From b372953671290608e31d093a6516fae4c4f71103 Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface" <joshua@boniface.me>
Date: Sun, 2 Jul 2023 02:06:24 -0400
Subject: [PATCH] Backport pull request #4654 from jellyfin/release-10.8.z

Add confirmation for 3rd party repos

Original-merge: 331fa87216904dcc853a1112ee6c774d89765ed2

Merged-by: Bill Thornton <thornbill@users.noreply.github.com>

Backported-by: Bill Thornton <thornbill@users.noreply.github.com>
---
 .../dashboard/plugins/add/index.html          |  4 +-
 .../dashboard/plugins/add/index.js            | 16 +++++++-
 .../dashboard/plugins/repositories/index.js   | 37 +++++++++++++++----
 src/strings/en-us.json                        |  9 ++++-
 4 files changed, 54 insertions(+), 12 deletions(-)

diff --git a/src/controllers/dashboard/plugins/add/index.html b/src/controllers/dashboard/plugins/add/index.html
index 7f83304609..2be40c6206 100644
--- a/src/controllers/dashboard/plugins/add/index.html
+++ b/src/controllers/dashboard/plugins/add/index.html
@@ -34,7 +34,9 @@
             <div class="readOnlyContent">
                 <div is="emby-collapse" title="${HeaderDeveloperInfo}">
                     <div class="collapseContent">
-                        <p id="developer"></p>
+                        <p>${LabelDeveloper}: <span id="developer"></span></p>
+                        <p>${LabelRepositoryName}: <span id="repositoryName"></span></p>
+                        <p>${LabelRepositoryUrl}: <span id="repositoryUrl"></span></p>
                     </div>
                 </div>
 
diff --git a/src/controllers/dashboard/plugins/add/index.js b/src/controllers/dashboard/plugins/add/index.js
index 62ae70ab4f..ca19d3f4d9 100644
--- a/src/controllers/dashboard/plugins/add/index.js
+++ b/src/controllers/dashboard/plugins/add/index.js
@@ -64,6 +64,16 @@ function renderPackage(pkg, installedPlugins, page) {
 
     $('#description', page).text(pkg.description);
     $('#developer', page).text(pkg.owner);
+    // This is a hack; the repository name and URL should be part of the global values
+    // for the plugin, not each individual version. So we just use the top (latest)
+    // version to get this information. If it's missing (no versions), then say so.
+    if (pkg.versions.length) {
+        $('#repositoryName', page).text(pkg.versions[0].repositoryName);
+        $('#repositoryUrl', page).text(pkg.versions[0].repositoryUrl);
+    } else {
+        $('#repositoryName', page).text(globalize.translate('Unknown'));
+        $('#repositoryUrl', page).text(globalize.translate('Unknown'));
+    }
 
     if (installedPlugin) {
         const currentVersionText = globalize.translate('MessageYouHaveVersionInstalled', '<strong>' + installedPlugin.Version + '</strong>');
@@ -80,7 +90,7 @@ function alertText(options) {
 }
 
 function performInstallation(page, name, guid, version) {
-    const developer = $('#developer', page).html().toLowerCase();
+    const repositoryUrl = $('#repositoryUrl', page).html().toLowerCase();
 
     const alertCallback = function () {
         loading.show();
@@ -93,7 +103,9 @@ function performInstallation(page, name, guid, version) {
         });
     };
 
-    if (developer !== 'jellyfin') {
+    // Check the repository URL for the official Jellyfin repository domain, or
+    // present the warning for 3rd party plugins.
+    if (!repositoryUrl.startsWith('https://repo.jellyfin.org/')) {
         loading.hide();
         let msg = globalize.translate('MessagePluginInstallDisclaimer');
         msg += '<br/>';
diff --git a/src/controllers/dashboard/plugins/repositories/index.js b/src/controllers/dashboard/plugins/repositories/index.js
index 14ceff290c..3c83b6e394 100644
--- a/src/controllers/dashboard/plugins/repositories/index.js
+++ b/src/controllers/dashboard/plugins/repositories/index.js
@@ -2,6 +2,7 @@ import loading from '../../../../components/loading/loading';
 import libraryMenu from '../../../../scripts/libraryMenu';
 import globalize from '../../../../scripts/globalize';
 import dialogHelper from '../../../../components/dialogHelper/dialogHelper';
+import confirm from '../../../../components/confirm/confirm';
 
 import '../../../../elements/emby-button/emby-button';
 import '../../../../elements/emby-checkbox/emby-checkbox';
@@ -166,14 +167,36 @@ export default function(view) {
         dialog.querySelector('.newPluginForm').addEventListener('submit', e => {
             e.preventDefault();
 
