lint

apps/client/public/locales/en-US/translation.json

@@ -407,6 +407,21 @@
   "Share deleted successfully": "Share deleted successfully",
   "Share not found": "Share not found",
   "Failed to share page": "Failed to share page",
+  "Disable public sharing": "Disable public sharing",
+  "Prevent members from sharing pages publicly.": "Prevent members from sharing pages publicly.",
+  "Toggle public sharing": "Toggle public sharing",
+  "Toggle space public sharing": "Toggle space public sharing",
+  "Public sharing is disabled at the workspace level": "Public sharing is disabled at the workspace level",
+  "Prevent pages in this space from being shared publicly.": "Prevent pages in this space from being shared publicly.",
+  "Requires an enterprise license": "Requires an enterprise license",
+  "Enable public sharing": "Enable public sharing",
+  "Are you sure you want to enable public sharing? Members will be able to share pages publicly.": "Are you sure you want to enable public sharing? Members will be able to share pages publicly.",
+  "Are you sure you want to disable public sharing? All existing shared links in this workspace will be deleted.": "Are you sure you want to disable public sharing? All existing shared links in this workspace will be deleted.",
+  "Are you sure you want to enable public sharing for this space?": "Are you sure you want to enable public sharing for this space?",
+  "Are you sure you want to disable public sharing? All existing shared links in this space will be deleted.": "Are you sure you want to disable public sharing? All existing shared links in this space will be deleted.",
+  "Public sharing is disabled": "Public sharing is disabled",
+  "Public sharing has been disabled at the workspace level.": "Public sharing has been disabled at the workspace level.",
+  "Public sharing has been disabled for this space.": "Public sharing has been disabled for this space.",
   "Copy page": "Copy page",
   "Copy page to a different space.": "Copy page to a different space.",
   "Page copied successfully": "Page copied successfully",

apps/client/src/ee/hooks/use-enterprise-access.tsx

@@ -0,0 +1,12 @@
+import { isCloud } from "@/lib/config";
+import useLicense from "@/ee/hooks/use-license";
+import usePlan from "@/ee/hooks/use-plan";
+
+const useEnterpriseAccess = () => {
+  const { hasLicenseKey } = useLicense();
+  const { isBusiness } = usePlan();
+
+  return (isCloud() && isBusiness) || (!isCloud() && hasLicenseKey);
+};
+
+export default useEnterpriseAccess;

apps/client/src/ee/security/components/disable-public-sharing.tsx

@@ -0,0 +1,88 @@
+import { Group, Text, Switch, Tooltip } from "@mantine/core";
+import { modals } from "@mantine/modals";
+import { useAtom } from "jotai";
+import { workspaceAtom } from "@/features/user/atoms/current-user-atom.ts";
+import React, { useState } from "react";
+import { useTranslation } from "react-i18next";
+import { updateWorkspace } from "@/features/workspace/services/workspace-service.ts";
+import { notifications } from "@mantine/notifications";
+import useEnterpriseAccess from "@/ee/hooks/use-enterprise-access.tsx";
+
+export default function DisablePublicSharing() {
+  const { t } = useTranslation();
+
+  return (
+    <Group justify="space-between" wrap="nowrap" gap="xl">
+        <div>
+          <Text size="md">{t("Disable public sharing")}</Text>
+          <Text size="sm" c="dimmed">
+            {t("Prevent members from sharing pages publicly.")}
+          </Text>
+        </div>
+
+        <DisablePublicSharingToggle />
+    </Group>
+  );
+}
+
+function DisablePublicSharingToggle() {
+  const { t } = useTranslation();
+  const [workspace, setWorkspace] = useAtom(workspaceAtom);
+  const [checked, setChecked] = useState(
+    workspace?.settings?.sharing?.disabled === true,
+  );
+  const hasAccess = useEnterpriseAccess();
+
+  const applyChange = async (value: boolean) => {
+    try {
+      const updatedWorkspace = await updateWorkspace({
+        disablePublicSharing: value,
+      });
+      setChecked(value);
+      setWorkspace(updatedWorkspace);
+    } catch (err) {
+      notifications.show({
+        message: err?.response?.data?.message,
+        color: "red",
+      });
+    }
+  };
+
+  const handleChange = (event: React.ChangeEvent<HTMLInputElement>) => {
+    const value = event.currentTarget.checked;
+
+    modals.openConfirmModal({
+      title: value ? t("Disable public sharing") : t("Enable public sharing"),
+      children: (
+        <Text size="sm">
+          {value
+            ? t(
+                "Are you sure you want to disable public sharing? All existing shared links in this workspace will be deleted.",
+              )
+            : t(
+                "Are you sure you want to enable public sharing? Members will be able to share pages publicly.",
+              )}
+        </Text>
+      ),
+      centered: true,
+      labels: { confirm: t("Confirm"), cancel: t("Cancel") },
+      confirmProps: value ? { color: "red" } : {},
+      onConfirm: () => applyChange(value),
+    });
+  };
+
+  return (
+    <Tooltip
+      label={t("Requires an enterprise license")}
+      disabled={hasAccess}
+      refProp="rootRef"
+    >
+      <Switch
+        checked={checked}
+        onChange={handleChange}
+        disabled={!hasAccess}
+        aria-label={t("Toggle public sharing")}
+      />
+    </Tooltip>
+  );
+}

