From af5ca9ecf01b413ecaf63302ff22d269aa08a973 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 1 Aug 2022 00:57:02 +0800
Subject: [PATCH 1/3] Add disable download source configuration (#20548)

Add configuration to enable/disable download source from UI.

Co-authored-by: zeripath <art27@cantab.net>
---
 custom/conf/app.example.ini                        |  3 +++
 .../doc/advanced/config-cheat-sheet.en-us.md       |  1 +
 modules/setting/repository.go                      |  1 +
 modules/templates/base.go                          |  9 +++++----
 routers/web/web.go                                 |  9 ++++++++-
 templates/mail/release.tmpl                        |  2 ++
 templates/repo/branch/list.tmpl                    |  6 ++++--
 templates/repo/home.tmpl                           |  2 ++
 templates/repo/release/list.tmpl                   | 14 +++++++++-----
 9 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 4585966d6e04..eff20fa349f6 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -892,6 +892,9 @@ ROUTER = console
 ;; Allow deletion of unadopted repositories
 ;ALLOW_DELETION_OF_UNADOPTED_REPOSITORIES = false
 
+;; Don't allow download source archive files from UI
+;DISABLE_DOWNLOAD_SOURCE_ARCHIVES = false
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[repository.editor]
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 2f7bb3aa98af..f9f4a2fd98bc 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -78,6 +78,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `DEFAULT_BRANCH`: **main**: Default branch name of all repositories.
 - `ALLOW_ADOPTION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to adopt unadopted repositories
 - `ALLOW_DELETION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to delete unadopted repositories
+- `DISABLE_DOWNLOAD_SOURCE_ARCHIVES`: **false**: Don't allow download source archive files from UI
 
 ### Repository - Editor (`repository.editor`)
 
diff --git a/modules/setting/repository.go b/modules/setting/repository.go
index 733bc6d90e60..d0406dbf9028 100644
--- a/modules/setting/repository.go
+++ b/modules/setting/repository.go
@@ -48,6 +48,7 @@ var (
 		DefaultBranch                           string
 		AllowAdoptionOfUnadoptedRepositories    bool
 		AllowDeleteOfUnadoptedRepositories      bool
+		DisableDownloadSourceArchives           bool
 
 		// Repository editor settings
 		Editor struct {
diff --git a/modules/templates/base.go b/modules/templates/base.go
index 282019f826c1..9563650e127b 100644
--- a/modules/templates/base.go
+++ b/modules/templates/base.go
@@ -35,10 +35,11 @@ func BaseVars() Vars {
 		"IsLandingPageExplore":       setting.LandingPageURL == setting.LandingPageExplore,
 		"IsLandingPageOrganizations": setting.LandingPageURL == setting.LandingPageOrganizations,
 
-		"ShowRegistrationButton":      setting.Service.ShowRegistrationButton,
-		"ShowMilestonesDashboardPage": setting.Service.ShowMilestonesDashboardPage,
-		"ShowFooterBranding":          setting.ShowFooterBranding,
-		"ShowFooterVersion":           setting.ShowFooterVersion,
+		"ShowRegistrationButton":        setting.Service.ShowRegistrationButton,
+		"ShowMilestonesDashboardPage":   setting.Service.ShowMilestonesDashboardPage,
+		"ShowFooterBranding":            setting.ShowFooterBranding,
+		"ShowFooterVersion":             setting.ShowFooterVersion,
+		"DisableDownloadSourceArchives": setting.Repository.DisableDownloadSourceArchives,
 
 		"EnableSwagger":      setting.API.EnableSwagger,
 		"EnableOpenIDSignIn": setting.Service.EnableOpenIDSignIn,
diff --git a/routers/web/web.go b/routers/web/web.go
index d594caf64340..b60433771547 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -289,6 +289,13 @@ func RegisterRoutes(m *web.Route) {
 		}
 	}
 
