From dd4c04945ab02dff7fce637dc17f2896b388e987 Mon Sep 17 00:00:00 2001
From: Georg Lehner <jorge@magma-soft.at>
Date: Thu, 6 Jun 2024 15:47:50 +0200
Subject: [PATCH 01/10] Add HELPDESK_ENABLE_ATTACHMENTS setting and make it
 show/hide attachment related UI

Default setting is false. This is not backward compatible.
The rationale is: attachments contain most likely sensitive information.
By default they are served without access control.  Currently there is
no simple feature to configure access control.  To avoid unintentional
disclosure attachments should be an opt in: you have been warned.
---
 helpdesk/forms.py                             | 23 +++++++++---------
 helpdesk/settings.py                          |  5 ++++
 .../helpdesk/public_view_ticket.html          |  5 ++--
 helpdesk/templates/helpdesk/ticket.html       | 24 +++++++++++--------
 .../templates/helpdesk/ticket_desc_table.html |  4 +++-
 5 files changed, 37 insertions(+), 24 deletions(-)

diff --git a/helpdesk/forms.py b/helpdesk/forms.py
index eb77c2e6..3124f281 100644
--- a/helpdesk/forms.py
+++ b/helpdesk/forms.py
@@ -239,17 +239,18 @@ class AbstractTicketForm(CustomFieldMixin, forms.Form):
         label=_('Due on'),
     )
 
-    attachment = forms.FileField(
-        widget=forms.FileInput(attrs={'class': 'form-control-file'}),
-        required=False,
-        label=_('Attach File'),
-        help_text=_('You can attach a file to this ticket. '
-                    'Only file types such as plain text (.txt), '
-                    'a document (.pdf, .docx, or .odt), '
-                    'or screenshot (.png or .jpg) may be uploaded.'),
-        validators=[validate_file_extension]
-    )
-
+    if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS:
+        attachment = forms.FileField(
+            widget=forms.FileInput(attrs={'class': 'form-control-file'}),
+            required=False,
+            label=_('Attach File'),
+            help_text=_('You can attach a file to this ticket. '
+                        'Only file types such as plain text (.txt), '
+                        'a document (.pdf, .docx, or .odt), '
+                        'or screenshot (.png or .jpg) may be uploaded.'),
+            validators=[validate_file_extension]
+        )
+        
     class Media:
         js = ('helpdesk/js/init_due_date.js',
               'helpdesk/js/init_datetime_classes.js')
diff --git a/helpdesk/settings.py b/helpdesk/settings.py
index 2235e7d5..6d83ed63 100644
--- a/helpdesk/settings.py
+++ b/helpdesk/settings.py
@@ -56,6 +56,11 @@ HELPDESK_STAFF_VIEW_PROTECTOR = getattr(settings,
                                          'HELPDESK_STAFF_VIEW_PROTECTOR',
                                          lambda _: None)
 
+# Enable ticket and Email attachments
+HELPDESK_ENABLE_ATTACHMENTS = getattr(settings,
+                                      'HELPDESK_ENABLE_ATTACHMENTS',
+                                      False)
+
 # Enable the Dependencies field on ticket view
 HELPDESK_ENABLE_DEPENDENCIES_ON_TICKET = getattr(settings,
                                                  'HELPDESK_ENABLE_DEPENDENCIES_ON_TICKET',
diff --git a/helpdesk/templates/helpdesk/public_view_ticket.html b/helpdesk/templates/helpdesk/public_view_ticket.html
index 77de5af1..ee36e304 100644
--- a/helpdesk/templates/helpdesk/public_view_ticket.html
+++ b/helpdesk/templates/helpdesk/public_view_ticket.html
@@ -122,7 +122,8 @@
         <input type='hidden' name='public' value='1'>
 
     </dl>
-
+        
+{% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
 <p id='ShowFileUploadPara'><button class="btn btn-warning btn-sm"
     id='ShowFileUpload' onclick="$('#FileUpload')[0].style.display='block';return false;" >{% trans "Attach File(s) &raquo;" %}</button></p>
 