apps/client/src/ee/security/components/enforce-mfa.tsx

@@ -10,23 +10,18 @@ export default function EnforceMfa() {
   const { t } = useTranslation();
 
   return (
-    <>
+    <Group justify="space-between" wrap="nowrap" gap="xl">
-      <Title order={4} my="sm">
+      <div>
-        MFA
+        <Text size="md">{t("Enforce two-factor authentication")}</Text>
-      </Title>
+        <Text size="sm" c="dimmed">
-      <Group justify="space-between" wrap="nowrap" gap="xl">
+          {t(
-        <div>
+            "Once enforced, all members must enable two-factor authentication to access the workspace.",
-          <Text size="md">{t("Enforce two-factor authentication")}</Text>
+          )}
-          <Text size="sm" c="dimmed">
+        </Text>
-            {t(
+      </div>
-              "Once enforced, all members must enable two-factor authentication to access the workspace.",
-            )}
-          </Text>
-        </div>
 
-        <EnforceMfaToggle />
+      <EnforceMfaToggle />
-      </Group>
+    </Group>
-    </>
   );
 }
 

apps/client/src/ee/security/components/space-public-sharing-toggle.tsx

@@ -0,0 +1,84 @@
+import { Group, Text, Switch, Tooltip } from "@mantine/core";
+import { modals } from "@mantine/modals";
+import { useAtom } from "jotai";
+import { workspaceAtom } from "@/features/user/atoms/current-user-atom.ts";
+import React, { useState } from "react";
+import { useTranslation } from "react-i18next";
+import { ISpace } from "@/features/space/types/space.types.ts";
+import { useUpdateSpaceMutation } from "@/features/space/queries/space-query.ts";
+
+type SpacePublicSharingToggleProps = {
+  space: ISpace;
+};
+
+export default function SpacePublicSharingToggle({
+  space,
+}: SpacePublicSharingToggleProps) {
+  const { t } = useTranslation();
+  const [workspace] = useAtom(workspaceAtom);
+  const workspaceDisabled = workspace?.settings?.sharing?.disabled === true;
+  const [checked, setChecked] = useState(
+    space.settings?.sharing?.disabled === true,
+  );
+  const updateSpaceMutation = useUpdateSpaceMutation();
+
+  const applyChange = async (value: boolean) => {
+    try {
+      await updateSpaceMutation.mutateAsync({
+        spaceId: space.id,
+        disablePublicSharing: value,
+      });
+      setChecked(value);
+    } catch {
+      // error handled by mutation
+    }
+  };
+
+  const handleChange = (event: React.ChangeEvent<HTMLInputElement>) => {
+    const value = event.currentTarget.checked;
+
+    modals.openConfirmModal({
+      title: value ? t("Disable public sharing") : t("Enable public sharing"),
+      children: (
+        <Text size="sm">
+          {value
+            ? t(
+                "Are you sure you want to disable public sharing? All existing shared links in this space will be deleted.",
+              )
+            : t(
+                "Are you sure you want to enable public sharing for this space?",
+              )}
+        </Text>
+      ),
