From fe465867e9c42047fe1d096c4a9a0474a4f9e417 Mon Sep 17 00:00:00 2001 From: Jeff Ohrstrom Date: Thu, 7 Dec 2023 12:45:44 -0500 Subject: [PATCH 1/2] add the config option to disable uploads and downloads --- .../app/controllers/files_controller.rb | 25 +++++++++++++++---- .../app/views/files/_download_button.html.erb | 5 ++++ .../views/files/_file_action_menu.html.erb | 2 ++ .../app/views/files/_inline_js.html.erb | 2 +- .../app/views/files/_upload_button.html.erb | 5 ++++ apps/dashboard/app/views/files/index.html.erb | 4 +-- .../app/views/files/index.json.jbuilder | 2 +- .../config/configuration_singleton.rb | 2 ++ apps/dashboard/config/locales/en.yml | 1 + apps/dashboard/config/routes.rb | 2 +- 10 files changed, 40 insertions(+), 10 deletions(-) create mode 100644 apps/dashboard/app/views/files/_download_button.html.erb create mode 100644 apps/dashboard/app/views/files/_upload_button.html.erb diff --git a/apps/dashboard/app/controllers/files_controller.rb b/apps/dashboard/app/controllers/files_controller.rb index f737a4a57b..b71e581d59 100644 --- a/apps/dashboard/app/controllers/files_controller.rb +++ b/apps/dashboard/app/controllers/files_controller.rb @@ -13,7 +13,7 @@ def fs if @path.directory? @path.raise_if_cant_access_directory_contents - request.format = 'zip' if params[:download] + request.format = 'zip' if download? respond_to do |format| @@ -25,7 +25,12 @@ def fs response.headers['Cache-Control'] = 'no-store' if params[:can_download] # check to see if this directory can be downloaded as a zip - can_download, error_message = @path.can_download_as_zip? + can_download, error_message = if ::Configuration.download_enabled? + @path.can_download_as_zip? + else + [false, t('dashboard.files_download_not_enabled')] + end + render json: { can_download: can_download, error_message: error_message } else @files = @path.ls 
@@ -39,7 +44,11 @@ def fs # and we can avoid rescuing in a block so we can reintroduce # the block braces which is the Rails convention with the respond_to formats. format.zip do - can_download, error_message = @path.can_download_as_zip? + can_download, error_message = if ::Configuration.download_enabled? + @path.can_download_as_zip? + else + raise(StandardError, t('dashboard.files_download_not_enabled')) + end if can_download zipname = @path.basename.to_s.gsub('"', '\"') + '.zip' @@ -211,6 +220,10 @@ def posix_file? @path.is_a?(PosixFile) end + def download? + params[:download] + end + def uppy_upload_path # careful: # @@ -226,6 +239,8 @@ def uppy_upload_path end def show_file + raise(StandardError, t('dashboard.files_download_not_enabled')) unless ::Configuration.download_enabled? + if posix_file? send_posix_file else @@ -237,7 +252,7 @@ def send_posix_file type = Files.mime_type_by_extension(@path).presence || PosixFile.new(@path).mime_type # svgs aren't safe to view until we update our CSP - if params[:download] || type.to_s == 'image/svg+xml' + if download? || type.to_s == 'image/svg+xml' type = 'text/plain; charset=utf-8' if type.to_s == 'image/svg+xml' send_file @path, type: type else @@ -261,7 +276,7 @@ def send_remote_file end # svgs aren't safe to view until we update our CSP - download = params[:download] || type.to_s == "image/svg+xml" + download = download? || type.to_s == "image/svg+xml" type = "text/plain; charset=utf-8" if type.to_s == "image/svg+xml" response.set_header('X-Accel-Buffering', 'no') diff --git a/apps/dashboard/app/views/files/_download_button.html.erb b/apps/dashboard/app/views/files/_download_button.html.erb new file mode 100644 index 0000000000..bb41c6a1c9 --- /dev/null +++ b/apps/dashboard/app/views/files/_download_button.html.erb @@ -0,0 +1,5 @@ +<%- if Configuration.download_enabled? -%> + +<%- end -%> \ No newline at end of file 
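Review bot: The disabled-download branch inside `format.zip` raises a bare `StandardError`, and the new first line of `show_file` (hunk `@@ -226,6 +239,8 @@`) does the same, so whatever rescues it cannot tell a policy denial from a genuine failure. The rescue and the resulting HTTP status are outside these hunks; if the handler is generic, the client probably gets a server-error response rather than a 403, and logs cannot separate blocked attempts from faults. A dedicated error class (a new one, e.g. `DownloadNotEnabledError < StandardError`) or an explicit `head :forbidden` would make the denial unambiguous. The `can_download` JSON branch reports the same condition as `[false, message]` without raising, so the three paths currently signal it in two different ways.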
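Review bot: `download?` returns the raw `params[:download]` value, so it is truthy for any value that is present, including `download=0` or `download=false`, and it is not a permission check. Its name sits close to `Configuration.download_enabled?`, so a one-line comment would keep the two from being confused, for example `# true when the request carries a download param (any value); does not check Configuration.download_enabled?`. Whether the method sits under `private` is not visible in the hunk; if it does not, it should, because public controller methods are treated as actions.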
diff --git a/apps/dashboard/app/views/files/_file_action_menu.html.erb b/apps/dashboard/app/views/files/_file_action_menu.html.erb index f687118377..cf386678e7 100755 --- a/apps/dashboard/app/views/files/_file_action_menu.html.erb +++ b/apps/dashboard/app/views/files/_file_action_menu.html.erb @@ -13,7 +13,9 @@
  • Edit
  • {{/if}}
  • Rename
  • + <%- if Configuration.download_enabled? -%>
  • Download
  • + <%- end -%>
  • Delete
  • diff --git a/apps/dashboard/app/views/files/_inline_js.html.erb b/apps/dashboard/app/views/files/_inline_js.html.erb index 4619d5d957..4bae262bb1 100755 --- a/apps/dashboard/app/views/files/_inline_js.html.erb +++ b/apps/dashboard/app/views/files/_inline_js.html.erb @@ -6,7 +6,7 @@ history.replaceState({ currentDirectoryUrl: '<%= files_path(@filesystem, @path) %>', currentDirectoryUpdatedAt: '<%= Time.now.to_i %>', currentFilesPath: '<%= files_path(@filesystem, '/') %>', - currentFilesUploadPath: '<%= url_for(fs: @filesystem, action: 'upload') %>', + currentFilesUploadPath: '<%= url_for(fs: @filesystem, action: 'upload') if Configuration.upload_enabled? %>', currentFilesystem: '<%= @filesystem %>' }, null); diff --git a/apps/dashboard/app/views/files/_upload_button.html.erb b/apps/dashboard/app/views/files/_upload_button.html.erb new file mode 100644 index 0000000000..6a68bd8201 --- /dev/null +++ b/apps/dashboard/app/views/files/_upload_button.html.erb @@ -0,0 +1,5 @@ +<%- if Configuration.upload_enabled? -%> + +<%- end -%> \ No newline at end of file diff --git a/apps/dashboard/app/views/files/index.html.erb b/apps/dashboard/app/views/files/index.html.erb index 8a9b32d9eb..7838216ca4 100644 --- a/apps/dashboard/app/views/files/index.html.erb +++ b/apps/dashboard/app/views/files/index.html.erb @@ -9,8 +9,8 @@ - - + <%= render(partial: 'upload_button') %> + <%= render(partial: 'download_button') %> <% if Configuration.globus_endpoints %> <%= render partial: 'globus' %> <% end %> diff --git a/apps/dashboard/app/views/files/index.json.jbuilder b/apps/dashboard/app/views/files/index.json.jbuilder index 9f2d425ccc..860f84b224 100644 --- a/apps/dashboard/app/views/files/index.json.jbuilder +++ b/apps/dashboard/app/views/files/index.json.jbuilder 
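Review bot: With uploads disabled, `currentFilesUploadPath` in `_inline_js.html.erb` is emitted as the empty string `''`, while the matching change in `index.json.jbuilder` omits the `files_upload_path` key entirely, so the client sees two different "disabled" shapes depending on how the directory was loaded. The consuming JavaScript is not part of this patch; if it passes the value to the uploader as an endpoint, an empty string may resolve to the current page URL instead of failing cleanly. Emitting an explicit boolean in both places, for instance `json.upload_enabled Configuration.upload_enabled?`, would let the client switch the uploader off deliberately rather than infer it from a missing path.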
@@ -3,7 +3,7 @@ json.url files_path(@filesystem, @path).to_s #TODO: support array of shell urls, along with the default shell url which could be above json.shell_url OodAppkit.shell.url(path: @path.to_s).to_s json.files_path files_path(@filesystem, '/') -json.files_upload_path url_for(fs: @filesystem, action: 'upload') +json.files_upload_path url_for(fs: @filesystem, action: 'upload') if Configuration.upload_enabled? json.filesystem @filesystem json.files @files do |f| diff --git a/apps/dashboard/config/configuration_singleton.rb b/apps/dashboard/config/configuration_singleton.rb index c2671a3a0b..1ea77bc711 100644 --- a/apps/dashboard/config/configuration_singleton.rb +++ b/apps/dashboard/config/configuration_singleton.rb @@ -50,6 +50,8 @@ def boolean_configs :cancel_session_enabled => false, :hide_app_version => false, :motd_render_html => false, + :upload_enabled => true, + :download_enabled => true, }.freeze end diff --git a/apps/dashboard/config/locales/en.yml b/apps/dashboard/config/locales/en.yml index cec98ab4f2..3281b7e0c2 100644 --- a/apps/dashboard/config/locales/en.yml +++ b/apps/dashboard/config/locales/en.yml @@ -209,6 +209,7 @@ en: recently_used_apps_title: 'Recently Used Apps' + files_download_not_enabled: "Downloading files is not enabled on this server." files_directory_download_error_modal_title: "Directory too large to download" files_directory_download_unauthorized: "You can only download a directory as zip that you have read and execute access to" files_directory_download_size_0: "The directory size is 0 and has no contents for download." diff --git a/apps/dashboard/config/routes.rb b/apps/dashboard/config/routes.rb index d5bdf85e4a..d28a6bad9b 100644 --- a/apps/dashboard/config/routes.rb +++ b/apps/dashboard/config/routes.rb 
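Review bot: The two new entries in `boolean_configs` are security-relevant switches but carry no comment on their scope, and both default to `true`, so the restriction is opt-in. Within this patch they gate only the files controller, its views and the upload route, so a comment above them such as `# gate the files app's HTTP upload/download only; other write or read paths are not covered` would keep operators from treating them as a general data-transfer control. The method starts outside the hunk.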
@@ -25,7 +25,7 @@ get "files/api/v1/:fs(/*filepath)" => "files#fs", :defaults => { :fs => 'fs', :format => 'html' }, :format => false put "files/api/v1/:fs/*filepath" => "files#update", :format => false, :defaults => { :fs => 'fs', :format => 'json' } end - post "files/upload/:fs" => "files#upload", :defaults => { :fs => 'fs' } + post "files/upload/:fs" => "files#upload", :defaults => { :fs => 'fs' } if Configuration.upload_enabled? get "files", to: redirect("files/fs#{Dir.home}") From 0f2ec4d7dc1795da8cd4f851c0062660351b3871 Mon Sep 17 00:00:00 2001 From: Jeff Ohrstrom Date: Thu, 7 Dec 2023 13:01:53 -0500 Subject: [PATCH 2/2] add newlines to these files --- apps/dashboard/app/views/files/_download_button.html.erb | 2 +- apps/dashboard/app/views/files/_upload_button.html.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/dashboard/app/views/files/_download_button.html.erb b/apps/dashboard/app/views/files/_download_button.html.erb index bb41c6a1c9..cfb42f21ef 100644 --- a/apps/dashboard/app/views/files/_download_button.html.erb +++ b/apps/dashboard/app/views/files/_download_button.html.erb @@ -2,4 +2,4 @@ -<%- end -%> \ No newline at end of file +<%- end -%> diff --git a/apps/dashboard/app/views/files/_upload_button.html.erb b/apps/dashboard/app/views/files/_upload_button.html.erb index 6a68bd8201..5d312a0063 100644 --- a/apps/dashboard/app/views/files/_upload_button.html.erb +++ b/apps/dashboard/app/views/files/_upload_button.html.erb @@ -2,4 +2,4 @@ -<%- end -%> \ No newline at end of file +<%- end -%>
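Review bot: Uploads are switched off only by omitting the `post "files/upload/:fs"` route; nothing in this patch adds a check to the `upload` action itself, unlike the guard added to `show_file` for downloads. The `put "files/api/v1/:fs/*filepath" => "files#update"` route in the context lines stays registered, so if `update` writes the request body to disk (its body is not shown here), files can still be created or changed with uploads disabled. A guard at the top of `upload` that mirrors the `show_file` one, ending in `unless ::Configuration.upload_enabled?`, would keep the policy in force even if the route is later restored or mounted elsewhere, and the `update` path needs an explicit decision of its own. The conditional is also evaluated once when the routes are loaded, so the setting cannot change without reloading them.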