github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 04:01:18 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FEATURE: allow S3 ACLs to be disabled (#21769)

Browse Source 
AWS recommends running buckets without ACLs, and to use resource policies to manage access control instead.
This is not a bad idea, because S3 ACLs are whack, and while resource policies are also whack, they're a more constrained form of whack.
Further, some compliance regimes get antsy if you don't go with the vendor's recommended settings, and arguing that you need to enable ACLs on a bucket just to store images in there is more hassle than it's worth.
The new site setting (s3_use_acls) cannot be disabled when secure
uploads is enabled -- the latter relies on private ACLs for security
at this point in time. We may want to reexamine this in future.
This commit is contained in:
Matt Palmer
2023-06-06 15:47:40 +10:00
committed by GitHub
parent d2ef490e9a
commit a98d2a8086
11 changed files with 103 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/site_settings/validations.rb
View File

@ -168,11 +168,15 @@ module SiteSettings::Validations
end
def validate_secure_uploads(new_val)
if new_val == "t" && !SiteSetting.Upload.enable_s3_uploads
if new_val == "t" && (!SiteSetting.Upload.enable_s3_uploads || !SiteSetting.s3_use_acls)
validate_error :secure_uploads_requirements
end
end
def validate_s3_use_acls(new_val)
validate_error :s3_use_acls_requirements if new_val == "f" && SiteSetting.secure_uploads
end
def validate_enable_page_publishing(new_val)
validate_error :page_publishing_requirements if new_val == "t" && SiteSetting.secure_uploads?
end