The Globally Sandbox option in TwigEnvironment is always TRUE, and should be optional.

Change this:

    $policy = new TwigSandboxPolicy();
    $sandbox = new \Twig_Extension_Sandbox($policy, TRUE);
    $this->addExtension($sandbox);

To this:

    $policy = new TwigSandboxPolicy();
    $sandbox = new \Twig_Extension_Sandbox($policy, $options['global_sandbox']);
    $this->addExtension($sandbox);

Comments

mayeco created an issue. See original summary.

Cottser’s picture

Title: Glogally sandbox should in Twig Enviroment is not optional » Global sandbox policy should be optional in Twig Enviroment
Status: Active » Postponed (maintainer needs more info)

Thanks for the report. Why should we do this? It seems like global_sandbox would be a non-standard Twig option which would be really nice to avoid.

Note that you can override some things in your settings file, see https://www.drupal.org/node/2595803.

mayeco’s picture

Totally agree, this is not a Twig option, it is a Twig Extension option. What do you think of doing it like this:

    extensions:
      sandbox:
        global: true

Cottser’s picture

I would still like to know why you need/want this :) Do you have a use case or example of why you want to turn this off?

mayeco’s picture

Cottser, sure yes, the reason is this: https://www.drupal.org/node/2600378

Cottser’s picture

I would rather do #2595805: [Followup] Implement the Twig Sandbox Policy as a service collection instead; allowing the sandbox policy to be disabled altogether can be dangerous. That's why we did #2513266: Twig templates can call delete() on entities and other objects.

mayeco’s picture

I added the methods needed for webprofiler to work in twig_sandbox_whitelisted_prefixes and twig_sandbox_whitelisted_methods and now it is working. We can close this now, thank you: https://www.drupal.org/node/2600378#comment-10489768

mayeco’s picture

Status: Postponed (maintainer needs more info) » Closed (won't fix)
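
As an added illustration (not part of the thread and not Drupal core's code), this PHP sketch shows how a method allow-list of exact names and prefixes, like the twig_sandbox_whitelisted_methods and twig_sandbox_whitelisted_prefixes settings mentioned above, keeps delete() unreachable from templates while still permitting getters. The class names, the sample entity, its method names and the list values are assumptions constructed for the example.

```php
<?php
// Added illustration, not Drupal core code. All names and list values below
// are constructed for the example.

final class SketchSandboxPolicy
{
    private array $methods;
    private array $prefixes;

    /**
     * @param string[] $methods  Exact method names templates may call.
     * @param string[] $prefixes Method-name prefixes templates may call.
     */
    public function __construct(array $methods, array $prefixes)
    {
        // PHP method names are case-insensitive, so normalise before comparing.
        $this->methods  = array_map('strtolower', $methods);
        $this->prefixes = array_map('strtolower', $prefixes);
    }

    public function isMethodAllowed(string $method): bool
    {
        $method = strtolower($method);
        if (in_array($method, $this->methods, true)) {
            return true;
        }
        foreach ($this->prefixes as $prefix) {
            if (strncmp($method, $prefix, strlen($prefix)) === 0) {
                return true;
            }
        }
        return false; // Default deny: anything not listed is blocked.
    }
}

// Constructed sample settings using the keys named in the thread.
$settings = [
    'twig_sandbox_whitelisted_methods'  => ['id', 'label'],
    'twig_sandbox_whitelisted_prefixes' => ['get', 'has', 'is'],
];
$policy = new SketchSandboxPolicy(
    $settings['twig_sandbox_whitelisted_methods'],
    $settings['twig_sandbox_whitelisted_prefixes']
);

// Hypothetical method names a template might try to call on an object.
foreach (['label', 'getOwnerName', 'delete', 'DELETE', 'issueToken'] as $method) {
    printf("%-14s %s\n", $method, $policy->isMethodAllowed($method) ? 'allowed' : 'blocked');
}
```

A prefix entry matches every method name that starts with it, so the hypothetical issueToken passes through the "is" prefix; each prefix added to the list should be reviewed against the methods of every object a template can reach.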