@@ -140,7 +141,7 @@
     </dl>
 
 </div>
-
+{% endif %}
 </fieldset>
 
 <button class="btn btn-primary btn-lg" style="margin-bottom:10px" type='submit'>{% trans "Update This Ticket" %}</button>
diff --git a/helpdesk/templates/helpdesk/ticket.html b/helpdesk/templates/helpdesk/ticket.html
index b61743f7..652988e0 100644
--- a/helpdesk/templates/helpdesk/ticket.html
+++ b/helpdesk/templates/helpdesk/ticket.html
@@ -54,14 +54,16 @@
                                     <li>{% blocktrans with change.field as field and change.old_value as old_value and change.new_value as new_value %}Changed {{ field }} from {{ old_value }} to {{ new_value }}.{% endblocktrans %}</li>
                                     {% if forloop.last %}</ul></div>{% endif %}
                                 {% endfor %}
-                                {% for attachment in followup.followupattachment_set.all %}{% if forloop.first %}{% trans "Attachments" %}:<div class='attachments'><ul>{% endif %}
+                                {% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
+                                    {% for attachment in followup.followupattachment_set.all %}{% if forloop.first %}{% trans "Attachments" %}:<div class='attachments'><ul>{% endif %}
                                     <li><a href='{{ attachment.file.url }}'>{{ attachment.filename }}</a> ({{ attachment.mime_type }}, {{ attachment.size|filesizeformat }})
-                                    {% if followup.user and request.user == followup.user %}
+                                        {% if followup.user and request.user == followup.user %}
                                     <a href='{% url 'helpdesk:attachment_del' ticket.id attachment.id %}'><button class="btn btn-danger btn-sm"><i class="fas fa-trash"></i></button></a>
-                                    {% endif %}
+                                        {% endif %}
                                     </li>
-                                    {% if forloop.last %}</ul></div>{% endif %}
-                                {% endfor %}
+                                        {% if forloop.last %}</ul></div>{% endif %}
+                                    {% endfor %}
+                                {% endif %}
                             </p>
                             <!--- ugly long test to suppress the following if it will be empty, to save vertical space -->
                             {% with possible=helpdesk_settings.HELPDESK_SHOW_EDIT_BUTTON_FOLLOW_UP %}
@@ -105,10 +107,10 @@
 
                 <dt><label for='commentBox'>{% trans "Comment / Resolution" %}</label></dt>
                 <dd><textarea rows='8' cols='70' name='comment' id='commentBox'></textarea></dd>
-		{% url "helpdesk:help_context" as context_help_url %}
-		{% blocktrans %}
-		<dd class='form_help_text'>You can insert ticket and queue details in your message. For more information, see the <a href='{{ context_help_url }}'>context help page</a>.</dd>
-		{% endblocktrans %}
+                {% url "helpdesk:help_context" as context_help_url %}
+                {% blocktrans %}
+                <dd class='form_help_text'>You can insert ticket and queue details in your message. For more information, see the <a href='{{ context_help_url }}'>context help page</a>.</dd>
+                {% endblocktrans %}
 
                 <dt><label>{% trans "New Status" %}</label></dt>
                 {% if not ticket.can_be_resolved %}<dd>{% trans "This ticket cannot be resolved or closed until the tickets it depends on are resolved." %}</dd>{% endif %}
@@ -197,7 +199,9 @@
             </div>
         {% endif %}
 
+        {% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
         <p id='ShowFileUploadPara'><button type="button" class="btn btn-warning btn-sm" id='ShowFileUpload'>{% trans "Attach File(s) &raquo;" %}</button></p>
+        {% endif %}
 
         <div id='FileUpload' style='display: none;'>
 
@@ -257,7 +261,7 @@
 {% block helpdesk_js %}
 <script type='text/javascript' language='javascript'>
 $( function() {
-	$( "#id_due_date" ).datepicker({dateFormat: 'yy-mm-dd'});
+        $( "#id_due_date" ).datepicker({dateFormat: 'yy-mm-dd'});
 } );
 </script>
 
diff --git a/helpdesk/templates/helpdesk/ticket_desc_table.html b/helpdesk/templates/helpdesk/ticket_desc_table.html
index 8cf00829..21a46e5a 100644
--- a/helpdesk/templates/helpdesk/ticket_desc_table.html
+++ b/helpdesk/templates/helpdesk/ticket_desc_table.html
@@ -149,7 +149,8 @@
                             <th class="table-active">{% trans "Knowlegebase item" %}</th>
                             <td> <a href ="{{ticket.kbitem.query_url}}"> {{ticket.kbitem}} </a> </td>
                         </tr>
-                    {% endif %}
+		    {% endif %}
+		    {% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
                     <tr>
                         <th class="table-active">{% trans "Attachments" %}</th>
                         <td colspan="3">
@@ -171,6 +172,7 @@
                             </ul>
                         </td>
                     </tr>
+                    {% endif %}
                     <tr>
                         <th class="table-active">{% trans "Checklists" %}</th>
                         <td colspan="3">

From cc1b125d53ac9653f25c072eb77ab21349e1cc3c Mon Sep 17 00:00:00 2001
From: Georg Lehner <jorge@magma-soft.at>
Date: Thu, 6 Jun 2024 15:58:27 +0200
Subject: [PATCH 02/10] Disable email attachment processing and email saving if
 attachments are not enabled.

