feat(config): Add sysadmin level `encription.available` configfix/no-issues/add-encryption-available-config

This is important because a user who has admin permissions who is not a sysadmin
might enable encryption without knowing the full implications, the sysadmin
should be able to prevent this.

Signed-off-by: nfebe <fenn25.fn@gmail.com>

3 files changed, 24 insertions, 4 deletions

diff --git a/apps/settings/lib/Settings/Admin/Security.php b/apps/settings/lib/Settings/Admin/Security.php
index 72485b8f8f3..b737c5c7ac2 100644
--- a/apps/settings/lib/Settings/Admin/Security.php
+++ b/apps/settings/lib/Settings/Admin/Security.php
@@ -9,6 +9,7 @@ use OC\Authentication\TwoFactorAuth\MandatoryTwoFactor;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Services\IInitialState;
 use OCP\Encryption\IManager;
+use OCP\IConfig;
 use OCP\IURLGenerator;
 use OCP\IUserManager;
 use OCP\Settings\ISettings;
@@ -22,6 +23,7 @@ class Security implements ISettings {
 		MandatoryTwoFactor $mandatoryTwoFactor,
 		private IInitialState $initialState,
 		private IURLGenerator $urlGenerator,
+		private IConfig $config,
 	) {
 		$this->mandatoryTwoFactor = $mandatoryTwoFactor;
 	}
@@ -43,6 +45,7 @@ class Security implements ISettings {
 
 		$this->initialState->provideInitialState('mandatory2FAState', $this->mandatoryTwoFactor->getState());
 		$this->initialState->provideInitialState('two-factor-admin-doc', $this->urlGenerator->linkToDocs('admin-2fa'));
+		$this->initialState->provideInitialState('encryption-available', $this->config->getSystemValue('encryption.available', true));
 		$this->initialState->provideInitialState('encryption-enabled', $this->manager->isEnabled());
 		$this->initialState->provideInitialState('encryption-ready', $this->manager->isReady());
 		$this->initialState->provideInitialState('external-backends-enabled', count($this->userManager->getBackends()) > 1);
diff --git a/apps/settings/src/components/Encryption.vue b/apps/settings/src/components/Encryption.vue
index d8dcb5434b0..302cd0f41d2 100644
--- a/apps/settings/src/components/Encryption.vue
+++ b/apps/settings/src/components/Encryption.vue
@@ -99,6 +99,7 @@ export default {
 			logger.debug('No encryption module loaded or enabled')
 		}
 		return {
+			encryptionIsAvailable: loadState('settings', 'encryption-available', false),
 			encryptionReady: loadState('settings', 'encryption-ready', false),
 			encryptionEnabled: loadState('settings', 'encryption-enabled', false),
 			externalBackendsEnabled: loadState('settings', 'external-backends-enabled'),
@@ -112,12 +113,15 @@ export default {
 	},
 	methods: {
 		displayWarning() {
+			if (encryptionIsAvailable) {
+				this.encryptionEnabledToggleEffect()
+				showError(t('settings', 'File encryption is not allowed by system administrator.'))
+				logger.debug('File encryption is not allowed by system administrator.')
+				return
+			}
 			if (!this.hasEncryptionModules || !this.encryptionReady) {
-				this.encryptionEnabled = true
+				this.encryptionEnabledToggleEffect()
 				showError(t('settings', 'Encryption is not ready, please enable an encryption module/app.'))
-				setTimeout(() => {
-					this.encryptionEnabled = false
-				}, 1000)
 				return
 			}
 			if (!this.encryptionEnabled) {
@@ -127,6 +131,12 @@ export default {
 				this.shouldDisplayWarning = false
 			}
 		},
+		encryptionEnabledToggleEffect() {
+			this.encryptionEnabled = true
+			setTimeout(() => {
+				this.encryptionEnabled = false
+			}, 1000)
+		},
 		async update(key, value) {
 			await confirmPassword()
 
diff --git a/config/config.sample.php b/config/config.sample.php
index 2deb69a5c0b..e54a1b74a27 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -2589,4 +2589,11 @@ $CONFIG = [
  * Defaults to 5.
  */
 'files.chunked_upload.max_parallel_count' => 5,
+
+/**
+ * Allow server-side encryption.
+ * 
+ * Default is true, indicating that encryption is available or permitted by the system administrator.
+ */
+'encryption.available' => true,
 ];