diff --git a/apps/dashboard/config/application.rb b/apps/dashboard/config/application.rb
index a85f4d70d..ae2079cac 100644
--- a/apps/dashboard/config/application.rb
+++ b/apps/dashboard/config/application.rb
@@ -52,6 +52,8 @@ class Application < Rails::Application
 if plugins_dir.directory?
 plugins_dir.children.select(&:directory?).each do |installed_plugin|
 next unless installed_plugin.readable?
+ # Ignore plugins not installed by admins - plugin directory should be owned by root
+ next if ::Configuration.rails_env_production? && !File.stat(installed_plugin.to_s).uid.zero?
 config.paths["config/initializers"] << installed_plugin.join("initializers").to_s
 config.autoload_paths << installed_plugin.join("lib").to_s
diff --git a/apps/dashboard/config/configuration_singleton.rb b/apps/dashboard/config/configuration_singleton.rb
index f21656c71..23f27a404 100644
--- a/apps/dashboard/config/configuration_singleton.rb
+++ b/apps/dashboard/config/configuration_singleton.rb
@@ -428,6 +428,10 @@ def connect_sources
 sources
 end
+ def rails_env_production?
+ rails_env == 'production'
+ end
+
 private
 def can_access_core_app?(name)
diff --git a/apps/dashboard/test/config/configuration_singleton_test.rb b/apps/dashboard/test/config/configuration_singleton_test.rb
index 6ec5f3d4e..7ef68fe8f 100644
--- a/apps/dashboard/test/config/configuration_singleton_test.rb
+++ b/apps/dashboard/test/config/configuration_singleton_test.rb
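Review bot: The ownership check on the added `next if` line inspects only the uid of the plugin directory itself, so a root-owned directory whose `initializers/` or `lib/` contents are owned or writable by another account, or a directory that is itself group/world-writable, is still loaded in production; the "installed by admins" intent is only partly enforced. Consider checking the mode bits too, e.g. `st = installed_plugin.stat` followed by `next if ::Configuration.rails_env_production? && (!st.uid.zero? || !(st.mode & 0o022).zero?)`, and applying the same check to the two paths that are actually appended to `config.paths` and `config.autoload_paths`. The skip is also silent; a `warn "Ignoring plugin #{installed_plugin}: directory is not owned by root"` would let an administrator see why a plugin did not load (Rails.logger is probably not usable this early in application.rb — confirm). `Pathname#stat` makes the `File.stat(installed_plugin.to_s)` round-trip through a string unnecessary. The enclosing `if`/`each` block starts and ends outside the hunk.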
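Review bot: `rails_env_production?` is a public predicate that config/application.rb now uses to decide whether the plugin-ownership check is enforced at all, yet it carries no documentation of that role or of where `rails_env` gets its value (that method is outside the hunk). A YARD comment such as `# @return [Boolean] whether the configured Rails environment (see #rails_env) is 'production'; production-only safety checks in config/application.rb key off this` would make the dependency visible to the next maintainer. Since `rails_env` is presumably resolved from the process environment, the comment should also say that the predicate reflects configuration rather than an independently verified fact, so nobody relies on it as a guard in its own right.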
@@ -535,4 +535,20 @@ def no_config_env
 assert_equal(30_000, ConfigurationSingleton.new.bc_sessions_poll_delay)
 end
 end
+
+ test "rails_env_production? should return true if production environment" do
+ with_modified_env(RAILS_ENV: 'production') do
+ assert ConfigurationSingleton.new.rails_env_production?
+ end
+ end
+
+ test "rails_env_production? should return false if development or test environment" do
+ with_modified_env(RAILS_ENV: 'development') do
+ refute ConfigurationSingleton.new.rails_env_production?
+ end
+
+ with_modified_env(RAILS_ENV: 'test') do
+ refute ConfigurationSingleton.new.rails_env_production?
+ end
+ end
 end
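Review bot: The two new tests pin `rails_env_production?` only for the three values RAILS_ENV is explicitly set to; there is no case for RAILS_ENV being unset, which is the path where the result depends on whatever `rails_env` defaults to (that method and `with_modified_env` are outside the hunk, so I cannot confirm the default). If the helper supports unsetting, `with_modified_env(RAILS_ENV: nil) { refute ConfigurationSingleton.new.rails_env_production? }` would cover it. The behaviour this predicate was introduced for — skipping plugin directories not owned by root in config/application.rb — is not exercised anywhere in the commit; a test that points the plugin directory at a tmpdir with a non-root-owned subdirectory would be the natural place, though it may belong in a separate application-config test rather than here.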