Caution: untested
---
 helpdesk/email.py | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/helpdesk/email.py b/helpdesk/email.py
index f0d3a70f..de9aebdc 100644
--- a/helpdesk/email.py
+++ b/helpdesk/email.py
@@ -595,16 +595,17 @@ def create_object_from_email_message(message, ticket_id, payload, files, logger)
 
     logger.info("[%s-%s] %s" % (ticket.queue.slug, ticket.id, ticket.title,))
 
-    try:
-        attached = process_attachments(f, files)
-    except ValidationError as e:
-        logger.error(str(e))
-    else:
-        for att_file in attached:
-            logger.info(
-                "Attachment '%s' (with size %s) successfully added to ticket from email.",
-                att_file[0], att_file[1].size
-            )
+    if helpdesk.settings.HELPDESK_ENABLE_ATTACHMENTS:
+        try:
+            attached = process_attachments(f, files)
+        except ValidationError as e:
+            logger.error(str(e))
+        else:
+            for att_file in attached:
+                logger.info(
+                    "Attachment '%s' (with size %s) successfully added to ticket from email.",
+                    att_file[0], att_file[1].size
+                )
 
     context = safe_template_context(ticket)
 
@@ -984,7 +985,7 @@ def extract_email_metadata(message: str,
     filtered_body, full_body = extract_email_message_content(message_obj, files, include_chained_msgs)
     # If the base part is not a multipart then it will have already been processed as the vbody content so
     # no need to process attachments
-    if "multipart" == message_obj.get_content_maintype():
+    if "multipart" == message_obj.get_content_maintype() and helpdesk.settings.HELPDESK_ENABLE_ATTACHMENTS:
         # Find and attach all other parts or part contents as attachments
         counter, content_parts_excluded = extract_attachments(message_obj, files, logger)
         if not content_parts_excluded:
@@ -994,7 +995,8 @@ def extract_email_metadata(message: str,
                  Verify that there were no text/* parts containing message content.")
         if logger.isEnabledFor(logging.DEBUG):
             logger.debug("Email parsed and %s attachments were found and attached.", counter)
-    add_file_if_always_save_incoming_email_message(files, message)
+    if helpdesk.settings.HELPDESK_ENABLE_ATTACHMENTS:
+        add_file_if_always_save_incoming_email_message(files, message)
 
     smtp_priority = message_obj.get('priority', '')
     smtp_importance = message_obj.get('importance', '')

From 2d5c350f00bcf54684c2fdc5da9215f074d5cea4 Mon Sep 17 00:00:00 2001
From: Georg Lehner <jorge@magma-soft.at>
Date: Thu, 6 Jun 2024 16:42:13 +0200
Subject: [PATCH 03/10] Add documentation for the HELPDESK_ENABLE_ATTACHMENTS
 setting

---
 docs/settings.rst | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/docs/settings.rst b/docs/settings.rst
index 6299a9b7..ea1529b7 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -39,8 +39,8 @@ If you want to override the default settings for your users, create ``HELPDESK_D
     }
 
 
-Access controll & Security
----------------
+Access control & Security
+-------------------------
 These settings can be used to change who can access the helpdesk.
 
 - **HELPDESK_PUBLIC_VIEW_PROTECTOR** This is a function that takes a request and can either return `None` granting access to to a public view or a redirect denying access.
@@ -51,16 +51,24 @@ These settings can be used to change who can access the helpdesk.
 
   **Default:** ``HELPDESK_REDIRECT_TO_LOGIN_BY_DEFAULT = False``
 
-- **HELPDESK_VALID_EXTENSIONS** Valid extensions for file types that can be attached to tickets. Note: This used to be calle **VALID_EXTENSIONS** which is now deprecated.
-
-  **Default:** ``HELPDESK_VALID_EXTENSIONS = ['.txt', '.asc', '.htm', '.html', '.pdf', '.doc', '.docx', '.odt', '.jpg', '.png', '.eml']
-
-- **HELPDESK_VALIDATE_ATTACHMENT_TYPES** If you'd like to turn of filtering of helpdesk extension types you can set this to False.
-
 - **HELPDESK_ANON_ACCESS_RAISES_404** If True, redirects user to a 404 page when attempting to reach ticket pages while not logged in, rather than redirecting to a login screen.
 
