
Merge branch 'feat/admin-disable-link-sharing' into feat/admin-disable-link-sharing-front-security-general-settings

hakumizuki 4 лет назад
Родитель
Сommit
6d52184bc6

+ 5 - 0
src/server/routes/apiv3/security-setting.js

@@ -21,6 +21,7 @@ const validator = {
     ]),
     body('hideRestrictedByOwner').if(value => value != null).isBoolean(),
     body('hideRestrictedByGroup').if(value => value != null).isBoolean(),
+    body('disableLinkSharing').if(value => value != null).isBoolean(),
   ],
   authenticationSetting: [
     body('isEnabled').if(value => value != null).isBoolean(),
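Review bot: The added `disableLinkSharing` rule only validates the value; it does not convert it, and `isBoolean()` accepts the strings `'true'`, `'false'`, `'1'` and `'0'` as well as real booleans. The later hunk in this file writes `req.body.disableLinkSharing` into `security:disableLinkSharing` as received, and the checks in share-links.js and page.js test the stored value for truthiness, so a stored string `'false'` would be read as "sharing disabled". If the client can send anything other than a JSON boolean, normalise at the validator with something like `body('disableLinkSharing').if(value => value != null).isBoolean().toBoolean(),`. The neighbouring `hideRestrictedByOwner` and `hideRestrictedByGroup` rules use the same pattern and would benefit from the same treatment. Separately, how the update handler treats an omitted field is not visible here, so confirm that a request without `disableLinkSharing` cannot overwrite the stored flag with `undefined`.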
@@ -363,6 +364,7 @@ module.exports = (crowi) => {
         hideRestrictedByGroup: await crowi.configManager.getConfig('crowi', 'security:list-policy:hideRestrictedByGroup'),
         wikiMode: await crowi.configManager.getConfig('crowi', 'security:wikiMode'),
         sessionMaxAge: await crowi.configManager.getConfig('crowi', 'security:sessionMaxAge'),
+        disableLinkSharing: await crowi.configManager.getConfig('crowi', 'security:disableLinkSharing'),
       },
       localSetting: {
         useOnlyEnvVarsForSomeOptions: await crowi.configManager.getConfig('crowi', 'security:passport-local:useOnlyEnvVarsForSomeOptions'),
@@ -572,6 +574,7 @@ module.exports = (crowi) => {
       'security:sessionMaxAge': parseInt(req.body.sessionMaxAge),
       'security:restrictGuestMode': req.body.restrictGuestMode,
       'security:pageCompleteDeletionAuthority': req.body.pageCompleteDeletionAuthority,
+      'security:disableLinkSharing': req.body.disableLinkSharing,
       'security:list-policy:hideRestrictedByOwner': req.body.hideRestrictedByOwner,
       'security:list-policy:hideRestrictedByGroup': req.body.hideRestrictedByGroup,
     };
@@ -586,9 +589,11 @@ module.exports = (crowi) => {
         sessionMaxAge: await crowi.configManager.getConfig('crowi', 'security:sessionMaxAge'),
         restrictGuestMode: await crowi.configManager.getConfig('crowi', 'security:restrictGuestMode'),
         pageCompleteDeletionAuthority: await crowi.configManager.getConfig('crowi', 'security:pageCompleteDeletionAuthority'),
+        disableLinkSharing: await crowi.configManager.getConfig('crowi', 'security:disableLinkSharing'),
         hideRestrictedByOwner: await crowi.configManager.getConfig('crowi', 'security:list-policy:hideRestrictedByOwner'),
         hideRestrictedByGroup: await crowi.configManager.getConfig('crowi', 'security:list-policy:hideRestrictedByGroup'),
       };
+
       return res.apiv3({ securitySettingParams });
     }
     catch (err) {

+ 15 - 2
src/server/routes/apiv3/share-links.js

@@ -30,6 +30,19 @@ module.exports = (crowi) => {
   const ShareLink = crowi.model('ShareLink');
   const Page = crowi.model('Page');
 
+  /**
+   * middleware to limit link sharing
+   */
+  const linkSharingRequired = (req, res, next) => {
+    const isLinkSharingDisabled = crowi.configManager.getConfig('crowi', 'security:disableLinkSharing');
+    logger.debug(`isLinkSharingDisabled: ${isLinkSharingDisabled}`);
+
+    if (isLinkSharingDisabled) {
+      return res.apiv3Err(new ErrorV3('Link sharing is disabled', 'link-sharing-disabled'));
+    }
+    next();
+  };
+
   validator.getShareLinks = [
     // validate the page id is MongoId
     query('relatedPage').isMongoId().withMessage('Page Id is required'),
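Review bot: `linkSharingRequired` calls `res.apiv3Err(...)` without a status argument, so the refusal is sent with whatever default that helper uses. Since this is a policy refusal and not a malformed request, an explicit status such as `return res.apiv3Err(new ErrorV3('Link sharing is disabled', 'link-sharing-disabled'), 403);` would let clients and log-based monitoring tell it apart from validation failures. This assumes `apiv3Err` takes the status as its second parameter, which should be confirmed against its definition outside this diff. The guard is attached to `GET /` and `POST /` in the following hunks; other routes in this file are not visible here, so it is worth checking which should stay usable while sharing is disabled (deleting existing links probably should). The doc comment could also state the behaviour, e.g. `rejects the request when security:disableLinkSharing is truthy`.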
@@ -54,7 +67,7 @@ module.exports = (crowi) => {
    *          200:
    *            description: Succeeded to get share links
    */
-  router.get('/', loginRequired, validator.getShareLinks, apiV3FormValidator, async(req, res) => {
+  router.get('/', loginRequired, linkSharingRequired, validator.getShareLinks, apiV3FormValidator, async(req, res) => {
     const { relatedPage } = req.query;
 
     const page = await Page.findByIdAndViewer(relatedPage, req.user);
@@ -115,7 +128,7 @@ module.exports = (crowi) => {
    *            description: Succeeded to create one share link
    */
 
-  router.post('/', loginRequired, csrf, validator.shareLinkStatus, apiV3FormValidator, async(req, res) => {
+  router.post('/', loginRequired, linkSharingRequired, csrf, validator.shareLinkStatus, apiV3FormValidator, async(req, res) => {
     const { relatedPage, expiredAt, description } = req.body;
 
     const page = await Page.findByIdAndViewer(relatedPage, req.user);

+ 3 - 0
src/server/routes/page.js

@@ -413,6 +413,9 @@ module.exports = function(crowi, app) {
       // page or sharelink are not found
       return res.render('layout-growi/not_found_shared_page');
     }
+    if (crowi.configManager.getConfig('crowi', 'security:disableLinkSharing')) {
+      return res.render('layout-growi/forbidden');
+    }
 
     const renderVars = {};