From 5042d5720a8310577eda41b17b671fc6ad5b4b1a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Sat, 19 Oct 2019 19:55:15 +0200
Subject: [PATCH] Disable attachment file downloads by default.

---
 config/services.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/services.yaml b/config/services.yaml
index f8ae3d54..4dc13d96 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -15,7 +15,8 @@ parameters:
 secure_media_directory: 'uploads/' # The folder where secured attachment files are saved (must not be in public/)
 db_version_fallback: '5.6' # Be sure to override this, in your .env with your real DB version
 global_theme: '' # The theme to use globally (see public/build/themes/ for choices). Set to '' for default bootstrap theme
- allow_attachments_downloads: true # Allow users to download attachments to server
+ # Allow users to download attachments to server. Warning: This can be dangerous, because via that feature attackers maybe can access ressources on your intranet!
+ allow_attachments_downloads: false

 services:
 # default configuration for services in *this* file
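Review bot: The warning comment added above `allow_attachments_downloads` describes the risk only loosely; what it means is server-side request forgery, because the server itself fetches a URL supplied by a user, and the comment should name that and say what enabling the option implies. I would word it as `# Let the server download attachments from user-supplied URLs. Warning: this allows server-side requests to internal hosts (SSRF); enable only if every user who may add attachments is trusted.`, which also removes the "ressources" typo. The parameter is only an on/off gate: the download code is outside this hunk, so whether it restricts URL schemes, redirects or private and loopback address ranges once the option is turned on cannot be judged from here and is worth checking separately. Installations that already override this parameter presumably keep their previous value, so the new default would deserve a line in the upgrade notes.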