   **Default:** ``HELPDESK_ANON_ACCESS_RAISES_404 = False``
 
+Settings related to attachments:
+
+- **HELPDESK_ENABLE_ATTACHMENTS** If set to ``True``, files can be
+  attached to tickets and followups, and emails are searched for
+  attachments which are then attached to the ticket.  Also enables the
+  ``HELPDESK_ALWAYS_SAVE_INCOMING_EMAIL_MESSAGE`` setting.
+  
+- **HELPDESK_VALID_EXTENSIONS** Valid extensions for file types that can be attached to tickets. Note: This used to be called **VALID_EXTENSIONS** which is now deprecated.
+
+  **Default:** ``HELPDESK_VALID_EXTENSIONS = ['.txt', '.asc', '.htm', '.html', '.pdf', '.doc', '.docx', '.odt', '.jpg', '.png', '.eml']``
+
+- **HELPDESK_VALIDATE_ATTACHMENT_TYPES** If you'd like to turn of filtering of helpdesk extension types you can set this to False.
+
+  
 Generic Options
 ---------------
 These changes are visible throughout django-helpdesk
@@ -422,4 +430,9 @@ The following settings were defined in previous versions and are no longer suppo
 
 - **HELPDESK_FULL_FIRST_MESSAGE_FROM_EMAIL** Do not ignore fowarded and replied text from the email messages which create a new ticket; useful for cases when customer forwards some email (error from service or something) and wants support to see that
 
-- **HELPDESK_ALWAYS_SAVE_INCOMING_EMAIL_MESSAGE** Any incoming .eml message is saved and available, helps when customer spent some time doing fancy markup which has been corrupted during the email-to-ticket-comment translate process
+- **HELPDESK_ALWAYS_SAVE_INCOMING_EMAIL_MESSAGE** Any incoming .eml
+  message is saved and available, helps when customer spent some time
+  doing fancy markup which has been corrupted during the
+  email-to-ticket-comment translate process.
+
+  Requires ``HELPDESK_ENABLE_ATTACHMENTS`` to be set to `True`

From d3553d9335c6b50a1120ba3760b6965d1d9693d7 Mon Sep 17 00:00:00 2001
From: Georg Lehner <jorge@magma-soft.at>
Date: Thu, 6 Jun 2024 16:55:53 +0200
Subject: [PATCH 04/10] Add warning about new default to
 HELPDESK_ENABLE_ATTACHEMENTS

---
 docs/settings.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/settings.rst b/docs/settings.rst
index ea1529b7..004a06bf 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -61,6 +61,12 @@ Settings related to attachments:
   attached to tickets and followups, and emails are searched for
   attachments which are then attached to the ticket.  Also enables the
   ``HELPDESK_ALWAYS_SAVE_INCOMING_EMAIL_MESSAGE`` setting.
+
+  **Caution**: Until version 1.2.0 attachments were enabled by
+  default. Since uploaded files by default are published without access
+  control this can lead to unintended exposure of sensitive
+  data. The default is now to disable attachments by default. Only
+  enable attachments if you have secured access to them.
   
 - **HELPDESK_VALID_EXTENSIONS** Valid extensions for file types that can be attached to tickets. Note: This used to be called **VALID_EXTENSIONS** which is now deprecated.
 

From a2f944b475e983400da4b81096df1e30e74b6f18 Mon Sep 17 00:00:00 2001
From: Georg Lehner <jorge@magma-soft.at>
Date: Fri, 7 Jun 2024 17:58:41 +0200
Subject: [PATCH 05/10] Enable attachments by default

In order to not break existing django-helpdesk installations
upon upgrade.
---
 docs/settings.rst    | 10 +++++-----
 helpdesk/settings.py |  6 +++++-
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/docs/settings.rst b/docs/settings.rst
index 004a06bf..3d0131b3 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -62,11 +62,11 @@ Settings related to attachments:
   attachments which are then attached to the ticket.  Also enables the
   ``HELPDESK_ALWAYS_SAVE_INCOMING_EMAIL_MESSAGE`` setting.
 
-  **Caution**: Until version 1.2.0 attachments were enabled by
-  default. Since uploaded files by default are published without access
-  control this can lead to unintended exposure of sensitive
-  data. The default is now to disable attachments by default. Only
-  enable attachments if you have secured access to them.
+  **Caution**: Set this to False, unless you have secured access to
+   the uploaded files. Otherwise anyone on the Internet will be able
+   to download your ticket attachments.
+
+   Attachments are enabled by default for backwards compatibility.
   
