From dd4c04945ab02dff7fce637dc17f2896b388e987 Mon Sep 17 00:00:00 2001
From: Georg Lehner <jorge@magma-soft.at>
Date: Thu, 6 Jun 2024 15:47:50 +0200
Subject: [PATCH] Add HELPDESK_ENABLE_ATTACHMENTS setting and make it show/hide
 attachment related UI

Default setting is false. This is not backward compatible.
The rationale is: attachments contain most likely sensitive information.
By default they are served without access control.  Currently there is
no simple feature to configure access control.  To avoid unintentional
disclosure attachments should be an opt in: you have been warned.
---
 helpdesk/forms.py                             | 23 +++++++++---------
 helpdesk/settings.py                          |  5 ++++
 .../helpdesk/public_view_ticket.html          |  5 ++--
 helpdesk/templates/helpdesk/ticket.html       | 24 +++++++++++--------
 .../templates/helpdesk/ticket_desc_table.html |  4 +++-
 5 files changed, 37 insertions(+), 24 deletions(-)

diff --git a/helpdesk/forms.py b/helpdesk/forms.py
index eb77c2e6..3124f281 100644
--- a/helpdesk/forms.py
+++ b/helpdesk/forms.py
@@ -239,17 +239,18 @@ class AbstractTicketForm(CustomFieldMixin, forms.Form):
         label=_('Due on'),
     )
 
-    attachment = forms.FileField(
-        widget=forms.FileInput(attrs={'class': 'form-control-file'}),
-        required=False,
-        label=_('Attach File'),
-        help_text=_('You can attach a file to this ticket. '
-                    'Only file types such as plain text (.txt), '
-                    'a document (.pdf, .docx, or .odt), '
-                    'or screenshot (.png or .jpg) may be uploaded.'),
-        validators=[validate_file_extension]
-    )
-
+    if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS:
+        attachment = forms.FileField(
+            widget=forms.FileInput(attrs={'class': 'form-control-file'}),
+            required=False,
+            label=_('Attach File'),
+            help_text=_('You can attach a file to this ticket. '
+                        'Only file types such as plain text (.txt), '
+                        'a document (.pdf, .docx, or .odt), '
+                        'or screenshot (.png or .jpg) may be uploaded.'),
+            validators=[validate_file_extension]
+        )
+        
     class Media:
         js = ('helpdesk/js/init_due_date.js',
               'helpdesk/js/init_datetime_classes.js')
diff --git a/helpdesk/settings.py b/helpdesk/settings.py
index 2235e7d5..6d83ed63 100644
--- a/helpdesk/settings.py
+++ b/helpdesk/settings.py
@@ -56,6 +56,11 @@ HELPDESK_STAFF_VIEW_PROTECTOR = getattr(settings,
                                          'HELPDESK_STAFF_VIEW_PROTECTOR',
                                          lambda _: None)
 
+# Enable ticket and Email attachments
+HELPDESK_ENABLE_ATTACHMENTS = getattr(settings,
+                                      'HELPDESK_ENABLE_ATTACHMENTS',
+                                      False)
+
 # Enable the Dependencies field on ticket view
 HELPDESK_ENABLE_DEPENDENCIES_ON_TICKET = getattr(settings,
                                                  'HELPDESK_ENABLE_DEPENDENCIES_ON_TICKET',
diff --git a/helpdesk/templates/helpdesk/public_view_ticket.html b/helpdesk/templates/helpdesk/public_view_ticket.html
index 77de5af1..ee36e304 100644
--- a/helpdesk/templates/helpdesk/public_view_ticket.html
+++ b/helpdesk/templates/helpdesk/public_view_ticket.html
@@ -122,7 +122,8 @@
         <input type='hidden' name='public' value='1'>
 
     </dl>
-
+        
+{% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
 <p id='ShowFileUploadPara'><button class="btn btn-warning btn-sm"
     id='ShowFileUpload' onclick="$('#FileUpload')[0].style.display='block';return false;" >{% trans "Attach File(s) &raquo;" %}</button></p>
 