+	dlSourceEnabled := func(ctx *context.Context) {
+		if setting.Repository.DisableDownloadSourceArchives {
+			ctx.Error(http.StatusNotFound)
+			return
+		}
+	}
+
 	// FIXME: not all routes need go through same middleware.
 	// Especially some AJAX requests, we can reduce middleware number to improve performance.
 	// Routers.
@@ -1096,7 +1103,7 @@ func RegisterRoutes(m *web.Route) {
 		m.Group("/archive", func() {
 			m.Get("/*", repo.Download)
 			m.Post("/*", repo.InitiateDownload)
-		}, repo.MustBeNotEmpty, reqRepoCodeReader)
+		}, repo.MustBeNotEmpty, dlSourceEnabled, reqRepoCodeReader)
 
 		m.Group("/branches", func() {
 			m.Get("", repo.Branches)
diff --git a/templates/mail/release.tmpl b/templates/mail/release.tmpl
index 813aba556ca4..c5c7185480b2 100644
--- a/templates/mail/release.tmpl
+++ b/templates/mail/release.tmpl
@@ -31,12 +31,14 @@
 		<br>
 		{{.i18n.Tr "mail.release.downloads"}}
 		<ul>
+			{{if not .DisableDownloadSourceArchives}}
 			<li>
 				<a href="{{.Release.Repo.Link}}/archive/{{.Release.TagName | PathEscapeSegments}}.zip" rel="nofollow"><strong>{{.i18n.Tr "mail.release.download.zip"}}</strong></a>
 			</li>
 			<li>
 				<a href="{{.Release.Repo.Link}}/archive/{{.Release.TagName | PathEscapeSegments}}.tar.gz" rel="nofollow"><strong>{{.i18n.Tr "mail.release.download.targz"}}</strong></a>
 			</li>
+			{{end}}
 			{{if .Release.Attachments}}
 				{{range .Release.Attachments}}
 					<li>
diff --git a/templates/repo/branch/list.tmpl b/templates/repo/branch/list.tmpl
index 6c34ba4c1939..c51944ca5cbb 100644
--- a/templates/repo/branch/list.tmpl
+++ b/templates/repo/branch/list.tmpl
@@ -26,13 +26,15 @@
 										{{svg "octicon-git-branch"}}
 									</div>
 								{{end}}
-								<div class="ui basic jump dropdown icon button tooltip" data-content="{{$.i18n.Tr "repo.branch.download" ($.DefaultBranch)}}" data-position="top right">
+								{{if not $.DisableDownloadSourceArchives}}
+									<div class="ui basic jump dropdown icon button tooltip" data-content="{{$.i18n.Tr "repo.branch.download" ($.DefaultBranch)}}" data-position="top right">
 									{{svg "octicon-download"}}
 									<div class="menu">
 										<a class="item archive-link" href="{{$.RepoLink}}/archive/{{PathEscapeSegments $.DefaultBranch}}.zip" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;ZIP</a>
 										<a class="item archive-link" href="{{$.RepoLink}}/archive/{{PathEscapeSegments $.DefaultBranch}}.tar.gz" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;TAR.GZ</a>
+										</div>
 									</div>
-								</div>
+								{{end}}
 							</td>
 						</tr>
 					</tbody>
diff --git a/templates/repo/home.tmpl b/templates/repo/home.tmpl
index 1a0323f5d182..4a0057be6d00 100644
--- a/templates/repo/home.tmpl
+++ b/templates/repo/home.tmpl
@@ -124,6 +124,7 @@
 				{{if eq $n 0}}
 					<div class="ui action tiny input" id="clone-panel">
 						{{template "repo/clone_buttons" .}}
+						{{if not .DisableDownloadSourceArchives}}
 						<button id="download-btn" class="ui basic jump dropdown icon button tooltip" data-content="{{.i18n.Tr "repo.download_archive"}}" data-position="top right">
 							{{svg "octicon-download"}}
 							<div class="menu">
