From 40db52a91e5ef733d1416027ac583eaed53022fa Mon Sep 17 00:00:00 2001
From: Stuart Begley-Miller <shoeberto@gmail.com>
Date: Sat, 7 May 2022 06:54:04 +0000
Subject: [PATCH] Parameterize S3 default ACL when uploading objects.

---
 api/config/settings/common.py        | 14 +++++++++++++-
 changes/changelog.d/1319.enhancement |  1 +
 deploy/env.prod.sample               |  8 ++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 changes/changelog.d/1319.enhancement

diff --git a/api/config/settings/common.py b/api/config/settings/common.py
index 9f2237e68..0be1e9fc6 100644
--- a/api/config/settings/common.py
+++ b/api/config/settings/common.py
@@ -468,7 +468,19 @@ It's recommended to keep this on, as a way to enforce access control, however,
 if you're using S3 storage with :attr:`AWS_QUERYSTRING_AUTH`,
 it's safe to disable it.
 """
-AWS_DEFAULT_ACL = None
+AWS_DEFAULT_ACL = env("AWS_DEFAULT_ACL", default=None)
+"""
+The default ACL to use when uploading files to an S3-compatible object storage 
+bucket.  
+
+ACLs and bucket policies are distinct concepts, and some storage 
+providers (ie Linode, Scaleway) will always apply the most restrictive between 
+a bucket's ACL and policy, meaning a default private ACL will supercede
+a relaxed bucket policy.
+
+If present, the value should be a valid canned ACL.
+See: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl
+"""
 AWS_QUERYSTRING_AUTH = env.bool("AWS_QUERYSTRING_AUTH", default=not PROXY_MEDIA)
 """
 Whether to include signatures in S3 urls, as a way to enforce access-control.
diff --git a/changes/changelog.d/1319.enhancement b/changes/changelog.d/1319.enhancement
new file mode 100644
index 000000000..40a24231c
--- /dev/null
+++ b/changes/changelog.d/1319.enhancement
@@ -0,0 +1 @@
+Parameterize the default S3 ACL when uploading objects. (#1319)
diff --git a/deploy/env.prod.sample b/deploy/env.prod.sample
index 1e8a913a9..11b21dfe2 100644
--- a/deploy/env.prod.sample
+++ b/deploy/env.prod.sample
@@ -189,3 +189,11 @@ AWS_STORAGE_BUCKET_NAME=
 # valid. The default value is 3600 (60 minutes). The maximum accepted value is 604800 (7 days)
 
 # AWS_QUERYSTRING_EXPIRE=
+
+# If you are using an S3-compatible object storage provider, and need to provide a default
+# ACL for object uploads that is different from the default applied by boto3, you may
+# override it here. Example:
+#    AWS_DEFAULT_ACL=public-read
+# Available options can be found here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl
+
+# AWS_DEFAULT_ACL=