@@ -140,7 +141,7 @@
     </dl>
 
 </div>
-
+{% endif %}
 </fieldset>
 
 <button class="btn btn-primary btn-lg" style="margin-bottom:10px" type='submit'>{% trans "Update This Ticket" %}</button>
diff --git a/helpdesk/templates/helpdesk/ticket.html b/helpdesk/templates/helpdesk/ticket.html
index b61743f7..652988e0 100644
--- a/helpdesk/templates/helpdesk/ticket.html
+++ b/helpdesk/templates/helpdesk/ticket.html
@@ -54,14 +54,16 @@
                                     <li>{% blocktrans with change.field as field and change.old_value as old_value and change.new_value as new_value %}Changed {{ field }} from {{ old_value }} to {{ new_value }}.{% endblocktrans %}</li>
                                     {% if forloop.last %}</ul></div>{% endif %}
                                 {% endfor %}
-                                {% for attachment in followup.followupattachment_set.all %}{% if forloop.first %}{% trans "Attachments" %}:<div class='attachments'><ul>{% endif %}
+                                {% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
+                                    {% for attachment in followup.followupattachment_set.all %}{% if forloop.first %}{% trans "Attachments" %}:<div class='attachments'><ul>{% endif %}
                                     <li><a href='{{ attachment.file.url }}'>{{ attachment.filename }}</a> ({{ attachment.mime_type }}, {{ attachment.size|filesizeformat }})
-                                    {% if followup.user and request.user == followup.user %}
+                                        {% if followup.user and request.user == followup.user %}
                                     <a href='{% url 'helpdesk:attachment_del' ticket.id attachment.id %}'><button class="btn btn-danger btn-sm"><i class="fas fa-trash"></i></button></a>
-                                    {% endif %}
+                                        {% endif %}
                                     </li>
-                                    {% if forloop.last %}</ul></div>{% endif %}
-                                {% endfor %}
+                                        {% if forloop.last %}</ul></div>{% endif %}
+                                    {% endfor %}
+                                {% endif %}
                             </p>
                             <!--- ugly long test to suppress the following if it will be empty, to save vertical space -->
                             {% with possible=helpdesk_settings.HELPDESK_SHOW_EDIT_BUTTON_FOLLOW_UP %}
@@ -105,10 +107,10 @@
 
                 <dt><label for='commentBox'>{% trans "Comment / Resolution" %}</label></dt>
                 <dd><textarea rows='8' cols='70' name='comment' id='commentBox'></textarea></dd>
-		{% url "helpdesk:help_context" as context_help_url %}
-		{% blocktrans %}
-		<dd class='form_help_text'>You can insert ticket and queue details in your message. For more information, see the <a href='{{ context_help_url }}'>context help page</a>.</dd>
-		{% endblocktrans %}
+                {% url "helpdesk:help_context" as context_help_url %}
+                {% blocktrans %}
+                <dd class='form_help_text'>You can insert ticket and queue details in your message. For more information, see the <a href='{{ context_help_url }}'>context help page</a>.</dd>
+                {% endblocktrans %}
 
                 <dt><label>{% trans "New Status" %}</label></dt>
                 {% if not ticket.can_be_resolved %}<dd>{% trans "This ticket cannot be resolved or closed until the tickets it depends on are resolved." %}</dd>{% endif %}
@@ -197,7 +199,9 @@
             </div>
         {% endif %}
 
+        {% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
         <p id='ShowFileUploadPara'><button type="button" class="btn btn-warning btn-sm" id='ShowFileUpload'>{% trans "Attach File(s) &raquo;" %}</button></p>
+        {% endif %}
 
         <div id='FileUpload' style='display: none;'>
 
@@ -257,7 +261,7 @@
 {% block helpdesk_js %}
 <script type='text/javascript' language='javascript'>
 $( function() {
-	$( "#id_due_date" ).datepicker({dateFormat: 'yy-mm-dd'});
+        $( "#id_due_date" ).datepicker({dateFormat: 'yy-mm-dd'});
 } );
 </script>
 
diff --git a/helpdesk/templates/helpdesk/ticket_desc_table.html b/helpdesk/templates/helpdesk/ticket_desc_table.html
index 8cf00829..21a46e5a 100644
--- a/helpdesk/templates/helpdesk/ticket_desc_table.html
+++ b/helpdesk/templates/helpdesk/ticket_desc_table.html
@@ -149,7 +149,8 @@
                             <th class="table-active">{% trans "Knowlegebase item" %}</th>
                             <td> <a href ="{{ticket.kbitem.query_url}}"> {{ticket.kbitem}} </a> </td>
                         </tr>
-                    {% endif %}
+		    {% endif %}
+		    {% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
                     <tr>
                         <th class="table-active">{% trans "Attachments" %}</th>
                         <td colspan="3">
@@ -171,6 +172,7 @@
                             </ul>
                         </td>
                     </tr>
+                    {% endif %}
                     <tr>
                         <th class="table-active">{% trans "Checklists" %}</th>
                         <td colspan="3">