[1035] Fix S3 attachment uploads for ACL-disabled buckets (#264)

IhorMasechko · Ihor Masechko · web-flow · commit 310f0d92aecd · 2026-03-24T14:45:43.000+01:00
fix(uploadfs): disable S3 ACL usage for attachment uploads

## Summary
- Fixes Apostrophe attachment upload failures caused by S3 buckets with
ACLs disabled (`AccessControlListNotSupported`).
- Updates `@apostrophecms/uploadfs` config to avoid sending ACL by
default (`acl: null`) unless explicitly provided via `APOS_S3_ACL`.
- Makes S3 `endpoint`, `style`, and `https` options optional so
production AWS S3 works without LocalStack-specific env vars.
- Aligns local LocalStack bucket initialization with `APOS_S3_BUCKET` to
prevent local `NoSuchBucket` errors.

## Root Cause
Uploads were sending ACL-related settings to buckets configured with
Object Ownership that disallows ACLs, causing `500` errors from
`/api/v1/@apostrophecms/attachment/upload`.

## Validation
- Verified local upload now succeeds.
- Confirmed previous ACL error is no longer triggered.
- Confirmed local bucket mismatch issue was resolved for development
environment.

## Notes
- `docker-compose.yml` LocalStack bucket change is development-only.
- Production impact comes from `uploadfs` ACL/config handling changes.
- For production, keep `APOS_S3_ACL` unset unless explicitly needed.

&lt;!-- This is an auto-generated comment: release notes by coderabbit.ai
--&gt;

Updated S3 upload configuration in the uploadfs module to support
buckets with ACLs disabled. This change makes endpoint, style, and https
options conditional (only set when corresponding environment variables
are present) and defaults the ACL setting to null unless APOS_S3_ACL is
explicitly configured, preventing AccessControlListNotSupported errors
during attachment uploads.

&lt;!-- end of auto-generated comment: release notes by coderabbit.ai --&gt;

Co-authored-by: Ihor Masechko &lt;ihormasechko@Ihors-MacBook-Air.local&gt;
diff --git a/website/modules/@apostrophecms/uploadfs/index.js b/website/modules/@apostrophecms/uploadfs/index.js
@@ -1,21 +1,33 @@
 const { getEnv } = require('../../../utils/env');
 
 const aposS3Secret = process.env.APOS_S3_SECRET;
-const aposS3Https = getEnv('APOS_S3_HTTPS');
+const aposS3Endpoint = process.env.APOS_S3_ENDPOINT;
+const aposS3Style = process.env.APOS_S3_STYLE;
+const aposS3Https = process.env.APOS_S3_HTTPS;
 
 const uploadfsOptions = {
   storage: 's3',
   bucket: getEnv('APOS_S3_BUCKET'),
   region: getEnv('APOS_S3_REGION'),
-  endpoint: getEnv('APOS_S3_ENDPOINT'),
-  style: getEnv('APOS_S3_STYLE'),
-  https: aposS3Https.toLowerCase() === 'true',
+  acl: process.env.APOS_S3_ACL || null,
   cdn: {
     enabled: true,
     url: getEnv('APOS_CDN_URL'),
   },
 };
 
+if (aposS3Endpoint) {
+  uploadfsOptions.endpoint = aposS3Endpoint;
+}
+
+if (aposS3Style) {
+  uploadfsOptions.style = aposS3Style;
+}
+
+if (aposS3Https) {
+  uploadfsOptions.https = aposS3Https.toLowerCase() === 'true';
+}
+
 if (aposS3Secret) {
   uploadfsOptions.secret = aposS3Secret;
   uploadfsOptions.key = getEnv('APOS_S3_KEY');
