sa6anw/hedgedoc-hedgeagent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(config): allow restriction and disabling of uploads

Browse Source 
Previously, image uploads were always allowed, unless `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false`.
This PR adds a new config option `CMD_ENABLE_UPLOADS` to configure image uploads independently. There are three different modes: `all` (everyone can upload, guests too), `registered` (only registered and logged-in users can upload images), and `none` to completely disable image uploads.
The default value is non-breaking as it is `all`, unless the config `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false` is set, in which case the value is `registered`.
The UI will reflect the setting and either show or hide the upload button.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This commit is contained in:
Erik Michelson
2025-11-14 01:20:00 +01:00
parent 78cac1526f
commit 6d970dbafd
9 changed files with 49 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/config/default.js
View File

@@ -32,6 +32,7 @@ module.exports = {
rateLimitNewNotes: 20,
cookiePolicy: 'lax',
protocolUseSSL: false,
// permissions
allowAnonymous: true,
allowAnonymousEdits: false,
allowFreeURL: false,
@@ -39,6 +40,10 @@ module.exports = {
disableNoteCreation: false,
forbiddenNoteIDs: ['robots.txt', 'favicon.ico', 'api', 'build', 'css', 'docs', 'fonts', 'js', 'uploads', 'vendor', 'views'],
defaultPermission: 'editable',
enableUploads: undefined, // 'all', 'registered', 'none' are valid options.
// This is undefined by default and set during runtime based on allowAnonymous and allowAnonymousEdits for backwards-compatibility unless explicitly set.
dbURL: '',
db: {},
// ssl path

1
lib/config/environment.js
View File

@@ -35,6 +35,7 @@ module.exports = {
allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL),
requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTHENTICATION),
disableNoteCreation: toBooleanConfig(process.env.CMD_DISABLE_NOTE_CREATION),
enableUploads: process.env.CMD_ENABLE_UPLOADS,
forbiddenNoteIDs: toArrayConfig(process.env.CMD_FORBIDDEN_NOTE_IDS),
defaultPermission: process.env.CMD_DEFAULT_PERMISSION,
dbURL: process.env.CMD_DB_URL,

11
lib/config/index.js
View File

@@ -79,6 +79,17 @@ if (!config.allowAnonymous && !config.allowAnonymousEdits) {
if (!(config.defaultPermission in config.permission)) {
config.defaultPermission = config.permission.editable
}
if (config.enableUploads === undefined) {
if (!config.allowAnonymousEdits && !config.allowAnonymous) {
config.enableUploads = 'registered'
} else {
config.enableUploads = 'all'
}
}
if (!['all', 'registered', 'none'].includes(config.enableUploads)) {
logger.error('Config option "enableUploads"/CMD_ENABLE_UPLOADS is not correctly set. Please use "all", "registered" or "none". Defaulting to "all"')
config.enableUploads = 'all'
}
// Use HTTPS protocol if the internal TLS server is enabled
if (config.useSSL === true) {