+      centered: true,
+      labels: { confirm: t("Confirm"), cancel: t("Cancel") },
+      confirmProps: value ? { color: "red" } : {},
+      onConfirm: () => applyChange(value),
+    });
+  };
+
+  return (
+    <Group justify="space-between" wrap="nowrap" gap="xl">
+      <div>
+        <Text size="md">{t("Disable public sharing")}</Text>
+        <Text size="sm" c="dimmed">
+          {workspaceDisabled
+            ? t("Public sharing is disabled at the workspace level")
+            : t("Prevent pages in this space from being shared publicly.")}
+        </Text>
+      </div>
+      <Tooltip
+        label={t("Public sharing is disabled at the workspace level")}
+        disabled={!workspaceDisabled}
+        refProp="rootRef"
+      >
+        <Switch
+          checked={checked}
+          onChange={handleChange}
+          disabled={workspaceDisabled}
+          aria-label={t("Toggle space public sharing")}
+        />
+      </Tooltip>
+    </Group>
+  );
+}

apps/client/src/ee/security/pages/security.tsx

@@ -9,15 +9,16 @@ import CreateSsoProvider from "@/ee/security/components/create-sso-provider.tsx"
 import EnforceSso from "@/ee/security/components/enforce-sso.tsx";
 import AllowedDomains from "@/ee/security/components/allowed-domains.tsx";
 import { useTranslation } from "react-i18next";
-import useLicense from "@/ee/hooks/use-license.tsx";
-import usePlan from "@/ee/hooks/use-plan.tsx";
 import EnforceMfa from "@/ee/security/components/enforce-mfa.tsx";
+import DisablePublicSharing from "@/ee/security/components/disable-public-sharing.tsx";
+import useEnterpriseAccess from "@/ee/hooks/use-enterprise-access.tsx";
+import { useIsCloudEE } from "@/hooks/use-is-cloud-ee.tsx";
 
 export default function Security() {
   const { t } = useTranslation();
   const { isAdmin } = useUserRole();
-  const { hasLicenseKey } = useLicense();
+  const hasEnterpriseAccess = useEnterpriseAccess();
-  const { isBusiness } = usePlan();
+  const isCloudEE = useIsCloudEE();
 
   if (!isAdmin) {
     return null;
@@ -30,26 +31,41 @@ export default function Security() {
       </Helmet>
       <SettingsTitle title={t("Security")} />
 
-      <AllowedDomains />
-
-      <Divider my="lg" />
-
       <EnforceMfa />
 
       <Divider my="lg" />
 
+      {(!isCloud() || hasEnterpriseAccess) && (
+        <>
+          <DisablePublicSharing />
+          <Divider my="lg" />
+        </>
+      )}
+
       <Title order={4} my="lg">
         Single sign-on (SSO)
       </Title>
 
-      {(isCloud() && isBusiness) || (!isCloud() && hasLicenseKey) ? (
+      {hasEnterpriseAccess && (
         <>
           <EnforceSso />
           <Divider my="lg" />
+        </>
+      )}
+
+      {isCloudEE && (
+        <>
+          <AllowedDomains />
+          <Divider my="lg" />
+        </>
+      )}
+
+      {hasEnterpriseAccess && (
+        <>
           <CreateSsoProvider />
           <Divider size={0} my="lg" />
         </>
-      ) : null}
+      )}
 
