FIX: avoid ProseMirror handling paste when unauthorized (#35640) (#35659)

branquinhoaa · renato · web-flow · commit f179d330551d · 2025-10-28T13:24:51.000-03:00
Backporting change merged in [this commit ](#35640 stable branch --------- Co-authored-by: Renato Atilio <renato@discourse.org>
diff --git a/app/assets/javascripts/discourse/app/static/prosemirror/components/prosemirror-editor.gjs b/app/assets/javascripts/discourse/app/static/prosemirror/components/prosemirror-editor.gjs
@@ -24,6 +24,7 @@ import * as ProsemirrorView from "prosemirror-view";
 import { EditorView } from "prosemirror-view";
 import { getExtensions } from "discourse/lib/composer/rich-editor-extensions";
 import { bind } from "discourse/lib/decorators";
+import { authorizesOneOrMoreExtensions } from "../../../lib/uploads";
 import { buildInputRules } from "../core/inputrules";
 import { buildKeymap } from "../core/keymap";
 import Parser from "../core/parser";
@@ -74,6 +75,7 @@ export default class ProsemirrorEditor extends Component {
   @service site;
   @service siteSettings;
   @service appEvents;
+  @service currentUser;
 
   schema = createSchema(this.extensions, this.args.includeDefault);
   view;
@@ -213,6 +215,28 @@ export default class ProsemirrorEditor extends Component {
           next(() => this.args.focusOut?.());
           return false;
         },
+        paste: (view, event) => {
+          // When !authorizesOneOrMoreExtensions, we don't ComposerUpload#setup,
+          // which is originally responsible for preventDefault.
+          if (
+            event.clipboardData.files &&
+            !authorizesOneOrMoreExtensions(
+              this.currentUser.staff,
+              this.siteSettings
+            )
+          ) {
+            event.preventDefault();
+          }
+        },
+        drop: (view, event) => {
+          if (
+            [...event.dataTransfer.items].some((item) => item.kind === "file")
+          ) {
+            // Skip processing the drop event (e.g. Safari cross-window content drag),
+            // Uppy's DropTarget should handle that instead.
+            return true;
+          }
+        },
       },
       handleKeyDown: (view, event) => {
         // suppress if Enter/Tab and the autocomplete is open
diff --git a/spec/system/composer/prosemirror_editor_spec.rb b/spec/system/composer/prosemirror_editor_spec.rb
@@ -795,6 +795,29 @@ def body(title)
       expect(composer).to have_value("![image|244x66](upload://hGLky57lMjXvqCWRhcsH31ShzmO.png)")
     end
 
+    it "avoids triggering upload when unauthorized" do
+      SiteSetting.authorized_extensions = ""
+
+      valid_png_data_uri =
+        "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8/5+hHgAHggJ/PchI7wAAAABJRU5ErkJggg=="
+
+      cdp.allow_clipboard
+
+      open_composer
+
+      html = <<~HTML
+          <img src="#{valid_png_data_uri}" alt="img1" width="100" height="100">
+        HTML
+
+      cdp.copy_paste(html, html: true)
+
+      expect(rich).to have_no_css("img")
+
+      composer.toggle_rich_editor
+
+      expect(composer).to have_value("")
+    end
+
     it "merges text with link marks created from parsing" do
       cdp.allow_clipboard
       open_composer