@@ -133,6 +134,7 @@
 								<a class="item" href="vscode://vscode.git/clone?url={{$.RepoCloneLink.HTTPS}}">{{svg "gitea-vscode" 16 "mr-3"}}{{.i18n.Tr "repo.clone_in_vsc"}}</a>
 							</div>
 						</button>
+						{{end}}
 					</div>
 				{{end}}
 			</div>
diff --git a/templates/repo/release/list.tmpl b/templates/repo/release/list.tmpl
index 956c60ad78c6..57c7bc0c92e4 100644
--- a/templates/repo/release/list.tmpl
+++ b/templates/repo/release/list.tmpl
@@ -37,8 +37,10 @@
 								<div class="download df ac">
 									{{if $.Permission.CanRead $.UnitTypeCode}}
 										<a class="mr-3 mono" href="{{$.RepoLink}}/src/commit/{{.Sha1}}" rel="nofollow">{{svg "octicon-git-commit" 16 "mr-2"}}{{ShortSha .Sha1}}</a>
-										<a class="archive-link mr-3" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.zip" rel="nofollow">{{svg "octicon-file-zip" 16 "mr-2"}}ZIP</a>
-										<a class="archive-link mr-3" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.tar.gz" rel="nofollow">{{svg "octicon-file-zip" 16 "mr-2"}}TAR.GZ</a>
+										{{if not $.DisableDownloadSourceArchives}}
+											<a class="archive-link mr-3" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.zip" rel="nofollow">{{svg "octicon-file-zip" 16 "mr-2"}}ZIP</a>
+											<a class="archive-link mr-3" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.tar.gz" rel="nofollow">{{svg "octicon-file-zip" 16 "mr-2"}}TAR.GZ</a>
+										{{end}}
 										{{if (and $.CanCreateRelease $release.IsTag)}}
 											<a class="mr-3" href="{{$.RepoLink}}/releases/new?tag={{.TagName}}">{{svg "octicon-tag" 16 "mr-2"}}{{$.i18n.Tr "repo.release.new_release"}}</a>
 										{{end}}
@@ -104,8 +106,10 @@
 							<div class="download">
 							{{if $.Permission.CanRead $.UnitTypeCode}}
 								<a class="mono" href="{{$.RepoLink}}/src/commit/{{.Sha1}}" rel="nofollow">{{svg "octicon-git-commit" 16 "mr-2"}}{{ShortSha .Sha1}}</a>
-								<a class="archive-link" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.zip" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;ZIP</a>
-								<a class="archive-link" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.tar.gz" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;TAR.GZ</a>
+								{{if not $.DisableDownloadSourceArchives}}
+									<a class="archive-link" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.zip" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;ZIP</a>
+									<a class="archive-link" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.tar.gz" rel="nofollow">{{svg "octicon-file-zip"}}&nbsp;TAR.GZ</a>
+								{{end}}
 							{{end}}
 							</div>
 						{{else}}
@@ -146,7 +150,7 @@
 									{{$.i18n.Tr "repo.release.downloads"}}
 								</summary>
 								<ul class="list">
-									{{if and (not .IsDraft) ($.Permission.CanRead $.UnitTypeCode)}}
+									{{if and (not $.DisableDownloadSourceArchives) (not .IsDraft) ($.Permission.CanRead $.UnitTypeCode)}}
 										<li>
 											<a class="archive-link" href="{{$.RepoLink}}/archive/{{.TagName | PathEscapeSegments}}.zip" rel="nofollow"><strong>{{svg "octicon-file-zip" 16 "mr-2"}}{{$.i18n.Tr "repo.release.source_code"}} (ZIP)</strong></a>
 										</li>

