feat(config): allow restriction and disabling of uploads

Previously, image uploads were always allowed, unless `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false`.
This PR adds a new config option `CMD_ENABLE_UPLOADS` to configure image uploads independently. There are three different modes: `all` (everyone can upload, guests too), `registered` (only registered and logged-in users can upload images), and `none` to completely disable image uploads.
The default value is non-breaking as it is `all`, unless the config `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false` is set, in which case the value is `registered`.
The UI will reflect the setting and either show or hide the upload button.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>

lib/config/default.js

@@ -32,6 +32,7 @@ module.exports = {
   rateLimitNewNotes: 20,
   cookiePolicy: 'lax',
   protocolUseSSL: false,
+  // permissions
   allowAnonymous: true,
   allowAnonymousEdits: false,
   allowFreeURL: false,
@@ -39,6 +40,10 @@ module.exports = {
   disableNoteCreation: false,
   forbiddenNoteIDs: ['robots.txt', 'favicon.ico', 'api', 'build', 'css', 'docs', 'fonts', 'js', 'uploads', 'vendor', 'views'],
   defaultPermission: 'editable',
+
+  enableUploads: undefined, // 'all', 'registered', 'none' are valid options.
+  // This is undefined by default and set during runtime based on allowAnonymous and allowAnonymousEdits for backwards-compatibility unless explicitly set.
+
   dbURL: '',
   db: {},
   // ssl path

lib/config/environment.js

@@ -35,6 +35,7 @@ module.exports = {
   allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL),
   requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTHENTICATION),
   disableNoteCreation: toBooleanConfig(process.env.CMD_DISABLE_NOTE_CREATION),
+  enableUploads: process.env.CMD_ENABLE_UPLOADS,
   forbiddenNoteIDs: toArrayConfig(process.env.CMD_FORBIDDEN_NOTE_IDS),
   defaultPermission: process.env.CMD_DEFAULT_PERMISSION,
   dbURL: process.env.CMD_DB_URL,

lib/config/index.js

@@ -79,6 +79,17 @@ if (!config.allowAnonymous && !config.allowAnonymousEdits) {
 if (!(config.defaultPermission in config.permission)) {
   config.defaultPermission = config.permission.editable
 }
+if (config.enableUploads === undefined) {
+  if (!config.allowAnonymousEdits && !config.allowAnonymous) {
+    config.enableUploads = 'registered'
+  } else {
+    config.enableUploads = 'all'
+  }
+}
+if (!['all', 'registered', 'none'].includes(config.enableUploads)) {
+  logger.error('Config option "enableUploads"/CMD_ENABLE_UPLOADS is not correctly set. Please use "all", "registered" or "none". Defaulting to "all"')
+  config.enableUploads = 'all'
+}
 
 // Use HTTPS protocol if the internal TLS server is enabled
 if (config.useSSL === true) {

lib/web/imageRouter/index.js

@@ -57,13 +57,17 @@ async function checkUploadType (filePath) {
 
 // upload image
 imageRouter.post('/uploadimage', function (req, res) {
+  const uploadsEnabled = config.enableUploads
+  if (uploadsEnabled === 'none') {
+    logger.error('Image upload error: Uploads are disabled')
+    return errors.errorForbidden(res)
+  }
   if (
-    !req.isAuthenticated() &&
-    !config.allowAnonymous &&
-    !config.allowAnonymousEdits
+    uploadsEnabled === 'registered' &&
+    !req.isAuthenticated()
   ) {
     logger.error(
-      'Image upload error: Anonymous edits and therefore uploads are not allowed'
+      'Image upload error: Anonymous uploads are not allowed'
     )
     return errors.errorForbidden(res)
   }

lib/web/statusRouter.js

@@ -111,7 +111,8 @@ statusRouter.get('/config', function (req, res) {
     DROPBOX_APP_KEY: config.dropbox.appKey,
     allowedUploadMimeTypes: config.allowedUploadMimeTypes,
     linkifyHeaderStyle: config.linkifyHeaderStyle,
-    cookiePolicy: config.cookiePolicy
+    cookiePolicy: config.cookiePolicy,
+    enableUploads: config.enableUploads
   }
   res.set({
     'Cache-Control': 'private', // only cache by client