Add optional mode argument to persist_uploaded_file

This change adds an optional `mode` argument to the `persist_uploaded_file` function, allowing users to specify the Unix file permissions in octal notation when saving uploaded files.

- Updated `sqlpage.persist_uploaded_file` signature to include `mode`.
- Implemented permission setting logic using `std::os::unix::fs::PermissionsExt` (on Unix platforms).
- Default permission is set to "600" (octal `0o600`).
- Added documentation for the new parameter in `examples/official-site/sqlpage/migrations/39_persist_uploaded_file.sql`, including an explanation of octal notation and a link to Wikipedia.
- Added a unit test `test_set_file_mode` to verify the permission setting logic.

Co-authored-by: lovasoa <552629+lovasoa@users.noreply.github.com>

Author: google-labs-jules[bot]

examples/official-site/sqlpage/migrations/39_persist_uploaded_file.sql

@@ -62,4 +62,14 @@ VALUES (
         'Optional. Comma-separated list of allowed file extensions. By default: jpg,jpeg,png,gif,bmp,webp,pdf,txt,doc,docx,xls,xlsx,csv,mp3,mp4,wav,avi,mov.
 Changing this may be dangerous ! If you add "sql", "svg" or "html" to the list, an attacker could execute arbitrary SQL queries on your database, or impersonate other users.',
         'TEXT'
+    ),
+    (
+        'persist_uploaded_file',
+        4,
+        'mode',
+        'Optional. Unix permissions to set on the file, in octal notation. By default, the file will be saved with "600" (read/write for the owner only).
+Octal notation works by using three digits from 0 to 7: the first for the owner, the second for the group, and the third for others.
+For example, "644" means read/write for the owner, and read-only for others.
+[Learn more about numeric notation for file-system permissions on Wikipedia](https://en.wikipedia.org/wiki/File-system_permissions#Numeric_notation).',
+        'TEXT'
     );

src/webserver/database/sqlpage_functions/functions.rs

@@ -42,7 +42,7 @@ super::function_definition_macro::sqlpage_functions! {
     link(file: Cow<str>, parameters: Option<Cow<str>>, hash: Option<Cow<str>>);
 
     path((&RequestInfo));
-    persist_uploaded_file((&RequestInfo), field_name: Cow<str>, folder: Option<Cow<str>>, allowed_extensions: Option<Cow<str>>);
+    persist_uploaded_file((&RequestInfo), field_name: Cow<str>, folder: Option<Cow<str>>, allowed_extensions: Option<Cow<str>>, mode: Option<Cow<str>>);
     protocol((&RequestInfo));
 
     random_string(string_length: SqlPageFunctionParam<usize>);
@@ -420,6 +420,7 @@ async fn persist_uploaded_file<'a>(
     field_name: Cow<'a, str>,
     folder: Option<Cow<'a, str>>,
     allowed_extensions: Option<Cow<'a, str>>,
+    mode: Option<Cow<'a, str>>,
 ) -> anyhow::Result<Option<String>> {
     let folder = folder.unwrap_or(Cow::Borrowed("uploads"));
     let allowed_extensions_str =
@@ -456,6 +457,7 @@ async fn persist_uploaded_file<'a>(
                 target_path.display()
             )
         })?;
+    set_file_mode(&target_path, mode.as_deref()).await?;
     // remove the WEB_ROOT prefix from the path, but keep the leading slash
     let path = "/".to_string()
         + target_path
@@ -475,6 +477,28 @@ async fn protocol(request: &RequestInfo) -> &str {
     &request.protocol
 }
 
+async fn set_file_mode(path: &std::path::Path, mode: Option<&str>) -> anyhow::Result<()> {
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        let mode = if let Some(mode) = mode {
+            u32::from_str_radix(mode, 8)
+                .with_context(|| format!("unable to parse file mode {mode:?} as an octal number"))?
+        } else {
+            0o600
+        };
+        tokio::fs::set_permissions(path, std::fs::Permissions::from_mode(mode))
+            .await
+            .with_context(|| format!("unable to set permissions on {}", path.display()))?;
+    }
+    #[cfg(not(unix))]
+    {
+        let _ = path;
+        let _ = mode;
+    }
+    Ok(())
+}
+
 /// Returns a random string of the specified length.
 pub(crate) async fn random_string(len: usize) -> anyhow::Result<String> {
     // OsRng can block on Linux, so we run this on a blocking thread.
@@ -660,6 +684,38 @@ async fn test_hash_password() {
     assert!(s.starts_with("$argon2"));
 }
 
+#[tokio::test]
+async fn test_set_file_mode() {
+    let tmp_dir = std::env::temp_dir();
+    let tmp_file = tmp_dir.join("test_set_file_mode.txt");
+    tokio::fs::write(&tmp_file, b"test").await.unwrap();
+
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+
+        set_file_mode(&tmp_file, Some("644")).await.unwrap();
+        let metadata = tokio::fs::metadata(&tmp_file).await.unwrap();
+        assert_eq!(metadata.permissions().mode() & 0o777, 0o644);
+
+        set_file_mode(&tmp_file, Some("755")).await.unwrap();
+        let metadata = tokio::fs::metadata(&tmp_file).await.unwrap();
+        assert_eq!(metadata.permissions().mode() & 0o777, 0o755);
+
+        set_file_mode(&tmp_file, None).await.unwrap();
+        let metadata = tokio::fs::metadata(&tmp_file).await.unwrap();
+        assert_eq!(metadata.permissions().mode() & 0o777, 0o600);
+    }
+
+    #[cfg(not(unix))]
+    {
+        set_file_mode(&tmp_file, Some("644")).await.unwrap();
+        set_file_mode(&tmp_file, None).await.unwrap();
+    }
+
+    tokio::fs::remove_file(&tmp_file).await.unwrap();
+}
+
 async fn uploaded_file_mime_type<'a>(
     request: &'a RequestInfo,
     upload_name: Cow<'a, str>,