 - **HELPDESK_VALID_EXTENSIONS** Valid extensions for file types that can be attached to tickets. Note: This used to be called **VALID_EXTENSIONS** which is now deprecated.
 
diff --git a/helpdesk/settings.py b/helpdesk/settings.py
index 6d83ed63..d6d1acbb 100644
--- a/helpdesk/settings.py
+++ b/helpdesk/settings.py
@@ -57,9 +57,13 @@ HELPDESK_STAFF_VIEW_PROTECTOR = getattr(settings,
                                          lambda _: None)
 
 # Enable ticket and Email attachments
+#
+# Caution! Set this to False, unless you have secured access to
+#   the uploaded files. Otherwise anyone on the Internet will be
+#   able to download your ticket attachments.
 HELPDESK_ENABLE_ATTACHMENTS = getattr(settings,
                                       'HELPDESK_ENABLE_ATTACHMENTS',
-                                      False)
+                                      True)
 
 # Enable the Dependencies field on ticket view
 HELPDESK_ENABLE_DEPENDENCIES_ON_TICKET = getattr(settings,

From 3dcbdad638be1066cff269bb0f2fb83dbee439ca Mon Sep 17 00:00:00 2001
From: Georg Lehner <jorge@magma-soft.at>
Date: Fri, 7 Jun 2024 18:04:05 +0200
Subject: [PATCH 06/10] Fix: helpdesk settings are imported as settings

---
 helpdesk/email.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/helpdesk/email.py b/helpdesk/email.py
index de9aebdc..3bb9463c 100644
--- a/helpdesk/email.py
+++ b/helpdesk/email.py
@@ -595,7 +595,7 @@ def create_object_from_email_message(message, ticket_id, payload, files, logger)
 
     logger.info("[%s-%s] %s" % (ticket.queue.slug, ticket.id, ticket.title,))
 
-    if helpdesk.settings.HELPDESK_ENABLE_ATTACHMENTS:
+    if settings.HELPDESK_ENABLE_ATTACHMENTS:
         try:
             attached = process_attachments(f, files)
         except ValidationError as e:
@@ -985,7 +985,7 @@ def extract_email_metadata(message: str,
     filtered_body, full_body = extract_email_message_content(message_obj, files, include_chained_msgs)
     # If the base part is not a multipart then it will have already been processed as the vbody content so
     # no need to process attachments
-    if "multipart" == message_obj.get_content_maintype() and helpdesk.settings.HELPDESK_ENABLE_ATTACHMENTS:
+    if "multipart" == message_obj.get_content_maintype() and settings.HELPDESK_ENABLE_ATTACHMENTS:
         # Find and attach all other parts or part contents as attachments
         counter, content_parts_excluded = extract_attachments(message_obj, files, logger)
         if not content_parts_excluded:
@@ -995,7 +995,7 @@ def extract_email_metadata(message: str,
                  Verify that there were no text/* parts containing message content.")
         if logger.isEnabledFor(logging.DEBUG):
             logger.debug("Email parsed and %s attachments were found and attached.", counter)
-    if helpdesk.settings.HELPDESK_ENABLE_ATTACHMENTS:
+    if settings.HELPDESK_ENABLE_ATTACHMENTS:
         add_file_if_always_save_incoming_email_message(files, message)
 
     smtp_priority = message_obj.get('priority', '')

From 78cf89ca9b707dbf9826b3bbd3a2ca1aa624f07d Mon Sep 17 00:00:00 2001
From: Georg Lehner <jorge@magma-soft.at>
Date: Mon, 10 Jun 2024 11:24:00 +0200
Subject: [PATCH 07/10] Exclude related JavaScript function from staff Ticket
 view when attachments are not enabled

---
 helpdesk/templates/helpdesk/ticket.html | 117 ++++++++++++------------
 1 file changed, 60 insertions(+), 57 deletions(-)

diff --git a/helpdesk/templates/helpdesk/ticket.html b/helpdesk/templates/helpdesk/ticket.html
index 652988e0..ce7d61e4 100644
--- a/helpdesk/templates/helpdesk/ticket.html
+++ b/helpdesk/templates/helpdesk/ticket.html
@@ -266,71 +266,74 @@ $( function() {
 </script>
 
 <script type='text/javascript' language='javascript'>
-$(document).ready(function() {
-    $("#ShowFurtherEditOptions").click(function() {
-        $("#FurtherEditOptions").toggle();
-    });
+  $(document).ready(function() {
+      $("#ShowFurtherEditOptions").click(function() {
+          $("#FurtherEditOptions").toggle();
+      });
 
-    $("#ShowChecklistEditOptions").click(function() {
-        $("#checklistEdit").toggle();
-    });
+      $("#ShowChecklistEditOptions").click(function() {
+          $("#checklistEdit").toggle();
+      });
 