-            repositories.push({
-                Name: dialog.querySelector('#txtRepositoryName').value,
-                Url: dialog.querySelector('#txtRepositoryUrl').value,
-                Enabled: true
-            });
+            const repositoryUrl = dialog.querySelector('#txtRepositoryUrl').value.toLowerCase();
+
+            const alertCallback = function () {
+                repositories.push({
+                    Name: dialog.querySelector('#txtRepositoryName').value,
+                    Url: dialog.querySelector('#txtRepositoryUrl').value,
+                    Enabled: true
+                });
+                saveList(view);
+                dialogHelper.close(dialog);
+            };
+
+            // Check the repository URL for the official Jellyfin repository domain, or
+            // present the warning for 3rd party plugins.
+            if (!repositoryUrl.startsWith('https://repo.jellyfin.org/')) {
+                let msg = globalize.translate('MessageRepositoryInstallDisclaimer');
+                msg += '<br/>';
+                msg += '<br/>';
+                msg += globalize.translate('PleaseConfirmRepositoryInstallation');
+
+                confirm(msg, globalize.translate('HeaderConfirmRepositoryInstallation')).then(function () {
+                    alertCallback();
+                }).catch(() => {
+                    console.debug('repository not installed');
+                    dialogHelper.close(dialog);
+                });
+            } else {
+                alertCallback();
+            }
 
-            saveList(view);
-            dialogHelper.close(dialog);
             return false;
         });
 
diff --git a/src/strings/en-us.json b/src/strings/en-us.json
index 424c3e79f9..4bb461d211 100644
--- a/src/strings/en-us.json
+++ b/src/strings/en-us.json
@@ -337,6 +337,7 @@
     "HeaderCodecProfileHelp": "Codec profiles indicate the limitations of a device when playing specific codecs. If a limitation applies then the media will be transcoded, even if the codec is configured for direct playback.",
     "HeaderConfigureRemoteAccess": "Set up Remote Access",
     "HeaderConfirmPluginInstallation": "Confirm Plugin Installation",
+    "HeaderConfirmRepositoryInstallation": "Confirm Plugin Repository Installation",
     "HeaderConfirmProfileDeletion": "Confirm Profile Deletion",
     "HeaderConfirmRevokeApiKey": "Revoke API Key",
     "HeaderConnectionFailure": "Connection Failure",
@@ -612,6 +613,7 @@
     "LabelDefaultUser": "Default user",
     "LabelDefaultUserHelp": "Determine which user library should be displayed on connected devices. This can be overridden for each device using profiles.",
     "LabelDeinterlaceMethod": "Deinterlacing method",
+    "LabelDeveloper": "Developer",
     "LabelDeviceDescription": "Device description",
     "LabelDidlMode": "DIDL mode",
     "LabelDisableCustomCss": "Disable custom CSS code for theming/branding provided from the server.",
@@ -1099,11 +1101,12 @@
     "MessagePleaseEnsureInternetMetadata": "Please ensure downloading of internet metadata is enabled.",
     "MessagePleaseWait": "Please wait. This may take a minute.",
     "MessagePluginConfigurationRequiresLocalAccess": "To set up this plugin please sign in to your local server directly.",
-    "MessagePluginInstallDisclaimer": "Plugins built by community members are a great way to enhance your experience with additional features and benefits. Before installing, please be aware of the effects they may have on your server, such as longer library scans, additional background processing, and decreased system stability.",
+    "MessagePluginInstallDisclaimer": "WARNING: Installing a third party plugin carries risks. It may contain unstable or malicious code, and may change at any time. Only install plugins from authors that you trust, and please be aware of the potential effects it may have, including external service queries, longer library scans, or additional background processing.",
     "MessagePluginInstalled": "The plugin has been successfully installed. The server will need to be restarted for changes to take effect.",
     "MessagePluginInstallError": "An error occurred while installing the plugin.",
     "MessageReenableUser": "See below to reenable",
     "MessageRenameMediaFolder": "Renaming a media library will cause all metadata to be lost, proceed with caution.",
+    "MessageRepositoryInstallDisclaimer": "WARNING: Installing a third party plugin repository carries risks. It may contain unstable or malicious code, and may change at any time. Only install repositories from authors that you trust.",
     "MessageSent": "Message sent.",
     "MessageSyncPlayCreateGroupDenied": "Permission required to create a group.",
     "MessageSyncPlayDisabled": "SyncPlay disabled.",
@@ -1318,6 +1321,7 @@
     "PlayNextEpisodeAutomatically": "Play next episode automatically",
     "PleaseAddAtLeastOneFolder": "Please add at least one folder to this library by clicking the '+' button in 'Folders' section.",
     "PleaseConfirmPluginInstallation": "Please click OK to confirm you've read the above and wish to proceed with the plugin installation.",
+    "PleaseConfirmRepositoryInstallation": "Please click OK to confirm you've read the above and wish to proceed with the plugin repository installation.",
     "PleaseEnterNameOrId": "Please enter a name or an external ID.",
     "PleaseRestartServerName": "Please restart Jellyfin on {0}.",
     "PleaseSelectTwoItems": "Please select at least two items.",
@@ -1710,5 +1714,6 @@
     "MediaInfoDvBlSignalCompatibilityId": "DV bl signal compatibility id",
     "Unreleased": "Not yet released",
     "LabelTonemappingMode": "Tone mapping mode",
-    "TonemappingModeHelp": "Select the tone mapping mode. If you experience blown out highlights try switching to the RGB mode."
+    "TonemappingModeHelp": "Select the tone mapping mode. If you experience blown out highlights try switching to the RGB mode.",
+    "Unknown": "Unknown"
 }