Add:Server setting to allow iframe & update UI to differentiate web client settings #3684

2025-08-04 10:14:36 +02:00 · 2024-12-08 08:57:45 -06:00 · 2024-12-08 08:57:45 -06:00 · 57906540fe
commit 57906540fe
parent 726adbb3bf
6 changed files with 49 additions and 27 deletions
--- a/server/Server.js
+++ b/server/Server.js
@ -53,7 +53,6 @@ class Server {
    global.RouterBasePath = ROUTER_BASE_PATH
    global.XAccel = process.env.USE_X_ACCEL
    global.AllowCors = process.env.ALLOW_CORS === '1'
-    global.AllowIframe = process.env.ALLOW_IFRAME === '1'
    global.DisableSsrfRequestFilter = process.env.DISABLE_SSRF_REQUEST_FILTER === '1'

    if (!fs.pathExistsSync(global.ConfigPath)) {
@ -195,7 +194,7 @@ class Server {
    const app = express()

    app.use((req, res, next) => {
-      if (!global.AllowIframe) {
+      if (!global.ServerSettings.allowIframe) {
        // Prevent clickjacking by disallowing iframes
        res.setHeader('Content-Security-Policy', "frame-ancestors 'self'")
      }
--- a/server/controllers/MiscController.js
+++ b/server/controllers/MiscController.js
@ -126,6 +126,10 @@ class MiscController {
    if (!isObject(settingsUpdate)) {
      return res.status(400).send('Invalid settings update object')
    }
+    if (settingsUpdate.allowIframe == false && process.env.ALLOW_IFRAME === '1') {
+      Logger.warn('Cannot disable iframe when ALLOW_IFRAME is enabled in environment')
+      return res.status(400).send('Cannot disable iframe when ALLOW_IFRAME is enabled in environment')
+    }

    const madeUpdates = Database.serverSettings.update(settingsUpdate)
    if (madeUpdates) {
@ -137,7 +141,6 @@ class MiscController {
      }
    }
    return res.json({
-      success: true,
      serverSettings: Database.serverSettings.toJSONForBrowser()
    })
  }
--- a/server/objects/settings/ServerSettings.js
+++ b/server/objects/settings/ServerSettings.js
@ -24,6 +24,7 @@ class ServerSettings {
    // Security/Rate limits
    this.rateLimitLoginRequests = 10
    this.rateLimitLoginWindow = 10 * 60 * 1000 // 10 Minutes
+    this.allowIframe = false

    // Backups
    this.backupPath = Path.join(global.MetadataPath, 'backups')
@ -99,6 +100,7 @@ class ServerSettings {

    this.rateLimitLoginRequests = !isNaN(settings.rateLimitLoginRequests) ? Number(settings.rateLimitLoginRequests) : 10
    this.rateLimitLoginWindow = !isNaN(settings.rateLimitLoginWindow) ? Number(settings.rateLimitLoginWindow) : 10 * 60 * 1000 // 10 Minutes
+    this.allowIframe = !!settings.allowIframe

    this.backupPath = settings.backupPath || Path.join(global.MetadataPath, 'backups')
    this.backupSchedule = settings.backupSchedule || false
@ -190,6 +192,11 @@ class ServerSettings {
      Logger.info(`[ServerSettings] Using backup path from environment variable ${process.env.BACKUP_PATH}`)
      this.backupPath = process.env.BACKUP_PATH
    }
+
+    if (process.env.ALLOW_IFRAME === '1' && !this.allowIframe) {
+      Logger.info(`[ServerSettings] Using allowIframe from environment variable`)
+      this.allowIframe = true
+    }
  }

  toJSON() {
@ -207,6 +214,7 @@ class ServerSettings {
      metadataFileFormat: this.metadataFileFormat,
      rateLimitLoginRequests: this.rateLimitLoginRequests,
      rateLimitLoginWindow: this.rateLimitLoginWindow,
+      allowIframe: this.allowIframe,
      backupPath: this.backupPath,
      backupSchedule: this.backupSchedule,
      backupsToKeep: this.backupsToKeep,