From 18db20e5112dc3b01c83838801f3da768a663d0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Sun, 26 Nov 2023 23:44:02 +0100
Subject: [PATCH] Added the option env option to configure that all new attachment files should be downloaded by default

---
 .docker/symfony.conf | 2 +-
 .env | 2 ++
 config/parameters.yaml | 1 +
 config/services.yaml | 1 +
 docs/configuration.md | 3 +++
 src/Form/AttachmentFormType.php | 39 ++++++++++++++++++++++++++++++---
 6 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/.docker/symfony.conf b/.docker/symfony.conf
index 92e1edb5..de87ceb4 100644
--- a/.docker/symfony.conf
+++ b/.docker/symfony.conf
@@ -28,7 +28,7 @@
 PassEnv APP_ENV APP_DEBUG APP_SECRET
 PassEnv TRUSTED_PROXIES TRUSTED_HOSTS LOCK_DSN
 PassEnv DATABASE_URL ENFORCE_CHANGE_COMMENTS_FOR
- PassEnv DEFAULT_LANG DEFAULT_TIMEZONE BASE_CURRENCY INSTANCE_NAME ALLOW_ATTACHMENT_DOWNLOADS USE_GRAVATAR MAX_ATTACHMENT_FILE_SIZE DEFAULT_URI CHECK_FOR_UPDATES
+ PassEnv DEFAULT_LANG DEFAULT_TIMEZONE BASE_CURRENCY INSTANCE_NAME ALLOW_ATTACHMENT_DOWNLOADS USE_GRAVATAR MAX_ATTACHMENT_FILE_SIZE DEFAULT_URI CHECK_FOR_UPDATES ATTACHMENT_DOWNLOAD_BY_DEFAULT
 PassEnv MAILER_DSN ALLOW_EMAIL_PW_RESET EMAIL_SENDER_EMAIL EMAIL_SENDER_NAME
 PassEnv HISTORY_SAVE_CHANGED_FIELDS HISTORY_SAVE_CHANGED_DATA HISTORY_SAVE_REMOVED_DATA HISTORY_SAVE_NEW_DATA
 PassEnv ERROR_PAGE_ADMIN_EMAIL ERROR_PAGE_SHOW_HELP
diff --git a/.env b/.env
index 115f5c5b..c1a3d63c 100644
--- a/.env
+++ b/.env
@@ -29,6 +29,8 @@ INSTANCE_NAME="Part-DB"
 # Allow users to download attachments to the server by providing an URL
 # This could be a potential security issue, as the user can retrieve any file the server has access to (via internet)
 ALLOW_ATTACHMENT_DOWNLOADS=0
+# Set this to 1, if the "download external files" checkbox should be checked by default for new attachments
+ATTACHMENT_DOWNLOAD_BY_DEFAULT=0
 # Use gravatars for user avatars, when user has no own avatar defined
 USE_GRAVATAR=0
 # The maximum allowed size for attachment files in bytes (you can use M for megabytes and G for gigabytes)
diff --git a/config/parameters.yaml b/config/parameters.yaml
index 9839bcf5..8c2bad17 100644
--- a/config/parameters.yaml
+++ b/config/parameters.yaml
@@ -35,6 +35,7 @@ parameters:
 # Attachments and files
 ######################################################################################################################
 partdb.attachments.allow_downloads: '%env(bool:ALLOW_ATTACHMENT_DOWNLOADS)%' # Allow users to download attachments to server. Warning: This can be dangerous, because via that feature attackers maybe can access ressources on your intranet!
+ partdb.attachments.download_by_default: '%env(bool:ATTACHMENT_DOWNLOAD_BY_DEFAULT)%' # If this is set the 'download external files' checkbox is set by default for new attachments (only if allow_downloads is set to true)
 partdb.attachments.dir.media: 'public/media/' # The folder where uploaded attachment files are saved (must be in public folder)
 partdb.attachments.dir.secure: 'uploads/' # The folder where secured attachment files are saved (must not be in public/)
 partdb.attachments.max_file_size: '%env(string:MAX_ATTACHMENT_FILE_SIZE)%' # The maximum size of an attachment file (in bytes, you can use M for megabytes and G for gigabytes)
diff --git a/config/services.yaml b/config/services.yaml
index 5b8dd51f..7f442fb3 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -93,6 +93,7 @@ services:
 arguments:
 $allow_attachments_download: '%partdb.attachments.allow_downloads%'
 $max_file_size: '%partdb.attachments.max_file_size%'
+ $download_by_default: '%partdb.attachments.download_by_default%'
 
 App\Services\Attachments\AttachmentSubmitHandler:
 arguments:
diff --git a/docs/configuration.md b/docs/configuration.md
index 3acb6a2d..7a5daa53 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -53,6 +53,9 @@ options listed, see `.env` file for full list of possible env variables.
 download a file specified as a URL and create it as local file. Please note that this allows users access to all resources publicly available to the server (so full access to other servers in the same local network), which could be a security risk.
+* `ATTACHMENT_DOWNLOAD_BY_DEFAULT`: When this is set to 1, the "download external file" checkbox is checked by default
+ when adding a new attachment. Otherwise, it is unchecked by default. Use this if you wanna download all attachments
+ locally by default. Attachment download is only possible, when `ALLOW_ATTACHMENT_DOWNLOADS` is set to 1.
 * `USE_GRAVATAR`: Set to `1` to use [gravatar.com](https://gravatar.com/) images for user avatars (as long as they have not set their own picture). The users browsers have to download the pictures from a third-party (gravatar) server, so this might be a privacy risk.
diff --git a/src/Form/AttachmentFormType.php b/src/Form/AttachmentFormType.php
index 71c0bedd..66ebb37c 100644
--- a/src/Form/AttachmentFormType.php
+++ b/src/Form/AttachmentFormType.php
@@ -48,8 +48,16 @@ use Symfony\Contracts\Translation\TranslatorInterface;
 
 class AttachmentFormType extends AbstractType
 {
- public function __construct(protected AttachmentManager $attachment_helper, protected UrlGeneratorInterface $urlGenerator, protected Security $security, protected AttachmentSubmitHandler $submitHandler, protected TranslatorInterface $translator, protected bool $allow_attachments_download, protected string $max_file_size)
- {
+ public function __construct(
+ protected AttachmentManager $attachment_helper,
+ protected UrlGeneratorInterface $urlGenerator,
+ protected Security $security,
+ protected AttachmentSubmitHandler $submitHandler,
+ protected TranslatorInterface $translator,
+ protected bool $allow_attachments_download,
+ protected bool $download_by_default,
+ protected string $max_file_size
+ ) {
 }
 
 public function buildForm(FormBuilderInterface $builder, array $options): void
@@ -85,7 +93,8 @@ class AttachmentFormType extends AbstractType
 'required' => false,
 'attr' => [
 'data-controller' => 'elements--attachment-autocomplete',
- 'data-autocomplete' => $this->urlGenerator->generate('typeahead_builtInRessources', ['query' => '__QUERY__']),
+ 'data-autocomplete' => $this->urlGenerator->generate('typeahead_builtInRessources',
+ ['query' => '__QUERY__']),
 //Disable browser autocomplete
 'autocomplete' => 'off',
 ],
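Review bot: `$download_by_default` is inserted before `$max_file_size` instead of being appended, so any positional construction of AttachmentFormType (a test, for instance) now passes the size string into the new bool slot and the bool into `$max_file_size`; the services.yaml wiring in this patch is by argument name and is unaffected, but appending the parameter last would keep positional callers working. The flag has no effect on its own, it is only consulted together with `$allow_attachments_download` further down in buildForm, and nothing at the constructor says so. A docblock line such as `@param bool $download_by_default Pre-check the "download external file" box for new attachments; only effective while $allow_attachments_download is true` would make that dependency visible where the value is injected.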
@@ -159,6 +168,30 @@ class AttachmentFormType extends AbstractType
 }
 }
 );
+
+ //If the attachment should be downloaded by default (and is download allowed at all), register a listener,
+ // which sets the downloadURL checkbox to true for new attachments
+ if ($this->download_by_default && $this->allow_attachments_download) {
+ $builder->addEventListener(FormEvents::POST_SET_DATA, function (FormEvent $event): void {
+ $form = $event->getForm();
+ $attachment = $form->getData();
+
+ if (!$attachment instanceof Attachment && $attachment !== null) {
+ return;
+ }
+
+ //If the attachment was not created yet, set the downloadURL checkbox to true
+ if ($attachment === null || $attachment->getId() === null) {
+ $checkbox = $form->get('downloadURL');
+ //Ensure that the checkbox is not disabled
+ if ($checkbox->isDisabled()) {
+ return;
+ }
+ //Set the checkbox
+ $checkbox->setData(true);
+ }
+ });
+ }
 }
 
 public function configureOptions(OptionsResolver $resolver): void
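Review bot: `$form->get('downloadURL')` throws an OutOfBoundsException when no child of that name exists, and the field is added outside this hunk (buildForm begins above it), so the listener should guard with `if (!$form->has('downloadURL')) { return; }` before fetching the checkbox rather than depend on the field always being built. It is also worth stating in the leading comment that this is a UI default only: pre-checking the box does not authorise the server-side fetch, which must still be gated where the URL is actually downloaded, e.g. `// UI default only: the download itself must still be gated by allow_attachments_download on the server side`. The `isDisabled()` check is redundant with the surrounding `allow_attachments_download` condition unless the checkbox can be disabled for another reason, so naming that reason in the comment above it would help the next reader.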