From 2ea052ba5e4c041e4aae3c531cec40b23422843c Mon Sep 17 00:00:00 2001
From: Miro Prasil <miro@circleci.com>
Date: Sun, 16 Feb 2020 21:03:56 +0000
Subject: [PATCH] Allow disabling attachment uploading

This adds an configuration option to disable uploading attachments in
cases where running out of space on server is a concern for example.

This was raised in #865 and seems like worthwhile addition.
---
 src/api/core/ciphers.rs | 28 ++++++++++++++++++++++++----
 src/config.rs           |  2 ++
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/src/api/core/ciphers.rs b/src/api/core/ciphers.rs
index 2ffa694b..1be3654a 100644
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@@ -631,8 +631,7 @@ fn share_cipher_by_uuid(
     }
 }
 
-#[post("/ciphers/<uuid>/attachment", format = "multipart/form-data", data = "<data>")]
-fn post_attachment(
+fn _post_attachment(
     uuid: String,
     data: Data,
     content_type: &ContentType,
@@ -704,6 +703,23 @@ fn post_attachment(
     Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, &conn)))
 }
 
+#[post("/ciphers/<uuid>/attachment", format = "multipart/form-data", data = "<data>")]
+fn post_attachment(
+    uuid: String,
+    data: Data,
+    content_type: &ContentType,
+    headers: Headers,
+    conn: DbConn,
+    nt: Notify,
+) -> JsonResult {
+    if CONFIG.disable_attachments() {
+        err!("Uploading attachments is not allowed on server")
+    }
+
+    _post_attachment(uuid, data, content_type, headers, conn, nt)
+}
+
+
 #[post("/ciphers/<uuid>/attachment-admin", format = "multipart/form-data", data = "<data>")]
 fn post_attachment_admin(
     uuid: String,
@@ -713,7 +729,11 @@ fn post_attachment_admin(
     conn: DbConn,
     nt: Notify,
 ) -> JsonResult {
-    post_attachment(uuid, data, content_type, headers, conn, nt)
+    if CONFIG.disable_attachments() {
+        err!("Uploading attachments is not allowed on server")
+    }
+
+    _post_attachment(uuid, data, content_type, headers, conn, nt)
 }
 
 #[post(
@@ -731,7 +751,7 @@ fn post_attachment_share(
     nt: Notify,
 ) -> JsonResult {
     _delete_cipher_attachment_by_id(&uuid, &attachment_id, &headers, &conn, &nt)?;
-    post_attachment(uuid, data, content_type, headers, conn, nt)
+    _post_attachment(uuid, data, content_type, headers, conn, nt)
 }
 
 #[post("/ciphers/<uuid>/attachment/<attachment_id>/delete-admin")]
diff --git a/src/config.rs b/src/config.rs
index 2551d21e..cb2b30f4 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -250,6 +250,8 @@ make_config! {
         /// $ICON_CACHE_FOLDER, but it won't produce any external network request. Needs to set $ICON_CACHE_TTL to 0,
         /// otherwise it will delete them and they won't be downloaded again.
         disable_icon_download:  bool,   true,   def,    false;
+        /// Disable uploading attachments. |> Set this to true to disable uploading attachments. Already uploaded attachments will continue to work.
+        disable_attachments:  bool,   true,   def,    false;
         /// Allow new signups |> Controls if new users can register. Note that while this is disabled, users could still be invited
         signups_allowed:        bool,   true,   def,    true;
         /// Require email verification on signups. This will prevent logins from succeeding until the address has been verified