
Merge pull request #8805 from weseek/support/modify-env-var-for-s3-object-acl

support: Modify env var for S3 Object-ACL
Yuki Takei 1 tahun lalu
induk
melakukan
1644eb51a9

+ 4 - 4
apps/app/src/server/service/config-loader.ts

@@ -471,11 +471,11 @@ const ENV_VAR_NAME_TO_CONFIG_INFO = {
     type:    ValueType.NUMBER,
     default: 120,
   },
-  S3_BUCKET_ACLS_DISABLE: {
+  S3_OBJECT_ACL: {
     ns:      'crowi',
-    key:     'aws:s3BucketAclsDisable',
-    type:    ValueType.BOOLEAN,
-    default: false,
+    key:     'aws:s3ObjectCannedACL',
+    type:    ValueType.STRING,
+    default: 'public-read',
   },
   GCS_API_KEY_JSON_PATH: {
     ns:      'crowi',
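Review bot: The switch to `S3_OBJECT_ACL` drops `S3_BUCKET_ACLS_DISABLE` with no fallback, so a deployment that had set the old variable to true will, after upgrading, fall through to `default: 'public-read'` and send a public canned ACL on uploads. Where the bucket honours ACLs, that makes the uploaded objects world-readable. I would either keep honouring the old variable for a release or make the restrictive value the default, e.g. `default: 'private'`, and mention the change in the upgrade notes. The enclosing `ENV_VAR_NAME_TO_CONFIG_INFO` object starts and ends outside the hunk, so an existing deprecation mechanism may simply not be visible here.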

+ 21 - 5
apps/app/src/server/service/file-uploader/aws.ts

@@ -48,12 +48,28 @@ const isFileExists = async(s3: S3Client, params: HeadObjectCommandInput) => {
   return true;
 };
 
-const getS3PutObjectCannedAcl = (): ObjectCannedACL => {
-  // NOTE: When ACLs are disabled in an S3 bucket, use the Canned ACL "private"
-  if (configManager.getConfig('crowi', 'aws:s3BucketAclsDisable')){
-      return ObjectCannedACL.private;
+const ObjectCannedACLs = [
+  ObjectCannedACL.authenticated_read,
+  ObjectCannedACL.aws_exec_read,
+  ObjectCannedACL.bucket_owner_full_control,
+  ObjectCannedACL.bucket_owner_read,
+  ObjectCannedACL.private,
+  ObjectCannedACL.public_read,
+  ObjectCannedACL.public_read_write,
+];
+const isValidObjectCannedACL = (acl: string | null): acl is ObjectCannedACL => {
+  return ObjectCannedACLs.includes(acl as ObjectCannedACL);
+};
+/**
+ * @see: https://dev.growi.org/5d091f611fe336003eec5bfdz
+ * @returns ObjectCannedACL
+ */
+const getS3PutObjectCannedAcl = (): ObjectCannedACL | undefined => {
+  const s3ObjectCannedACL = configManager.getConfig('crowi', 'aws:s3ObjectCannedACL');
+  if (isValidObjectCannedACL(s3ObjectCannedACL)) {
+    return s3ObjectCannedACL;
   }
-  return ObjectCannedACL.public_read;
+  return undefined;
 };
 
 const getS3Bucket = (): string | undefined => {
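Review bot: An unrecognised `aws:s3ObjectCannedACL` value is dropped silently in `getS3PutObjectCannedAcl`: the guard fails and the function returns `undefined`, so a typo in the variable changes which ACL is applied with nothing in the logs. I would log a warning on that branch naming the rejected value, using whatever logger the file already has. The doc block should also be corrected, since it still says `@returns ObjectCannedACL`; something like `@returns the configured canned ACL, or undefined when the value is not a known ObjectCannedACL (presumably no ACL is then sent)`. The hand-written `ObjectCannedACLs` list can drift from the SDK, and `Object.values(ObjectCannedACL)` should yield the same set. How the return value reaches the upload call is outside this hunk.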