Allow to configure if user is allowed to download URLs via env vars.

Jan Böhmer 2020-06-01 21:55:56 +02:00
parent 7de2137370
commit 8a12b3abfe
2 changed files with 10 additions and 2 deletions

4
.env

@ -31,6 +31,10 @@ DATABASE_URL=mysql://root:@127.0.0.1:3306/part-db?serverVersion=5.7
### Custom vars
# Allow users to download attachments to the server by providing an URL
# This could be a potential security issue, as the user can retrieve any file the server has access to (via internet)
ALLOW_ATTACHMENT_DOWNLOADS=0
FIXER_API_KEY=CHANGEME
# Change this to true, if no url rewriting (like mod_rewrite for Apache) is available
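Review bot: The comment above `ALLOW_ATTACHMENT_DOWNLOADS=0` understates the exposure: it speaks only of files reachable "via internet", while the warning on `partdb.attachments.allow_downloads` in the parameters file names intranet resources as the concern. Because the server performs the fetch itself, the reachable set is everything the server can connect to, which is the server-side request forgery case. I would reword the second comment line to `# Security risk (SSRF): the server fetches the URL itself, so a user can reach anything the server can, including hosts on your internal network`. Shipping the default as 0 is the right fail-closed choice.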


@ -29,7 +29,7 @@ parameters:
######################################################################################################################
# Attachments and files
######################################################################################################################
partdb.attachments.allow_downloads: false # Allow users to download attachments to server. Warning: This can be dangerous, because via that feature attackers maybe can access ressources on your intranet!
partdb.attachments.allow_downloads: '%env(bool:ALLOW_ATTACHMENT_DOWNLOADS)%' # Allow users to download attachments to server. Warning: This can be dangerous, because via that feature attackers maybe can access ressources on your intranet!
partdb.attachments.dir.media: 'public/media/' # The folder where uploaded attachment files are saved (must be in public folder)
partdb.attachments.dir.secure: 'uploads/' # The folder where secured attachment files are saved (must not be in public/)
@ -44,6 +44,10 @@ parameters:
######################################################################################################################
partdb.demo_mode: '%env(bool:DEMO_MODE)%' # If set to true, all potentially dangerous things are disabled (like changing passwords of the own user)
######################################################################################################################
# Env default values
######################################################################################################################
env(DEMO_MODE): 0
env(ALLOW_ATTACHMENT_DOWNLOADS): 0
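Review bot: `partdb.attachments.allow_downloads` is now driven by `ALLOW_ATTACHMENT_DOWNLOADS` independently of `DEMO_MODE`, and nothing visible here makes demo mode override it, although the `partdb.demo_mode` comment says all potentially dangerous things are disabled. The code that reads the parameter is outside this diff, so it is worth confirming that a demo instance deployed with the variable set to 1 still refuses server-side URL fetches. The switch is also all-or-nothing, so I would extend the inline comment with something like `# Enabling this does not restrict which hosts can be fetched; keep it off unless every user who can add attachments is trusted`. The `env(ALLOW_ATTACHMENT_DOWNLOADS): 0` default keeps the feature off when the variable is unset, which is the safe behaviour.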