add: S3_BUCKET_ACLS_DIABLE environment variable

apps/app/src/server/models/config.ts

@@ -110,7 +110,6 @@ export const defaultCrowiConfigs: { [key: string]: any } = {
   'aws:s3AccessKeyId'     : undefined,
   'aws:s3SecretAccessKey' : undefined,
   'aws:s3CustomEndpoint'  : undefined,
-  'aws:s3PutObjectAcl'    : 'public-read',
 
   'mail:from'         : undefined,
   'mail:smtpHost'     : undefined,

apps/app/src/server/service/config-loader.ts

@@ -471,6 +471,12 @@ const ENV_VAR_NAME_TO_CONFIG_INFO = {
     type:    ValueType.NUMBER,
     default: 120,
   },
+  S3_BUCKET_ACLS_DISABLE: {
+    ns:      'crowi',
+    key:     'aws:s3BucketAclsDisable',
+    type:    ValueType.BOOLEAN,
+    default: false,
+  },
   GCS_API_KEY_JSON_PATH: {
     ns:      'crowi',
     key:     'gcs:apiKeyJsonPath',

apps/app/src/server/service/file-uploader/aws.ts

@@ -48,14 +48,11 @@ const isFileExists = async(s3: S3Client, params: HeadObjectCommandInput) => {
   return true;
 };
 
-const getConfigS3PutObjectAcl = (): ObjectCannedACL => {
-  switch (configManager.getConfig('crowi', 's3PutObjectAcl')){
-    case 'private':
+const getS3PutObjectCannedAcl = (): ObjectCannedACL => {
+  // NOTE: When ACLs are disabled in an S3 bucket, use the Canned ACL "private"
+  if (configManager.getConfig('crowi', 'aws:s3BucketAclsDisable')){
       return ObjectCannedACL.private;
-    case 'public-read':
-      return ObjectCannedACL.public_read;
   }
-  // default
   return ObjectCannedACL.public_read;
 };
 
@@ -223,7 +220,8 @@ module.exports = (crowi) => {
         configManager.getConfig('crowi', 'aws:s3Region') != null
           || configManager.getConfig('crowi', 'aws:s3CustomEndpoint') != null
       )
-      && configManager.getConfig('crowi', 'aws:s3Bucket') != null;
+      && configManager.getConfig('crowi', 'aws:s3Bucket') != null
+      && configManager.getConfig('crowi', 'aws:s3BucketAclsDisable') != null;
   };
 
   (lib as any).deleteFile = async function(attachment) {
@@ -285,7 +283,7 @@ module.exports = (crowi) => {
       Bucket: getS3Bucket(),
       Key: filePath,
       Body: fileStream,
-      ACL: getConfigS3PutObjectAcl(),
+      ACL: getS3PutObjectCannedAcl(),
       // put type and the file name for reference information when uploading
       ContentType: contentHeaders.contentType?.value.toString(),
       ContentDisposition: contentHeaders.contentDisposition?.value.toString(),
@@ -300,7 +298,7 @@ module.exports = (crowi) => {
       ContentType: contentType,
       Key: filePath,
       Body: data,
-      ACL: getConfigS3PutObjectAcl(),
+      ACL: getS3PutObjectCannedAcl(),
     }));
   };