From 2b3ba0f2a8a340d821748ec247149c6ed4a283f1 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 7 Aug 2022 22:33:07 +0800
Subject: [PATCH 2/3] Fix BaseVars not used in renderering

---
 modules/context/context.go      | 2 +-
 templates/repo/branch/list.tmpl | 2 +-
 templates/repo/home.tmpl        | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/context/context.go b/modules/context/context.go
index a199721197a8..d34dbb5e6483 100644
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -224,7 +224,7 @@ func (ctx *Context) HTML(status int, name base.TplName) {
 	ctx.Data["TemplateLoadTimes"] = func() string {
 		return strconv.FormatInt(time.Since(tmplStartTime).Nanoseconds()/1e6, 10) + "ms"
 	}
-	if err := ctx.Render.HTML(ctx.Resp, status, string(name), ctx.Data); err != nil {
+	if err := ctx.Render.HTML(ctx.Resp, status, string(name), templates.BaseVars().Merge(ctx.Data)); err != nil {
 		if status == http.StatusInternalServerError && name == base.TplName("status/500") {
 			ctx.PlainText(http.StatusInternalServerError, "Unable to find status/500 template")
 			return
diff --git a/templates/repo/branch/list.tmpl b/templates/repo/branch/list.tmpl
index c51944ca5cbb..4ae58ad3192f 100644
--- a/templates/repo/branch/list.tmpl
+++ b/templates/repo/branch/list.tmpl
@@ -112,7 +112,7 @@
 												{{svg "octicon-git-branch"}}
 											</div>
 										{{end}}
-										{{if (not .IsDeleted)}}
+										{{if and (not .IsDeleted) (not $.DisableDownloadSourceArchives)}}
 											<div class="ui basic jump dropdown icon button tooltip" data-content="{{$.i18n.Tr "repo.branch.download" (.Name)}}" data-position="top right">
 												{{svg "octicon-download"}}
 												<div class="menu">
diff --git a/templates/repo/home.tmpl b/templates/repo/home.tmpl
index e7d83eb5cecf..1609464cc951 100644
--- a/templates/repo/home.tmpl
+++ b/templates/repo/home.tmpl
@@ -125,7 +125,7 @@
 					<div class="ui action tiny input" id="clone-panel">
 						{{template "repo/clone_buttons" .}}
 						{{template "repo/clone_script" .}}
-						{{if not .DisableDownloadSourceArchives}}
+						{{if not $.DisableDownloadSourceArchives}}
 							<button id="download-btn" class="ui basic jump dropdown icon button tooltip" data-content="{{.i18n.Tr "repo.download_archive"}}" data-position="top right">
 								{{svg "octicon-download"}}
 								<div class="menu">

From 34d41befdfdc255ce1f0f9b308a264e69ff22f78 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 8 Aug 2022 23:27:55 +0800
Subject: [PATCH 3/3] Fix disabled open in vscode menu when disabling download
 source from UI

---
 templates/repo/home.tmpl | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/templates/repo/home.tmpl b/templates/repo/home.tmpl
index 1609464cc951..2ed87d8a91fe 100644
--- a/templates/repo/home.tmpl
+++ b/templates/repo/home.tmpl
@@ -125,17 +125,17 @@
 					<div class="ui action tiny input" id="clone-panel">
 						{{template "repo/clone_buttons" .}}
 						{{template "repo/clone_script" .}}
-						{{if not $.DisableDownloadSourceArchives}}
-							<button id="download-btn" class="ui basic jump dropdown icon button tooltip" data-content="{{.i18n.Tr "repo.download_archive"}}" data-position="top right">
-								{{svg "octicon-download"}}
-								<div class="menu">
+						<button id="download-btn" class="ui basic jump dropdown icon button tooltip" data-content="{{.i18n.Tr "repo.download_archive"}}" data-position="top right">
+							{{svg "octicon-download"}}
+							<div class="menu">
+								{{if not $.DisableDownloadSourceArchives}}
 									<a class="item archive-link" href="{{$.RepoLink}}/archive/{{PathEscapeSegments $.BranchName}}.zip" rel="nofollow">{{svg "octicon-file-zip" 16 "mr-3"}}{{.i18n.Tr "repo.download_zip"}}</a>
 									<a class="item archive-link" href="{{$.RepoLink}}/archive/{{PathEscapeSegments $.BranchName}}.tar.gz" rel="nofollow">{{svg "octicon-file-zip" 16 "mr-3"}}{{.i18n.Tr "repo.download_tar"}}</a>
 									<a class="item archive-link" href="{{$.RepoLink}}/archive/{{PathEscapeSegments $.BranchName}}.bundle" rel="nofollow">{{svg "octicon-package" 16 "mr-3"}}{{.i18n.Tr "repo.download_bundle"}}</a>
-									<a class="item" href="vscode://vscode.git/clone?url={{$.RepoCloneLink.HTTPS}}">{{svg "gitea-vscode" 16 "mr-3"}}{{.i18n.Tr "repo.clone_in_vsc"}}</a>
-								</div>
-							</button>
-						{{end}}
+								{{end}}
+								<a class="item" href="vscode://vscode.git/clone?url={{$.RepoCloneLink.HTTPS}}">{{svg "gitea-vscode" 16 "mr-3"}}{{.i18n.Tr "repo.clone_in_vsc"}}</a>
+							</div>
+						</button>
 					</div>
 				{{end}}
 			</div>