Mirror/filesafe
1
0
Fork 0
mirror of https://github.com/BobbyWibowo/lolisafe.git synced 2025-01-30 23:01:34 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: limit upload to specific usergroups

Browse Source
This commit is contained in:
Bobby Wibowo 2021-05-22 20:59:00 +07:00
parent 38388e90c7
commit 48488667c8
No known key found for this signature in database
GPG Key ID: 51C3A1E1E22D26CF
2 changed files with 26 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
config.sample.js
View File

@ -7,6 +7,14 @@ module.exports = {
*/ */
private: true, private: true,
/*
If set, only the specified group AND any groups higher than it
will be allowed to upload new files.
Any other groups, assuming registered, will still be able to manage their previously uploaded files.
*/
privateUploadGroup: null, // Other group names in controllers/permissionController.js
privateUploadCustomRespond: null,
/* /*
If true, users will be able to create accounts and access their uploaded files. If true, users will be able to create accounts and access their uploaded files.
*/ */
@ -283,26 +291,26 @@ module.exports = {
urlProxy: 'https://proxy.duckduckgo.com/iu/?u={url}', urlProxy: 'https://proxy.duckduckgo.com/iu/?u={url}',
/* /*
Disclaimer message that will be printed underneath the URL uploads form. Disclaimer message that will be printed underneath the URL uploads form.
Supports HTML. Be safe though. Supports HTML. Be safe though.
*/ */
urlDisclaimerMessage: 'URL uploads are being proxied by <a href="https://duckduckgo.com/" target="_blank" rel="noopener">DuckDuckGo</a>.', urlDisclaimerMessage: 'URL uploads are being proxied by <a href="https://duckduckgo.com/" target="_blank" rel="noopener">DuckDuckGo</a>.',
/* /*
Filter mode for URL uploads. Filter mode for URL uploads.
Can be 'blacklist', 'whitelist', or 'inherit'. Can be 'blacklist', 'whitelist', or 'inherit'.
'inherit' => inherit primary extensions filter (extensionsFilter option). 'inherit' => inherit primary extensions filter (extensionsFilter option).
The rest are paired with urlExtensionsFilter option below and should be self-explanatory. The rest are paired with urlExtensionsFilter option below and should be self-explanatory.
When this is not set to any of the 3 values, this will fallback to 'inherit'. When this is not set to any of the 3 values, this will fallback to 'inherit'.
*/ */
urlExtensionsFilterMode: 'whitelist', urlExtensionsFilterMode: 'whitelist',
/* /*
Mainly intended for URL proxies that only support certain extensions. Mainly intended for URL proxies that only support certain extensions.
This will parse the extensions from the URLs, so URLs that do not end with This will parse the extensions from the URLs, so URLs that do not end with
the file's extensions will always be rejected. the file's extensions will always be rejected.
Queries and segments in the URLs will be bypassed. Queries and segments in the URLs will be bypassed.
NOTE: Can not be empty when using either 'blacklist' or 'whitelist' mode. NOTE: Can not be empty when using either 'blacklist' or 'whitelist' mode.
*/ */
urlExtensionsFilter: [ urlExtensionsFilter: [
'.webp', '.webp',

6
controllers/uploadController.js
View File

@ -264,6 +264,12 @@ self.upload = async (req, res, next) => {
user = await utils.assertUser(req.headers.token) user = await utils.assertUser(req.headers.token)
} }
if (config.privateUploadGroup) {
if (!user || !perms.is(user, config.privateUploadGroup)) {
throw new ClientError(config.privateUploadCustomRespond || 'Your usergroup is not permitted to upload new files.', { statusCode: 403 })
}
}
let albumid = parseInt(req.headers.albumid || req.params.albumid) let albumid = parseInt(req.headers.albumid || req.params.albumid)
if (isNaN(albumid)) albumid = null if (isNaN(albumid)) albumid = null