Add disable download source configuration (#20548)

Add configuration to enable/disable download source from UI.

Co-authored-by: zeripath <art27@cantab.net>

9 files changed, 39 insertions, 16 deletions

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 1c6a7e3b7c..ac0c9e9c86 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -879,6 +879,9 @@ ROUTER = console
 ;; Allow deletion of unadopted repositories
 ;ALLOW_DELETION_OF_UNADOPTED_REPOSITORIES = false
 
+;; Don't allow download source archive files from UI
+;DISABLE_DOWNLOAD_SOURCE_ARCHIVES = false
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[repository.editor]
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index cb2b9526d7..e4e7ad7b19 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -78,6 +78,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `DEFAULT_BRANCH`: **main**: Default branch name of all repositories.
 - `ALLOW_ADOPTION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to adopt unadopted repositories
 - `ALLOW_DELETION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to delete unadopted repositories
+- `DISABLE_DOWNLOAD_SOURCE_ARCHIVES`: **false**: Don't allow download source archive files from UI
 
 ### Repository - Editor (`repository.editor`)
 
diff --git a/modules/setting/repository.go b/modules/setting/repository.go
index 733bc6d90e..d0406dbf90 100644
--- a/modules/setting/repository.go
+++ b/modules/setting/repository.go
@@ -48,6 +48,7 @@ var (
 		DefaultBranch                           string
 		AllowAdoptionOfUnadoptedRepositories    bool
 		AllowDeleteOfUnadoptedRepositories      bool
+		DisableDownloadSourceArchives           bool
 
 		// Repository editor settings
 		Editor struct {
diff --git a/modules/templates/base.go b/modules/templates/base.go
index 282019f826..9563650e12 100644
--- a/modules/templates/base.go
+++ b/modules/templates/base.go
@@ -35,10 +35,11 @@ func BaseVars() Vars {
 		"IsLandingPageExplore":       setting.LandingPageURL == setting.LandingPageExplore,
 		"IsLandingPageOrganizations": setting.LandingPageURL == setting.LandingPageOrganizations,
 
-		"ShowRegistrationButton":      setting.Service.ShowRegistrationButton,
-		"ShowMilestonesDashboardPage": setting.Service.ShowMilestonesDashboardPage,
-		"ShowFooterBranding":          setting.ShowFooterBranding,
-		"ShowFooterVersion":           setting.ShowFooterVersion,
+		"ShowRegistrationButton":        setting.Service.ShowRegistrationButton,
+		"ShowMilestonesDashboardPage":   setting.Service.ShowMilestonesDashboardPage,
+		"ShowFooterBranding":            setting.ShowFooterBranding,
+		"ShowFooterVersion":             setting.ShowFooterVersion,
+		"DisableDownloadSourceArchives": setting.Repository.DisableDownloadSourceArchives,
 
 		"EnableSwagger":      setting.API.EnableSwagger,
 		"EnableOpenIDSignIn": setting.Service.EnableOpenIDSignIn,
diff --git a/routers/web/web.go b/routers/web/web.go
index b4e8666c44..a9f43fb2c4 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -290,6 +290,13 @@ func RegisterRoutes(m *web.Route) {
 		}
 	}
 
+	dlSourceEnabled := func(ctx *context.Context) {
+		if setting.Repository.DisableDownloadSourceArchives {
+			ctx.Error(http.StatusNotFound)
+			return
+		}
+	}
+
 	// FIXME: not all routes need go through same middleware.
 	// Especially some AJAX requests, we can reduce middleware number to improve performance.
 	// Routers.
@@ -1106,7 +1113,7 @@ func RegisterRoutes(m *web.Route) {
 		m.Group("/archive", func() {
 			m.Get("/*", repo.Download)
 			m.Post("/*", repo.InitiateDownload)
-		}, repo.MustBeNotEmpty, reqRepoCodeReader)
+		}, repo.MustBeNotEmpty, dlSourceEnabled, reqRepoCodeReader)
 
