NEW Restrict upload abilities in UploadField

forms/UploadField.php

@@ -81,6 +81,10 @@ class UploadField extends FileField {
 		 * @var int
 		 */
 		'allowedMaxFileNumber' => null,
+		/**
+		 * @var boolean Can the user upload new files, or just select from existing files.
+		 */
+		'canUpload' => true,
 		/**
 		 * @var int
 		 */
@@ -441,7 +445,9 @@ public function handleSelect(SS_HTTPRequest $request) {
 	 * @return string json
 	 */
 	public function upload(SS_HTTPRequest $request) {
-		if($this->isDisabled() || $this->isReadonly()) return $this->httpError(403);
+		if($this->isDisabled() || $this->isReadonly() || !$this->canUpload()) {
+			return $this->httpError(403);
+		}
 
 		// Protect against CSRF on destructive action
 		$token = $this->getForm()->getSecurityToken();
@@ -629,6 +635,12 @@ public function isSaveable() {
 		// Don't allow upload or edit of a relation when the underlying record hasn't been persisted yet
 		return (!$record || !$this->managesRelation() || $record->exists());
 	}
+
+	public function canUpload() {
+		$can = $this->getConfig('canUpload');
+		return (is_bool($can)) ? $can : Permission::check($can);
+	}
+
 }
 
 /**

scss/UploadField.scss

@@ -47,11 +47,12 @@
 				border: 2px dashed $color-medium-separator;
 				background: $color-light-separator;
 				display: none;
+				margin-right: 15px;
 			}
 		}
 		.ss-uploadfield-item-info {
-			margin: 0 0 0 100px;
-
+			float: left;
+			
 			.ss-uploadfield-item-name {
 				display: block;
 				line-height: 13px;

templates/UploadField.ss

@@ -34,13 +34,15 @@
 	<% end_if %>
 <% else %>
 	<div class="ss-uploadfield-item ss-uploadfield-addfile<% if $Items && $displayInput %> borderTop<% end_if %>" <% if not $displayInput %>style="display: none;"<% end_if %>>
+		<% if canUpload %>
 		<div class="ss-uploadfield-item-preview ss-uploadfield-dropzone ui-corner-all">
 				<% if $multiple %>
 					<% _t('UploadField.DROPFILES', 'drop files') %>
 				<% else %>
 					<% _t('UploadField.DROPFILE', 'drop a file') %>
 				<% end_if %>
 		</div>
+		<% end_if %>
 		<div class="ss-uploadfield-item-info">
 			<label class="ss-uploadfield-item-name"><b>
 				<% if $multiple %>
@@ -49,10 +51,12 @@
 					<% _t('UploadField.ATTACHFILE', 'Attach a file') %>
 				<% end_if %>
 			</b></label>
-			<label class="ss-uploadfield-fromcomputer ss-ui-button ui-corner-all" data-icon="drive-upload">
-				<% _t('UploadField.FROMCOMPUTER', 'From your computer') %>
-				<input id="$id" name="$getName" class="$extraClass ss-uploadfield-fromcomputer-fileinput" data-config="$configString" type="file"<% if $multiple %> multiple="multiple"<% end_if %> />
-			</label>
+			<% if canUpload %>
+				<label class="ss-uploadfield-fromcomputer ss-ui-button ui-corner-all" data-icon="drive-upload">
+					<% _t('UploadField.FROMCOMPUTER', 'From your computer') %>
+					<input id="$id" name="$getName" class="$extraClass ss-uploadfield-fromcomputer-fileinput" data-config="$configString" type="file"<% if $multiple %> multiple="multiple"<% end_if %> />
+				</label>			
+			<% end_if %>
 			<button class="ss-uploadfield-fromfiles ss-ui-button ui-corner-all" data-icon="network-cloud"><% _t('UploadField.FROMFILES', 'From files') %></button>
 			<% if not $autoUpload %>
 				<button class="ss-uploadfield-startall ss-ui-button ui-corner-all" data-icon="navigation"><% _t('UploadField.STARTALL', 'Start all') %></button>

tests/forms/uploadfield/UploadFieldTest.php

@@ -476,6 +476,42 @@ public function testDisabled() {
 
 	}
 
+	public function testCanUpload() {
+		$this->loginWithPermission('ADMIN');
+		$response = $this->get('UploadFieldTest_Controller');
+		$this->assertFalse($response->isError());
+
+		$parser = new CSSContentParser($response->getBody());
+		$this->assertFalse(
+			(bool)$parser->getBySelector('#CanUploadFalseField .ss-uploadfield-fromcomputer-fileinput'),
+			'Removes input file control'
+		);
+		$this->assertFalse((bool)$parser->getBySelector('#CanUploadFalseField .ss-uploadfield-dropzone'),
+			'Removes dropzone');
+		$this->assertTrue(
+			(bool)$parser->getBySelector('#CanUploadFalseField .ss-uploadfield-fromfiles'),
+			'Keeps "From files" button'
+		);
+	}	
+
+	public function testCanUploadWithPermissionCode() {
+		$field = new UploadField('MyField');
+
+		$field->setConfig('canUpload', true);
+		$this->assertTrue($field->canUpload());
+
+		$field->setConfig('canUpload', false);
+		$this->assertFalse($field->canUpload());
+
+		$this->loginWithPermission('ADMIN');
+
+		$field->setConfig('canUpload', false);
+		$this->assertFalse($field->canUpload());
+
+		$field->setConfig('canUpload', 'ADMIN');
+		$this->assertTrue($field->canUpload());
+	}
+
 	public function testIsSaveable() {
 		$form = $this->getMockForm();
 
@@ -775,6 +811,10 @@ public function Form() {
 		$fieldSubfolder->setFolderName('UploadFieldTest/subfolder1');
 		$fieldSubfolder->setRecord($record);
 
+		$fieldCanUploadFalse = new UploadField('CanUploadFalseField');
+		$fieldCanUploadFalse->setConfig('canUpload', false);
+		$fieldCanUploadFalse->setRecord($record);
+
 		$form = new Form(
 			$this,
 			'Form',
@@ -789,7 +829,8 @@ public function Form() {
 				$fieldManyMany,
 				$fieldReadonly,
 				$fieldDisabled,
-				$fieldSubfolder
+				$fieldSubfolder,
+				$fieldCanUploadFalse
 			),
 			new FieldList(
 				new FormAction('submit')
@@ -805,7 +846,8 @@ public function Form() {
 				'ManyManyFiles',
 				'ReadonlyField',
 				'DisabledField',
-				'SubfolderField'
+				'SubfolderField',
+				'CanUploadFalseField'
 			)
 		);
 		return $form;