Server: Allow disabling item upload for a user

2025-04-01 21:24:45 +02:00 · 2021-05-27 16:25:37 +02:00 · 2021-05-27 16:25:37 +02:00 · f8a26cf8f9
commit f8a26cf8f9
parent 3505a2a973
5 changed files with 35 additions and 1 deletions
--- a/packages/server/schema.sqlite
+++ b/packages/server/schema.sqlite
--- a/packages/server/src/db.ts
+++ b/packages/server/src/db.ts
@ -280,6 +280,8 @@ export interface User extends WithDates, WithUuid {
 	can_share?: number;
 	email_confirmed?: number;
 	must_set_password?: number;
+	account_type?: number;
+	can_upload?: number;
 }

 export interface Session extends WithDates, WithUuid {
@ -405,6 +407,8 @@ export const databaseSchema: DatabaseTables = {
 		can_share: { type: 'number' },
 		email_confirmed: { type: 'number' },
 		must_set_password: { type: 'number' },
+		account_type: { type: 'number' },
+		can_upload: { type: 'number' },
 	},
 	sessions: {
 		id: { type: 'string' },
--- a/packages/server/src/migrations/20210527161932_can_upload.ts
+++ b/packages/server/src/migrations/20210527161932_can_upload.ts
@ -0,0 +1,14 @@
+import { Knex } from 'knex';
+import { DbConnection } from '../db';
+
+export async function up(db: DbConnection): Promise<any> {
+	await db.schema.alterTable('users', function(table: Knex.CreateTableBuilder) {
+		table.integer('can_upload').defaultTo(1).notNullable();
+	});
+
+	await db('users').update({ can_upload: 1 });
+}
+
+export async function down(_db: DbConnection): Promise<any> {
+
+}
--- a/packages/server/src/routes/api/items.test.ts
+++ b/packages/server/src/routes/api/items.test.ts
@ -276,4 +276,18 @@ describe('api_items', function() {
 		}
 	});

+	test('should check permissions - should not allow uploading items if disabled', async function() {
+		const { user: user1, session: session1 } = await createUserAndSession(1);
+
+		await models().user().save({ id: user1.id, can_upload: 0 });
+
+		await expectHttpError(
+			async () => createNote(session1.id, {
+				id: '00000000000000000000000000000001',
+				body: '12345',
+			}),
+			ErrorForbidden.httpCode
+		);
+	});
+
 });
--- a/packages/server/src/routes/api/items.ts
+++ b/packages/server/src/routes/api/items.ts
@ -5,7 +5,7 @@ import Router from '../../utils/Router';
 import { RouteType } from '../../utils/types';
 import { AppContext } from '../../utils/types';
 import * as fs from 'fs-extra';
-import { ErrorMethodNotAllowed, ErrorNotFound } from '../../utils/errors';
+import { ErrorForbidden, ErrorMethodNotAllowed, ErrorNotFound } from '../../utils/errors';
 import ItemModel, { ItemSaveOption } from '../../models/ItemModel';
 import { requestDeltaPagination, requestPagination } from '../../models/utils/pagination';
 import { AclAction } from '../../models/BaseModel';
@ -66,6 +66,8 @@ router.get('api/items/:id/content', async (path: SubPath, ctx: AppContext) => {
 });

 router.put('api/items/:id/content', async (path: SubPath, ctx: AppContext) => {
+	if (!ctx.owner.can_upload) throw new ErrorForbidden('Uploading content is disabled');
+
 	const itemModel = ctx.models.item();
 	const name = itemModel.pathToName(path.id);
 	const parsedBody = await formParse(ctx.req);