Add HELPDESK_ENABLE_ATTACHMENTS setting and make it show/hide attachment related UI

Default setting is false. This is not backward compatible. The rationale is: attachments contain most likely sensitive information. By default they are served without access control. Currently there is no simple feature to configure access control. To avoid unintentional disclosure attachments should be an opt in: you have been warned.
2024-12-12 09:50:45 +01:00 · 2024-06-06 15:47:50 +02:00 · 2024-06-06 15:47:50 +02:00 · dd4c04945a
commit dd4c04945a
parent c77bb30035
5 changed files with 37 additions and 24 deletions
--- a/helpdesk/forms.py
+++ b/helpdesk/forms.py
@ -239,17 +239,18 @@ class AbstractTicketForm(CustomFieldMixin, forms.Form):
        label=_('Due on'),
    )
-    attachment = forms.FileField(
+    if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS:
-        widget=forms.FileInput(attrs={'class': 'form-control-file'}),
+        attachment = forms.FileField(
-        required=False,
+            widget=forms.FileInput(attrs={'class': 'form-control-file'}),
-        label=_('Attach File'),
+            required=False,
-        help_text=_('You can attach a file to this ticket. '
+            label=_('Attach File'),
-                    'Only file types such as plain text (.txt), '
+            help_text=_('You can attach a file to this ticket. '
-                    'a document (.pdf, .docx, or .odt), '
+                        'Only file types such as plain text (.txt), '
-                    'or screenshot (.png or .jpg) may be uploaded.'),
+                        'a document (.pdf, .docx, or .odt), '
-        validators=[validate_file_extension]
+                        'or screenshot (.png or .jpg) may be uploaded.'),
-    )
+            validators=[validate_file_extension]
-
+        )
    class Media:
        js = ('helpdesk/js/init_due_date.js',
              'helpdesk/js/init_datetime_classes.js')
--- a/helpdesk/settings.py
+++ b/helpdesk/settings.py
@ -56,6 +56,11 @@ HELPDESK_STAFF_VIEW_PROTECTOR = getattr(settings,
                                         'HELPDESK_STAFF_VIEW_PROTECTOR',
                                         lambda _: None)
 # Enable ticket and Email attachments
 HELPDESK_ENABLE_ATTACHMENTS = getattr(settings,
                                      'HELPDESK_ENABLE_ATTACHMENTS',
                                      False)
 # Enable the Dependencies field on ticket view
 HELPDESK_ENABLE_DEPENDENCIES_ON_TICKET = getattr(settings,
                                                 'HELPDESK_ENABLE_DEPENDENCIES_ON_TICKET',
--- a/helpdesk/templates/helpdesk/public_view_ticket.html
+++ b/helpdesk/templates/helpdesk/public_view_ticket.html
@ -122,7 +122,8 @@
        <input type='hidden' name='public' value='1'>
    </dl>
-
+        
 {% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
 <p id='ShowFileUploadPara'><button class="btn btn-warning btn-sm"
    id='ShowFileUpload' onclick="$('#FileUpload')[0].style.display='block';return false;" >{% trans "Attach File(s) &raquo;" %}</button></p>
@ -140,7 +141,7 @@
    </dl>
 </div>
-
+{% endif %}
 </fieldset>
 <button class="btn btn-primary btn-lg" style="margin-bottom:10px" type='submit'>{% trans "Update This Ticket" %}</button>
--- a/helpdesk/templates/helpdesk/ticket.html
+++ b/helpdesk/templates/helpdesk/ticket.html
@ -54,14 +54,16 @@
                                    <li>{% blocktrans with change.field as field and change.old_value as old_value and change.new_value as new_value %}Changed {{ field }} from {{ old_value }} to {{ new_value }}.{% endblocktrans %}</li>
                                    {% if forloop.last %}</ul></div>{% endif %}
                                {% endfor %}
-                                {% for attachment in followup.followupattachment_set.all %}{% if forloop.first %}{% trans "Attachments" %}:<div class='attachments'><ul>{% endif %}
+                                {% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
                                    {% for attachment in followup.followupattachment_set.all %}{% if forloop.first %}{% trans "Attachments" %}:<div class='attachments'><ul>{% endif %}
                                    <li><a href='{{ attachment.file.url }}'>{{ attachment.filename }}</a> ({{ attachment.mime_type }}, {{ attachment.size|filesizeformat }})
-                                    {% if followup.user and request.user == followup.user %}
+                                        {% if followup.user and request.user == followup.user %}
                                    <a href='{% url 'helpdesk:attachment_del' ticket.id attachment.id %}'><button class="btn btn-danger btn-sm"><i class="fas fa-trash"></i></button></a>
-                                    {% endif %}
+                                        {% endif %}
                                    </li>
-                                    {% if forloop.last %}</ul></div>{% endif %}
+                                        {% if forloop.last %}</ul></div>{% endif %}
-                                {% endfor %}
+                                    {% endfor %}
                                {% endif %}
                            </p>
                            <!--- ugly long test to suppress the following if it will be empty, to save vertical space -->
                            {% with possible=helpdesk_settings.HELPDESK_SHOW_EDIT_BUTTON_FOLLOW_UP %}
@ -105,10 +107,10 @@
                <dt><label for='commentBox'>{% trans "Comment / Resolution" %}</label></dt>
                <dd><textarea rows='8' cols='70' name='comment' id='commentBox'></textarea></dd>
-		{% url "helpdesk:help_context" as context_help_url %}
+                {% url "helpdesk:help_context" as context_help_url %}
-		{% blocktrans %}
+                {% blocktrans %}
-		<dd class='form_help_text'>You can insert ticket and queue details in your message. For more information, see the <a href='{{ context_help_url }}'>context help page</a>.</dd>
+                <dd class='form_help_text'>You can insert ticket and queue details in your message. For more information, see the <a href='{{ context_help_url }}'>context help page</a>.</dd>
-		{% endblocktrans %}
+                {% endblocktrans %}
                <dt><label>{% trans "New Status" %}</label></dt>
                {% if not ticket.can_be_resolved %}<dd>{% trans "This ticket cannot be resolved or closed until the tickets it depends on are resolved." %}</dd>{% endif %}
@ -197,7 +199,9 @@
            </div>
        {% endif %}
        {% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
        <p id='ShowFileUploadPara'><button type="button" class="btn btn-warning btn-sm" id='ShowFileUpload'>{% trans "Attach File(s) &raquo;" %}</button></p>
        {% endif %}
        <div id='FileUpload' style='display: none;'>
@ -257,7 +261,7 @@
 {% block helpdesk_js %}
 <script type='text/javascript' language='javascript'>
 $( function() {
-	$( "#id_due_date" ).datepicker({dateFormat: 'yy-mm-dd'});
+        $( "#id_due_date" ).datepicker({dateFormat: 'yy-mm-dd'});
 } );
 </script>
--- a/helpdesk/templates/helpdesk/ticket_desc_table.html
+++ b/helpdesk/templates/helpdesk/ticket_desc_table.html
@ -149,7 +149,8 @@
                            <th class="table-active">{% trans "Knowlegebase item" %}</th>
                            <td> <a href ="{{ticket.kbitem.query_url}}"> {{ticket.kbitem}} </a> </td>
                        </tr>
-                    {% endif %}
+		    {% endif %}
 		    {% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
                    <tr>
                        <th class="table-active">{% trans "Attachments" %}</th>
                        <td colspan="3">
@ -171,6 +172,7 @@
                            </ul>
                        </td>
                    </tr>
                    {% endif %}
                    <tr>
                        <th class="table-active">{% trans "Checklists" %}</th>
                        <td colspan="3">