-    $("#ShowFileUpload").click(function() {
-        $("#FileUpload").fadeIn();
-        $("#ShowFileUploadPara").hide();
-    });
+      $('#id_preset').change(function() {
+          preset = $('#id_preset').val();
+          if (preset != '') {
+              $.get("{% url 'helpdesk:raw' 'preset' %}?id=" + preset, function(data) {
+                  $("#commentBox").val(data)
+              });
+          }
+      });
 
-    $('#id_preset').change(function() {
-        preset = $('#id_preset').val();
-        if (preset != '') {
-           $.get("{% url 'helpdesk:raw' 'preset' %}?id=" + preset, function(data) {
-                $("#commentBox").val(data)
-            });
-        }
-    });
+      // Preset name of checklist when a template is selected
+      $('#id_checklist_template').on('change', function() {
+          const nameField = $('#id_name')
+          const selectedTemplate = $(this).children(':selected')
+          if (nameField.val() === '' && selectedTemplate.val()) {
+              nameField.val(selectedTemplate.text())
+          }
+      })
 
-    // Preset name of checklist when a template is selected
-    $('#id_checklist_template').on('change', function() {
-        const nameField = $('#id_name')
-        const selectedTemplate = $(this).children(':selected')
-        if (nameField.val() === '' && selectedTemplate.val()) {
-            nameField.val(selectedTemplate.text())
-        }
-    })
+      $('.disabledTask').on('click', () => {
+          alert('{% trans 'If you want to update state of checklist tasks, please do a Follow-Up response and click on "Update checklists"' %}')
+      })
 
-    $('.disabledTask').on('click', () => {
-        alert('{% trans 'If you want to update state of checklist tasks, please do a Follow-Up response and click on "Update checklists"' %}')
-    })
+      $("[data-toggle=tooltip]").tooltip();
 
-    $("[data-toggle=tooltip]").tooltip();
+      {% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
+      $("#ShowFileUpload").click(function() {
+          $("#FileUpload").fadeIn();
+          $("#ShowFileUploadPara").hide();
+      });
 
-    // lists for file input change events, then updates the associated text label
-    // with the file name selected
-    $('.add_file_fields_wrap').on('fileselect', ':file', function(event, numFiles, label, browseButtonNum) {
-        $("#selectedfilename"+browseButtonNum).html(label);
-    });
+      // lists for file input change events, then updates the associated text label
+      // with the file name selected
+      $('.add_file_fields_wrap').on('fileselect', ':file', function(event, numFiles, label, browseButtonNum) {
+          $("#selectedfilename"+browseButtonNum).html(label);
+      });
 
-    var x = 0;
-    var wrapper         = $(".add_file_fields_wrap"); //Fields wrapper
-    var add_button      = $(".add_file_field_button"); //Add button ID
+      var x = 0;
+      var wrapper         = $(".add_file_fields_wrap"); //Fields wrapper
+      var add_button      = $(".add_file_field_button"); //Add button ID
 
-    $(add_button).click(function(e){ //on add input button click
-        x++;
-        e.preventDefault();
-        $(wrapper).append("<div><label class='btn btn-primary btn-sm btn-file'>Browse... <input type='file' name='attachment' id='file" + x + "' multiple style='display: none;'/></label><span>&nbsp;</span><span id='selectedfilename" + x + "'>{% trans 'No files selected.' %}</span></div>"); //add input box
-    });
+      $(add_button).click(function(e){ //on add input button click
+          x++;
+          e.preventDefault();
+          $(wrapper).append("<div><label class='btn btn-primary btn-sm btn-file'>Browse... <input type='file' name='attachment' id='file" + x + "' multiple style='display: none;'/></label><span>&nbsp;</span><span id='selectedfilename" + x + "'>{% trans 'No files selected.' %}</span></div>"); //add input box
+      });
+      {% endif %}
+  });
 
-});
-
-// this function listens for changes on any file input, and
-// emits the appropriate event to update the input's text.
-// Needed to have properly styled file input buttons! (this really shouldn't be this hard...)
-$(document).on('change', ':file', function() {
-    var input = $(this),
-        inputWidgetNum = $(this).attr('id').split("file")[1],
-        numFiles = input.get(0).files ? input.get(0).files.length : 1,
-        label = input.val().replace(/\\/g, '/').replace(/.*\//, '');
-    input.trigger('fileselect', [numFiles, label, inputWidgetNum]);
-});
-</script>
+  {% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
+  // this function listens for changes on any file input, and
+  // emits the appropriate event to update the input's text.
+  // Needed to have properly styled file input buttons! (this really shouldn't be this hard...)
+  $(document).on('change', ':file', function() {
+      var input = $(this),
+          inputWidgetNum = $(this).attr('id').split("file")[1],
+          numFiles = input.get(0).files ? input.get(0).files.length : 1,
+          label = input.val().replace(/\\/g, '/').replace(/.*\//, '');
+      input.trigger('fileselect', [numFiles, label, inputWidgetNum]);
+  });
+  {% endif %}
+  </script>
 {% endblock %}

