RestrictAttachments

From Request Tracker Wiki
Jump to navigation Jump to search

Restricting Attachments in RT

Existing Attachment Restrictions

RT has existing config options to set a maximum file size for attachments, and if files exceeding this size limit should be truncated or dropped.

See config options:

Restricting attachment types

RT (as of 6.0.2) does not currently have a way to restrict attachments only to specific types, and there is no easy way to disable all attachments.

There are two methods to customise RT to restrict file attachments, depending on where you need to restrict:

  1. Restrict which file types can be uploaded via the web interface (When users upload attachments)
  2. Add a back-end overlay which restricts which attachment types will be stored globally, including via email, or any transaction involving attachments.


1. Restricting via RT Web Interface

RT uses the JavaScript library Dropzone in the web UI to handle file uploads.

Dropzone has an option acceptedFiles to limit the file type and/or extensions accepted.

This checks the file's MIME type or extension against this list. This is a comma separated list of MIME types or file extensions, e.g., The following would allow all image files, any file with MIME type application/pdf, and any file with extension .csv. All other file types will be rejected: 

acceptedFiles: image/*,application/pdf,.csv

Implementing in RT (6.0.2 and possibly older)

  • Install local modified version of AddAttachments Mason template. From your RT directory, e.g. (/opt/rt6)
 # cd /opt/rt6
 # mkdir -p local/html/Ticket/Elements
 # cd local/html/Ticket/Elements
 # wget https://gist.githubusercontent.com/listerr/b274f2ae0529ffeb337e5a1c0c6ce017/raw/3721f96ae4d9ff36777c4e7fb0cf6a9a616ffbb3/AddAttachments
  • Add the following new RT config option to your RT_SiteConfig.d files, e.g.: /opt/rt6/etc/RT_SiteConfig.d/20-RT_AttachmentRestrict.pm :
 Set($AcceptedFiles, 'image/*,application/pdf,.csv');
  • Clear the Mason cache and restart everything.


NOTE: This will vary depending on your installation of RT and OS/Distro, e.g. if you installed RT from source or using a package manager. Mine (on nginx and systemd) looks something like this: 

 # service nginx stop 
 # systemctl stop rt-server.socket 
 # systemctl stop rt-server.service 
 # rm -rf /opt/rt6/var/mason_data/obj 
 # systemctl start rt-server.socket
 # systemctl start rt-server.service
 # service nginx start

One-line version: 

# service nginx stop && systemctl stop rt-server.socket && systemctl stop rt-server.service && rm -rf /opt/rt6/var/mason_data/obj && systemctl start rt-server.socket && systemctl start rt-server.service && service nginx start

NOTES:

  • This method will not restrict attachments added outside the web interface, or not using Dropzone.
  • RT has a config option, $PreferDropzone which is enabled by default. However, users can change this option in their preferences to disable Dropzone. This modified AddAttachments ignores the user preference setting to prevent users bypassing attachment restrictions by disabling Dropzone.
  • You may need to check this template when upgrading to new releases/updates of RT. The installed version is in share/html/Ticket/Elements/AddAttachments by default.
  • This may be a little inflexible because it applies globally for all attachment uploads. It would need further modifications, for example, to apply only to some queues but not others, or to allow different restrictions depending on user or queue.

2. Restricting via RT backend

Alternative method is to restrict attachments when they are processed by the RT backend. This will restrict all attachments received via email and the web interface.

This overrides the method RT::Record::_EncodeLOB to reject attachments using the same method as the existing $MaxAttachmentSize option.

Implementing in RT (6.0.2 and possibly older)

  • Install local modified version of Record_Local.pm. From your RT directory, e.g. (/opt/rt6)
 # cd /opt/rt6
 # mkdir -p local/lib/RT
 # cd local/lib/RT
 # wget https://gist.githubusercontent.com/listerr/4e1d697884528a30b2bea2b6e531199f/raw/d7c1f5fc74c3ef0c54c6b4d4d42110f962ee34cc/Record_Local.pm
  • Add the following new RT config option(s) to your RT_SiteConfig.d files, e.g.: /opt/rt6/etc/RT_SiteConfig.d/20-RT_AttachmentRestrict.pm. You can use one or both of these options. MIME type is usually more flexible than listing lots of different file extensions.
# Regexp to restrict by MIME Type:
Set($AttachmentTypeAllowRegexp,qr{^(application/pdf|image/jpeg|image/pjpeg)$});
 
# Regexp to restrict on filename/extension:
Set($AttachmentNameAllowRegexp,qr{\.(doc|png)$});
  • Restart RT.

NOTES:

  • This method will still allow files to be uploaded via the Web interface - attachments are only rejected once RT tries to add them to a ticket. This means a correspondence will still be sent, but without the file attachment. A warning will appear on the ticket to show the attachment was rejected.
  • Deleting file attachments involves changing the message structure (e.g. unpacking the entire message, removing the unwanted part(s) and creating a new message with the correct MIME headers etc.) This is quite a complex process. For this reason, RT does not remove the attachment, but instead replaces it with a .txt part with the message attachment type .... dropped - file type not permitted

3. Disable file attachments in web frontend

To completely disable file attachments in the web frontend:

  • Follow the instructions above for Restricting via RT Web Interface.
  • Add the following new RT config option to your RT_SiteConfig.d files, e.g.: /opt/rt6/etc/RT_SiteConfig.d/20-RT_AttachmentRestrict.pm :
 Set($DisableAttachments, 1);
  • Clear the Mason cache and restart everything.


Notes/TODO

  • Possibly package this as an Extension if it proves useful.
  • More examples of regexp matches
Retrieved from "https://rt-wiki.bestpractical.com/index.php?title=RestrictAttachments&oldid=27253"