[stable12] CSSResourceLocator: handle SCSS in apps outside root

[kyrofa]

Currently static CSS files work fine in apps outside of the root. However, as soon as an app uses SCSS, Nextcloud starts being unable to find the web root.

This PR fixes #5289 by backporting select snippets from master specifically targeting this issue (note that master does not have this issue), and adding a test to ensure it doesn't regress.

[codecov]

Codecov Report

Merging #7257 into stable12 will increase coverage by 0.06%.
The diff coverage is 71.05%.

@@              Coverage Diff               @@
##             stable12    #7257      +/-   ##
==============================================
+ Coverage       53.79%   53.86%   +0.06%     
- Complexity      22590    22594       +4     
==============================================
  Files            1384     1384              
  Lines           86666    86667       +1     
  Branches         1329     1329              
==============================================
+ Hits            46620    46681      +61     
+ Misses          40046    39986      -60

Impacted Files	Coverage Δ	Complexity Δ
lib/private/Template/ResourceLocator.php	77.41% <64%> (+10.75%)	25 <7> (+5)	⬆️
lib/private/Template/CSSResourceLocator.php	72.13% <84.61%> (+72.13%)	26 <0> (-1)	⬇️
core/js/js.js	61.83% <0%> (+0.55%)	0% <0%> (ø)	⬇️

[kyrofa]

(The failed test does not seem related.)

[MorrisJobke]

@rullzer @nickvergessen @LukasReschke @karlitschek Opinions on getting this into 12.0.4 and building an RC2?

[karlitschek]

I can't judge the importance and the risk. Your call @MorrisJobke :-)

[nickvergessen]

Well if we don't do this, apps should not be allowed to use SCSS at all, because the app dev can not know where their app is installed to.

And I think it looks easy enough, so if it works why not.

[skjnldsv]

@kyrofa We definitely should put an advertisement if the scss file is unreachable though. Because without alias for apache or root change for nginx, the webserver can't serve a file outside of its allowed declared roots. It could lead to confusion for the user.

[shtrom]

This PR fixed the issues in two apps with 12.0.0. Cheers! 👍

[MorrisJobke]

Failing test is unrelated

[nickvergessen]

Doesn't seem to work here:
I have my nextcloud in: nextcloud12r.local/server
Contacts app in: nextcloud12r.local/noapps/contacts

And the path to the css is generated as nextcloud12r.local/index.php/css/contacts/....

The problem is that findWebRoot returns null.

Or which paths were we trying to fix here?

[skjnldsv]

@nickvergessen path outside your default root :)
The css path you provided seems good to me since the scss are located within the data folder.

[kyrofa]

@kyrofa We definitely should put an advertisement if the scss file is unreachable though. Because without alias for apache or root change for nginx, the webserver can't serve a file outside of its allowed declared roots. It could lead to confusion for the user.

@skjnldsv I'm not quite clear on what you're saying here. The SCSS file isn't served up by Apache or Nginx, it's compiled and then cached into the data dir as CSS, then served by Nextcloud itself (which is why paths look like domain/index.php/css/...). Do you mean you'd like to see a warning here? That line is currently hit for CSS files (i.e. we check for SCSS first), so we'd need to rewrite this a bit more. Can you think of a way to do what you want without changing the logic here?

[skjnldsv]

@kyrofa, well, without alias this wont' work. Nginx have to serve the correct files. This is not only related to scss. :)

[kyrofa]

@skjnldsv unless I misunderstand something (always possible!), SCSS files should work fine without an alias, it's CSS files (and other static assets in the app) that won't. Here are a few URLs in the head using the Calendar app (which uses static CSS):

<link rel="icon" href="/extra-apps/calendar/img/favicon.ico">
<link rel="apple-touch-icon-precomposed" href="/extra-apps/calendar/img/favicon-touch.png">
<!-- ... -->
<link rel="stylesheet" href="/extra-apps/calendar/css/public/vendor.min.css?v=1135315055fd35753215151fd0fb3652-0">

All of those require an alias. However, take a look at a CSS URL for SCSS (using the Contacts app):

<link rel="stylesheet" href="/index.php/css/contacts/c5a4464a656e8aa73f8111e50f6b8d5b-style.css?v=1135315055fd35753215151fd0fb3652-0">

Note how compiled SCSS, being in the data dir, is not served as a static asset using the webserver, but as a dynamic one using PHP. This particular case, as far as I can see, does not involve the alias. That's not to say it's not important, of course, or all the other stuff would break 😛 .

[skjnldsv]

Okay, I mixed up two different issues. This one is only about the scss fetch from the scss lib. :)

Note how compiled SCSS, being in the data dir, is not served as a static asset using the webserver, but as a dynamic one using PHP.

@kyrofa I built the scss integration in nextcloud! ;)

[kyrofa]

@kyrofa I built the scss integration in nextcloud! ;)

No offense intended my friend! I simply wasn't sure what you were talking about, so I tried to be as explicit as possible 😃 .

[kyrofa]

To clarify, does this look okay, then?

[shtrom]

Though it works for me, I'm wondering whether it wouldn't make more sense to proxy any asset through the standard /app/BLAH URI, maybe doing something like nginx's try_files, looking for an asset file to serve and defaulting to routing to controllers.

This would avoid having to rewrite URLs or fiddle with the server's configuration.

[kyrofa]

That's well beyond what master does today. I suspect that's probably not suitable for a backport.

[rullzer]

Seems to do the trick for me

[tYYGH]

Thank you! This will improve my self-hosted Nextcloud a lot!

@shtrom Do not forget the case when Nginx does not have access to the files: try_files is useless in such situations.
In my case, Nginx is in the DMZ and has no access to any personal data. uwsgi is actually hosting Nextcloud, on the backend server (obviously with access to the data).

[shtrom]

On Mon 27 Nov 2017 at 10:53:01 +0000, tYYGH wrote: @shtrom Do not forget the case when Nginx does not have access to the files: `try_files` is useless in such situations.

Oh, yeah, I was just taking it as an example of behaviour, but it would need to be reimplemented in a server-agnostic way.

…

-- Olivier Mehani <shtrom@ssji.net> PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655 Confidentiality cannot be guaranteed on emails sent or received unencrypted.

[mfr-itr]

Do you have an ETA for the release or should I apply the patch manually?

[MorrisJobke]

Do you have an ETA for the release or should I apply the patch manually?

Thursday is the planned one.

[mfr-itr]

Nice!