From 20cd08fe28afa47967a75da0ecf51246e1e177e5 Mon Sep 17 00:00:00 2001
From: Georg Lehner <jorge@magma-soft.at>
Date: Mon, 10 Jun 2024 12:47:13 +0200
Subject: [PATCH 08/10] Do not show attachments in public tickets if not
 enabled, fix attachment upload if enabled

Attachments in followups were still shown (if they existed) even if
HELPDESK_ENABLE_ATTACHMENT was set to False.

If attachments were enabled it was not possible to upload them because
the JavaScript code for uploading attachments to public was not loaded
in the template.
---
 helpdesk/templates/helpdesk/public_base.html  |  1 +
 .../helpdesk/public_view_ticket.html          | 66 +++++++++++++++----
 2 files changed, 56 insertions(+), 11 deletions(-)

diff --git a/helpdesk/templates/helpdesk/public_base.html b/helpdesk/templates/helpdesk/public_base.html
index ca0b74e1..22f256dc 100644
--- a/helpdesk/templates/helpdesk/public_base.html
+++ b/helpdesk/templates/helpdesk/public_base.html
@@ -9,6 +9,7 @@
 
     {% include 'helpdesk/base-head.html' %}
     {% block helpdesk_head %}{% endblock %}
+    {% include 'helpdesk/base_js.html' %}
 
 </head>
 
diff --git a/helpdesk/templates/helpdesk/public_view_ticket.html b/helpdesk/templates/helpdesk/public_view_ticket.html
index ee36e304..4c5a736e 100644
--- a/helpdesk/templates/helpdesk/public_view_ticket.html
+++ b/helpdesk/templates/helpdesk/public_view_ticket.html
@@ -75,16 +75,19 @@
 {% for followup in ticket.followup_set.public_followups %}
 <div class='followup well card'>
     <p><b>{{ followup.title }} <span class='byline text-info'>{% if followup.user %}by {{ followup.user }}{% endif %} <span title='{{ followup.date|date:"DATETIME_FORMAT" }}'>{{ followup.date|naturaltime }}</span></span></b></p>
-{{ followup.comment|force_escape|urlizetrunc:50|num_to_link|linebreaksbr }}
-{% if followup.ticketchange_set.all %}<div class='changes'><ul>
-{% for change in followup.ticketchange_set.all %}
-<li>{% blocktrans with change.field as field and change.old_value as old_value and change.new_value as new_value %}Changed {{ field }} from {{ old_value }} to {{ new_value }}.{% endblocktrans %}</li>
-{% endfor %}
-</ul></div>{% endif %}
-{% for attachment in followup.followupattachment_set.all %}{% if forloop.first %}<div class='attachments'><ul>{% endif %}
-<li><a href='{{ attachment.file.url }}'>{{ attachment.filename }}</a> ({{ attachment.mime_type }}, {{ attachment.size|filesizeformat }})</li>
-{% if forloop.last %}</ul></div>{% endif %}
-{% endfor %}
+    {{ followup.comment|force_escape|urlizetrunc:50|num_to_link|linebreaksbr }}
+    {% if followup.ticketchange_set.all %}<div class='changes'><ul>
+	    {% for change in followup.ticketchange_set.all %}
+	    <li>{% blocktrans with change.field as field and change.old_value as old_value and change.new_value as new_value %}Changed {{ field }} from {{ old_value }} to {{ new_value }}.{% endblocktrans %}</li>
+	    {% endfor %}
+    </ul></div>{% endif %}
+
+    {% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
+    {% for attachment in followup.followupattachment_set.all %}{% if forloop.first %}<div class='attachments'><ul>{% endif %}
+	    <li><a href='{{ attachment.file.url }}'>{{ attachment.filename }}</a> ({{ attachment.mime_type }}, {{ attachment.size|filesizeformat }})</li>
+	    {% if forloop.last %}</ul></div>{% endif %}
+    {% endfor %}
+    {% endif %}
 </div>
 {% endfor %}
 {% endif %}
@@ -133,6 +136,7 @@
         <dt><label for='id_file'>{% trans "Attach a File" %}</label></dt>
         <dd>
             <div class="add_file_fields_wrap">
+                <button class="add_file_field_button btn btn-success btn-xs">{% trans "Add Another File" %}</button>
                 <div><label class='btn btn-primary btn-sm btn-file'>
                         Browse... <input type="file" name='attachment' id='file0' style='display: none;'/>
                 </label><span>&nbsp;</span><span id='selectedfilename0'>{% trans 'No files selected.' %}</span></div>
@@ -146,7 +150,47 @@
 