 		m.Group("/branches", func() {
 			m.Get("", repo.Branches)
diff --git a/templates/mail/release.tmpl b/templates/mail/release.tmpl
index a95647105c..931c0d1b54 100644
--- a/templates/mail/release.tmpl
+++ b/templates/mail/release.tmpl
@@ -31,12 +31,14 @@
 		<br>
 		{{.locale.Tr "mail.release.downloads"}}
 		<ul>
+			{{if not .DisableDownloadSourceArchives}}
 			<li>
 				<a href="{{.Release.Repo.Link}}/archive/{{.Release.TagName | PathEscapeSegments}}.zip" rel="nofollow"><strong>{{.locale.Tr "mail.release.download.zip"}}</strong></a>
 			</li>
 			<li>
 				<a href="{{.Release.Repo.Link}}/archive/{{.Release.TagName | PathEscapeSegments}}.tar.gz" rel="nofollow"><strong>{{.locale.Tr "mail.release.download.targz"}}</strong></a>
 			</li>
+			{{end}}
 			{{if .Release.Attachments}}
 				{{range .Release.Attachments}}
 					<li>
diff --git a/templates/repo/branch/list.tmpl b/templates/repo/branch/list.tmpl
index 82b88a00ba..4a85692a83 100644
--- a/templates/repo/branch/list.tmpl
+++ b/templates/repo/branch/list.tmpl
@@ -26,13 +26,15 @@
 										{{svg "octicon-git-branch"}}
 									</div>
 								{{end}}
-								<div class="ui basic jump dropdown icon button tooltip" data-content="{{$.locale.Tr "repo.branch.download" ($.DefaultBranch)}}" data-position="top right">
-									{{svg "octicon-download"}}
-									<div class="menu">
-										<a class="item archive-link" href="{{$.RepoLink}}/archive/{{PathEscapeSegments $.DefaultBranch}}.zip" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;ZIP</a>
-										<a class="item archive-link" href="{{$.RepoLink}}/archive/{{PathEscapeSegments $.DefaultBranch}}.tar.gz" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;TAR.GZ</a>
+								{{if not $.DisableDownloadSourceArchives}}
+									<div class="ui basic jump dropdown icon button tooltip" data-content="{{$.locale.Tr "repo.branch.download" ($.DefaultBranch)}}" data-position="top right">
+										{{svg "octicon-download"}}
+										<div class="menu">
+											<a class="item archive-link" href="{{$.RepoLink}}/archive/{{PathEscapeSegments $.DefaultBranch}}.zip" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;ZIP</a>
+											<a class="item archive-link" href="{{$.RepoLink}}/archive/{{PathEscapeSegments $.DefaultBranch}}.tar.gz" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;TAR.GZ</a>
+										</div>
 									</div>
-								</div>
+								{{end}}
 							</td>
 						</tr>
 					</tbody>
diff --git a/templates/repo/home.tmpl b/templates/repo/home.tmpl
index 5e1af447a4..825eaed111 100644
--- a/templates/repo/home.tmpl
+++ b/templates/repo/home.tmpl
@@ -124,6 +124,7 @@
 				{{if eq $n 0}}
 					<div class="ui action tiny input" id="clone-panel">
 						{{template "repo/clone_buttons" .}}
+						{{if not .DisableDownloadSourceArchives}}
 						<button id="download-btn" class="ui basic jump dropdown icon button tooltip" data-content="{{.locale.Tr "repo.download_archive"}}" data-position="top right">
 							{{svg "octicon-download"}}
 							<div class="menu">
@@ -133,6 +134,7 @@
 								<a class="item" href="vscode://vscode.git/clone?url={{$.RepoCloneLink.HTTPS}}">{{svg "gitea-vscode" 16 "mr-3"}}{{.locale.Tr "repo.clone_in_vsc"}}</a>
 							</div>
 						</button>
+						{{end}}
 					</div>
 				{{end}}
 			</div>
diff --git a/templates/repo/release/list.tmpl b/templates/repo/release/list.tmpl
index 58869d470c..4eb099129a 100644
--- a/templates/repo/release/list.tmpl
+++ b/templates/repo/release/list.tmpl
@@ -37,8 +37,10 @@
 								<div class="download df ac">
 									{{if $.Permission.CanRead $.UnitTypeCode}}
 										<a class="mr-3 mono" href="{{$.RepoLink}}/src/commit/{{.Sha1}}" rel="nofollow">{{svg "octicon-git-commit" 16 "mr-2"}}{{ShortSha .Sha1}}</a>
-										<a class="archive-link mr-3" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.zip" rel="nofollow">{{svg "octicon-file-zip" 16 "mr-2"}}ZIP</a>
-										<a class="archive-link mr-3" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.tar.gz" rel="nofollow">{{svg "octicon-file-zip" 16 "mr-2"}}TAR.GZ</a>
+										{{if not $.DisableDownloadSourceArchives}}
+											<a class="archive-link mr-3" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.zip" rel="nofollow">{{svg "octicon-file-zip" 16 "mr-2"}}ZIP</a>
+											<a class="archive-link mr-3" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.tar.gz" rel="nofollow">{{svg "octicon-file-zip" 16 "mr-2"}}TAR.GZ</a>
+										{{end}}
 										{{if (and $.CanCreateRelease $release.IsTag)}}
 											<a class="mr-3" href="{{$.RepoLink}}/releases/new?tag={{.TagName}}">{{svg "octicon-tag" 16 "mr-2"}}{{$.locale.Tr "repo.release.new_release"}}</a>
 										{{end}}
@@ -104,8 +106,10 @@
 							<div class="download">
 							{{if $.Permission.CanRead $.UnitTypeCode}}
 								<a class="mono" href="{{$.RepoLink}}/src/commit/{{.Sha1}}" rel="nofollow">{{svg "octicon-git-commit" 16 "mr-2"}}{{ShortSha .Sha1}}</a>
-								<a class="archive-link" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.zip" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;ZIP</a>
-								<a class="archive-link" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.tar.gz" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;TAR.GZ</a>
+								{{if not $.DisableDownloadSourceArchives}}
+									<a class="archive-link" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.zip" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;ZIP</a>
+									<a class="archive-link" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.tar.gz" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;TAR.GZ</a>
+								{{end}}
 							{{end}}
 							</div>
 						{{else}}
@@ -146,7 +150,7 @@
 									{{$.locale.Tr "repo.release.downloads"}}
 								</summary>
 								<ul class="list">
-									{{if and (not .IsDraft) ($.Permission.CanRead $.UnitTypeCode)}}
+									{{if and (not $.DisableDownloadSourceArchives) (not .IsDraft) ($.Permission.CanRead $.UnitTypeCode)}}
 										<li>
 											<a class="archive-link" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.zip" rel="nofollow"><strong>{{svg "octicon-file-zip" 16 "mr-2"}}{{$.locale.Tr "repo.release.source_code"}} (ZIP)</strong></a>
 										</li>