that's just an idea...

[bennothommo]

@arvislacis is correct - the best form of re-usability is through plugins. We want to encourage safe theme editing and security so I feel it best that we don't have a way to disable the sandboxing of themes when there's readily available functionality better suited to your use case.

[LukeTowers]

@bennothommo I asked for this issue to be opened, there were some ideas for this that I wanted to try but Sam was never interested in.

[bennothommo]

@LukeTowers ah fair enough. What were the ideas?

[LukeTowers]

Mostly centred around using path resolving to ensures that the files existed in the themes directory, could also have it locked behind a config option like restrictBaseDir

[tschallacka]

How about an dependency model. When a theme lists other themes as a dependency, it can read from those theme dirs, but gains no access to other themes.

That way you keep sandboxing, whilst still hemming the possible scans of installed materials.

[mjauvin]

@tschallacka what difference does it make if the theme can list any theme as a dependency?

[tschallacka]

@mjauvin Nobody would download a theme that's dependent on all the other themes, I would hope.. And this way you can sandbox, whilst still giving some flexibility.

[bennothommo]

I'm happy with a theme being able to access its own files and any files that it is dependent on (similar to a child theme), and that's it. I wouldn't want a theme to access files in another theme that has no bearing on it, nor access any files outside of the themes directory.