FileUpload options for Server Config (#7071)

* New: fileUpload options to restrict file uploads * review changes * update review * Update helper.js * added complete fileUpload values for tests * fixed config validation * allow file upload only for authenicated user by default * fixed inconsistent error messages * consolidated and extended tests * minor compacting * removed irregular whitespace * added changelog entry * always allow file upload with master key * fix lint * removed fit Co-authored-by: Manuel Trezza <trezza.m@gmail.com>
2020-12-17 20:16:37 +11:00
parent c46e8a525d
commit 97c3046f3f
9 changed files with 836 additions and 563 deletions
--- a/src/Routers/FilesRouter.js
+++ b/src/Routers/FilesRouter.js
@@ -94,6 +94,27 @@ export class FilesRouter {

  async createHandler(req, res, next) {
    const config = req.config;
+    const user = req.auth.user;
+    const isMaster = req.auth.isMaster;
+    const isLinked = user && Parse.AnonymousUtils.isLinked(user);
+    if (!isMaster && !config.fileUpload.enableForAnonymousUser && isLinked) {
+      next(new Parse.Error(
+        Parse.Error.FILE_SAVE_ERROR,
+        'File upload by anonymous user is disabled.'
+      ));
+      return;
+    }
+    if (!isMaster && !config.fileUpload.enableForAuthenticatedUser && !isLinked && user) {
+      next(new Parse.Error(
+        Parse.Error.FILE_SAVE_ERROR,
+        'File upload by authenticated user is disabled.'
+      ));
+      return;
+    }
+    if (!isMaster && !config.fileUpload.enableForPublic && !user) {
+      next(new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'File upload by public is disabled.'));
+      return;
+    }
    const filesController = config.filesController;
    const { filename } = req.params;
    const contentType = req.get('Content-type');