 <button class="btn btn-primary btn-lg" style="margin-bottom:10px" type='submit'>{% trans "Update This Ticket" %}</button>
 
-{% csrf_token %}</form>
+{% csrf_token %}
+</form>
 
+{% if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS %}
+<script type='text/javascript' language='javascript'>
+  $(document).ready(function() {
+
+      $("#ShowFileUpload").click(function() {
+          $("#FileUpload").fadeIn();
+          $("#ShowFileUploadPara").hide();
+      });
+
+      // lists for file input change events, then updates the associated text label
+      // with the file name selected
+      $('.add_file_fields_wrap').on('fileselect', ':file', function(event, numFiles, label, browseButtonNum) {
+          $("#selectedfilename"+browseButtonNum).html(label);
+      });
+
+      var x = 0;
+      var wrapper         = $(".add_file_fields_wrap"); //Fields wrapper
+      var add_button      = $(".add_file_field_button"); //Add button ID
+
+      $(add_button).click(function(e){ //on add input button click
+          x++;
+          e.preventDefault();
+          $(wrapper).append("<div><label class='btn btn-primary btn-sm btn-file'>Browse... <input type='file' name='attachment' id='file" + x + "' multiple style='display: none;'/></label><span>&nbsp;</span><span id='selectedfilename" + x + "'>{% trans 'No files selected.' %}</span></div>"); //add input box
+      });
+  });
+
+  // this function listens for changes on any file input, and
+  // emits the appropriate event to update the input's text.
+  // Needed to have properly styled file input buttons! (this really shouldn't be this hard...)
+  $(document).on('change', ':file', function() {
+      var input = $(this),
+          inputWidgetNum = $(this).attr('id').split("file")[1],
+          numFiles = input.get(0).files ? input.get(0).files.length : 1,
+          label = input.val().replace(/\\/g, '/').replace(/.*\//, '');
+      input.trigger('fileselect', [numFiles, label, inputWidgetNum]);
+  });
+
+</script>
+{% endif %}
 
 {% endblock %}

From 80ae20d1ac79ddb5d061271859b510b3d1a4ea41 Mon Sep 17 00:00:00 2001
From: Georg Lehner <jorge@magma-soft.at>
Date: Wed, 12 Jun 2024 14:58:00 +0200
Subject: [PATCH 09/10] Fix: Saving tickets with attachments disabled raises
 error

Exclude code where followups add their attachments to a new ticket.
Make helper function _attach_files_to_follow_up() more robust.
---
 helpdesk/forms.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/helpdesk/forms.py b/helpdesk/forms.py
index 3124f281..60d363cc 100644
--- a/helpdesk/forms.py
+++ b/helpdesk/forms.py
@@ -327,7 +327,7 @@ class AbstractTicketForm(CustomFieldMixin, forms.Form):
         return followup
 
     def _attach_files_to_follow_up(self, followup):
-        files = self.cleaned_data['attachment']
+        files = self.cleaned_data.get('attachment')
         if files:
             files = process_attachments(followup, [files])
         return files
@@ -419,7 +419,10 @@ class TicketForm(AbstractTicketForm):
         followup = self._create_follow_up(ticket, title=title, user=user)
         followup.save()
 
-        files = self._attach_files_to_follow_up(followup)
+        if settings.HELPDESK_ENABLE_ATTACHMENTS:
+            files = self._attach_files_to_follow_up(followup)
+        else:
+            files = None
 
         # emit signal when the TicketForm.save is done
         new_ticket_done.send(sender="TicketForm", ticket=ticket)

From 9228c7fbd01d04ca0a08ca5ffe21094362779f36 Mon Sep 17 00:00:00 2001
From: Georg Lehner <jorge@magma-soft.at>
Date: Wed, 12 Jun 2024 15:04:23 +0200
Subject: [PATCH 10/10] Fix Fix: correct variable name and test

---
 helpdesk/forms.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helpdesk/forms.py b/helpdesk/forms.py
index 60d363cc..5559b32f 100644
--- a/helpdesk/forms.py
+++ b/helpdesk/forms.py
@@ -419,7 +419,7 @@ class TicketForm(AbstractTicketForm):
         followup = self._create_follow_up(ticket, title=title, user=user)
         followup.save()
 
-        if settings.HELPDESK_ENABLE_ATTACHMENTS:
+        if helpdesk_settings.HELPDESK_ENABLE_ATTACHMENTS:
             files = self._attach_files_to_follow_up(followup)
         else:
             files = None