feat(config): allow restriction and disabling of uploads

Previously, image uploads were always allowed, unless `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false`. This PR adds a new config option `CMD_ENABLE_UPLOADS` to configure image uploads independently. There are three different modes: `all` (everyone can upload, guests too), `registered` (only registered and logged-in users can upload images), and `none` to completely disable image uploads. The default value is non-breaking as it is `all`, unless the config `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false` is set, in which case the value is `registered`. The UI will reflect the setting and either show or hide the upload button. Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2025-11-14 01:20:00 +01:00
parent 78cac1526f
commit 6d970dbafd
9 changed files with 49 additions and 16 deletions
--- a/lib/web/imageRouter/index.js
+++ b/lib/web/imageRouter/index.js
@@ -57,13 +57,17 @@ async function checkUploadType (filePath) {

 // upload image
 imageRouter.post('/uploadimage', function (req, res) {
+  const uploadsEnabled = config.enableUploads
+  if (uploadsEnabled === 'none') {
+    logger.error('Image upload error: Uploads are disabled')
+    return errors.errorForbidden(res)
+  }
  if (
-    !req.isAuthenticated() &&
-    !config.allowAnonymous &&
-    !config.allowAnonymousEdits
+    uploadsEnabled === 'registered' &&
+    !req.isAuthenticated()
  ) {
    logger.error(
-      'Image upload error: Anonymous edits and therefore uploads are not allowed'
+      'Image upload error: Anonymous uploads are not allowed'
    )
    return errors.errorForbidden(res)
  }