Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
RFC: allow 'name' in theme manifest.json
I may well have missed this when the themes stuff was being built, but could we consider name in manifest.json with a view to using it for the directory name when theme uploads land? Right now, according to docs, we have:
titleversiondescriptionauthorauthor_uritxp-type
All perfectly reasonable & sensible. I understand that the archive file name could be used to name the directory, but stating it in a name entry would be beneficial.
Posting here in case I’m missing something.
Offline
Re: RFC: allow 'name' in theme manifest.json
That’s a good idea, as long we unpack everything into a temporary location and read the manifest first and we’re reasonably confident that the name is not malicious (e.g. overwriting another plugin, even inadvertently because the manifest was copied from an old plugin and the author forgot to update it).
Can we make any checks before we assume the name is valid?
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: RFC: allow 'name' in theme manifest.json
Bloke wrote #340438:
(e.g. overwriting another plugin, even inadvertently because the manifest was copied from an old plugin and the author forgot to update it).
I was thinking themes, given they need a directory, but it could be extended to plugins, too.
Offline
Re: RFC: allow 'name' in theme manifest.json
Bloke wrote #340438:
Can we make any checks before we assume the name is valid?
Would a regex check work? Alphanumeric, hyphen, underscore etc.
Offline
Re: RFC: allow 'name' in theme manifest.json
Sorry, my head went straight to plugins, disregarding the word “theme” in the topic title, oops. But yes this applies to both because plugins need a directory too nowadays.
We can filter out nasties in the name to prevent directory traversal attempts. That’s comparatively easy. What’s more tricky is being confident that the name of the plugin or theme is actually the name.
If we’re gonna use the name as the basis of a directory, we don’t want abc_theme.zip containing name: smd_lemon in its manifest and blindly overwriting smd_lemon with the incoming files.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: RFC: allow 'name' in theme manifest.json
Bloke wrote #340441:
If we’re gonna use the name as the basis of a directory, we don’t want abc_theme.zip containing
name: smd_lemonin its manifest and blindly overwriting smd_lemon with the incoming files.
…unless it’s intentionally updating a previous version of an existing theme / plugin. Two considerations: have a confirmation dialog of what’s going to happen, and warn when existing directory exists with an explicit override button.
Offline
Re: RFC: allow 'name' in theme manifest.json
gaekwad wrote #340442:
…unless it’s intentionally updating a previous version of an existing theme / plugin.
Yes. Perhaps if the name matches “close enough” to the zip filename or the prefix names of the .php file (or functions/class names inside it?) that’s included in the archive, we could assume it’s an upgrade and just blitz the destination. Bonus marks for writing code to determine if two names are “near enough”!
Two considerations: have a confirmation dialog of what’s going to happen, and warn when existing directory exists with an explicit override button.
This plays into the hands of future enhancements for both plugin and theme management. At the moment, plugins have the Verify step which shows the contents and what is going to be installed. That’s your confirmation dialog, so to speak. And the install button is the okay to proceed.
So, first port of call is to do the same Verify process for the themes. That was planned but I’ve not got round to it.
Secondly, the additional assets and anything else bundled inside the theme / plugin could have checkboxes alongside to permit assets to be unticked and thus skipped.
Bonus marks here for showing the intended destination directory name and potentially allowing it to be altered, subject to not clashing with an existing directory other than one that is “close enough” (see above).
Last edited by Bloke (2025-09-04 20:41:20)
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: RFC: allow 'name' in theme manifest.json
Perfect – looks great. Should I open an issue so we can track it?
Offline
Re: RFC: allow 'name' in theme manifest.json
Sure, that sounds good. Keeps it on our radar.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: RFC: allow 'name' in theme manifest.json
Added to 1950 for tidiness.
Offline