From 64b900d90ced88aaceddaceaff0940c24c2b7b8a Mon Sep 17 00:00:00 2001
From: mappu
Date: Wed, 17 May 2023 19:08:24 +1200
Subject: [PATCH] server: add readonly mode to block uploads
---
 Server.go | 1 +
 cmd/contented/main.go | 2 ++
 upload.go | 5 +++++
 3 files changed, 8 insertions(+)
diff --git a/Server.go b/Server.go
index d8cd393..f9bae8c 100644
--- a/Server.go
+++ b/Server.go
@@ -37,6 +37,7 @@ type ServerOptions struct {
 BandwidthLimit int64
 TrustXForwardedFor bool
 EnableHomepage bool
+ EnableUpload bool
 MaxConcurrentThumbs int
 ServerPublicProperties
 }
diff --git a/cmd/contented/main.go b/cmd/contented/main.go
index 9fdf4d6..25c5044 100644
--- a/cmd/contented/main.go
+++ b/cmd/contented/main.go
@@ -20,6 +20,7 @@ func main() {
 maxUploadSpeed := flag.Int("speed", 0, "Maximum upload speed in bytes/sec (set zero for unlimited)")
 trustXForwardedFor := flag.Bool("trustXForwardedFor", false, "Trust X-Forwarded-For reverse proxy headers")
 enableHomepage := flag.Bool("enableHomepage", true, "Enable homepage (disable for embedded use only)")
+ enableUpload := flag.Bool("enableUpload", true, "Enable uploads (disable for read-only mode)")
 diskFilesWorldReadable := flag.Bool("diskFilesWorldReadable", false, "Save files as 0644 instead of 0600")
 maxConcurrentThumbs := flag.Int("concurrentthumbs", contented.DEFAULT_MAX_CONCURRENT_THUMBS, "Simultaneous thumbnail generation")
@@ -31,6 +32,7 @@ func main() {
 BandwidthLimit: int64(*maxUploadSpeed),
 TrustXForwardedFor: *trustXForwardedFor,
 EnableHomepage: *enableHomepage,
+ EnableUpload: *enableUpload,
 DiskFilesWorldReadable: *diskFilesWorldReadable,
 MaxConcurrentThumbs: *maxConcurrentThumbs,
 ServerPublicProperties: contented.ServerPublicProperties{
diff --git a/upload.go b/upload.go
index a73d6a1..9bf9279 100644
--- a/upload.go
+++ b/upload.go
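Review bot: The new `EnableUpload` field in `ServerOptions` (Server.go) has a zero value of `false`, so any embedder that builds the struct without naming the field gets a read-only server after this change; only the CLI keeps the old behaviour, through the `enableUpload` flag default of `true` in cmd/contented/main.go. Failing closed is the safe direction, but it is a silent behaviour change for library callers and the field carries no comment saying so. I would add `// EnableUpload permits uploads; the zero value (false) makes the server read-only.` above the field. The struct's earlier fields lie outside the hunk.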
@@ -18,6 +18,11 @@ import (
 func (this *Server) handleUpload(w http.ResponseWriter, r *http.Request) {
+ if !this.opts.EnableUpload {
+ http.Error(w, "Server is read-only", 403)
+ return
+ }
+
 remoteIP := this.remoteIP(r)
 err := r.ParseMultipartForm(0) // buffer upload in temporary files on disk, not memory
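Review bot: The read-only check is added inside `handleUpload` only, so the mode is only as complete as the set of handlers that carry this guard. No other write path is visible in this patch, but any other route that stores content would need the same check, or the check could move to the point where routes are dispatched. Placing it before `r.ParseMultipartForm(0)` is right, since a refused request then never has its body buffered to disk. I would use the named constant, `http.Error(w, "Server is read-only", http.StatusForbidden)`, and add a one-line comment such as `// Read-only mode: refuse before any of the request body is parsed.` above the check. The body of `handleUpload` continues past the end of the hunk.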