From 0aef364f2a71447c5ea3040652452e3429b72028 Mon Sep 17 00:00:00 2001
From: Martin Mahner
Date: Thu, 16 May 2019 09:33:29 +0200
Subject: [PATCH] View Raw mode can be disabled
---
 CHANGELOG.rst | 1 +
 dpaste/apps.py | 3 +++
 dpaste/templates/dpaste/details.html | 2 +-
 dpaste/views.py | 17 +++++++++++++++--
 4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 5b3d12b..5170df9 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -9,6 +9,7 @@ Changelog - Right-to-left support for text snippets. - dart-sass is now used for SASS compilation. - Updated lexer list. +- "View Raw" feature can be disabled in app config to hinder abuse. .. _black: https://github.com/ambv/black
diff --git a/dpaste/apps.py b/dpaste/apps.py
index 38e455e..7e34f80 100644
--- a/dpaste/apps.py
+++ b/dpaste/apps.py
@@ -74,6 +74,9 @@ class dpasteAppConfig(AppConfig): # is from another user. ONETIME_LIMIT = 2 + # Disable "view Raw" mode. + RAW_MODE_ENABLED = True + # Lexers which have wordwrap enabled by default LEXER_WORDWRAP = ('rst',)
diff --git a/dpaste/templates/dpaste/details.html b/dpaste/templates/dpaste/details.html
index 90df3b7..035bd9c 100644
--- a/dpaste/templates/dpaste/details.html
+++ b/dpaste/templates/dpaste/details.html
@@ -33,7 +33,7 @@
  • {% trans "Delete Now" %}
  • - {% if snippet.expire_type != 3 %} + {% if raw_mode and snippet.expire_type != 3 %}
  • {% trans "View Raw" %}
  • {% endif %} {% if snippet.lexer != 'text' %}
diff --git a/dpaste/views.py b/dpaste/views.py
index fd0c0e5..d7f53e6 100644
--- a/dpaste/views.py
+++ b/dpaste/views.py
@@ -3,8 +3,13 @@ import difflib import json from django.apps import apps -from django.http import (Http404, HttpResponse, HttpResponseBadRequest, - HttpResponseRedirect) +from django.http import ( + Http404, + HttpResponse, + HttpResponseBadRequest, + HttpResponseRedirect, + HttpResponseForbidden, +) from django.shortcuts import get_object_or_404 from django.urls import reverse from django.utils.translation import ugettext
@@ -136,6 +141,7 @@ class SnippetDetailView(SnippetView, DetailView): { 'wordwrap': self.object.lexer in highlight.LEXER_WORDWRAP, 'diff': self.get_snippet_diff(), + 'raw_mode': config.RAW_MODE_ENABLED, } ) return ctx
@@ -146,6 +152,13 @@ class SnippetRawView(SnippetDetailView): Display the raw content of a snippet """ + def dispatch(self, request, *args, **kwargs): + if not config.RAW_MODE_ENABLED: + return HttpResponseForbidden( + 'This dpaste installation has Raw view mode disabled.' + ) + return super(SnippetRawView, self).dispatch(request, *args, **kwargs) + def render_to_response(self, context, **response_kwargs): snippet = self.get_object() response = HttpResponse(snippet.content)
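Review bot: The new `dispatch` guard on `SnippetRawView` is the control this commit adds to hinder abuse, yet the diffstat touches no test file, so nothing pins that an installation with `RAW_MODE_ENABLED = False` answers 403 on the raw URL and drops the "View Raw" link from the detail page; a test that flips the setting and requests both pages would cover it. The refusal text is a hard-coded English literal although this module imports `ugettext`; `return HttpResponseForbidden(ugettext('This dpaste installation has Raw view mode disabled.'))` would keep it translatable. In dpaste/apps.py the comment `# Disable "view Raw" mode.` sits above a default of `True` and reads as the opposite of what the value does; `# Set to False to disable the "View Raw" endpoint (requests then get HTTP 403).` states the switch plainly. `render_to_response` continues past the end of the hunk, so the headers set on the raw response are not visible here.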