       <SsoProviderList />
     </>

apps/client/src/features/share/components/share-modal.tsx

@@ -26,6 +26,9 @@ import { getAppUrl, isCloud } from "@/lib/config.ts";
 import { buildPageUrl } from "@/features/page/page.utils.ts";
 import classes from "@/features/share/components/share.module.css";
 import useTrial from "@/ee/hooks/use-trial.tsx";
+import { useAtom } from "jotai";
+import { workspaceAtom } from "@/features/user/atoms/current-user-atom.ts";
+import { useSpaceQuery } from "@/features/space/queries/space-query.ts";
 
 interface ShareModalProps {
   readOnly: boolean;
@@ -40,6 +43,12 @@ export default function ShareModal({ readOnly }: ShareModalProps) {
   const { data: share } = useShareForPageQuery(pageId);
   const { spaceSlug } = useParams();
   const { isTrial } = useTrial();
+  const [workspace] = useAtom(workspaceAtom);
+  const { data: space } = useSpaceQuery(spaceSlug);
+  const workspaceDisabled =
+    workspace?.settings?.sharing?.disabled === true;
+  const spaceDisabled = space?.settings?.sharing?.disabled === true;
+  const sharingDisabled = workspaceDisabled || spaceDisabled;
   const createShareMutation = useCreateShareMutation();
   const updateShareMutation = useUpdateShareMutation();
   const deleteShareMutation = useDeleteShareMutation();
@@ -164,6 +173,20 @@ export default function ShareModal({ readOnly }: ShareModalProps) {
               {t("Upgrade Plan")}
             </Button>
           </>
+        ) : sharingDisabled ? (
+          <>
+            <Group justify="center" mb="sm">
+              <IconLock size={20} stroke={1.5} />
+            </Group>
+            <Text size="sm" ta="center" fw={500} mb="xs">
+              {t("Public sharing is disabled")}
+            </Text>
+            <Text size="sm" c="dimmed" ta="center">
+              {workspaceDisabled
+                ? t("Public sharing has been disabled at the workspace level.")
+                : t("Public sharing has been disabled for this space.")}
+            </Text>
+          </>
         ) : isDescendantShared ? (
           <>
             <Text size="sm">{t("Inherits public sharing from")}</Text>

apps/client/src/features/space/components/space-details.tsx

@@ -18,6 +18,8 @@ import {
   ResponsiveSettingsControl,
   ResponsiveSettingsRow,
 } from "@/components/ui/responsive-settings-row.tsx";
+import SpacePublicSharingToggle from "@/ee/security/components/space-public-sharing-toggle.tsx";
+import useEnterpriseAccess from "@/ee/hooks/use-enterprise-access.tsx";
 
 interface SpaceDetailsProps {
   spaceId: string;
@@ -26,6 +28,8 @@ interface SpaceDetailsProps {
 export default function SpaceDetails({ spaceId, readOnly }: SpaceDetailsProps) {
   const { t } = useTranslation();
   const { data: space, isLoading, refetch } = useSpaceQuery(spaceId);
+  const hasEnterpriseAccess = useEnterpriseAccess();
+  const showSharingToggle = !readOnly && hasEnterpriseAccess;
   const [exportOpened, { open: openExportModal, close: closeExportModal }] =
     useDisclosure(false);
   const [isIconUploading, setIsIconUploading] = useState(false);
@@ -77,7 +81,6 @@ export default function SpaceDetails({ spaceId, readOnly }: SpaceDetailsProps) {
               fallbackName={space.name}
               size={"60px"}
               variant="filled"
-
               type={AvatarIconType.SPACE_ICON}
               onUpload={handleIconUpload}
               onRemove={handleIconRemove}
@@ -88,6 +91,13 @@ export default function SpaceDetails({ spaceId, readOnly }: SpaceDetailsProps) {
 
           <EditSpaceForm space={space} readOnly={readOnly} />
 
+          {showSharingToggle && (
+            <>
+              <Divider my="lg" />
+              <SpacePublicSharingToggle space={space} />
+            </>
+          )}
+
           {!readOnly && (
             <>
               <Divider my="lg" />

apps/client/src/features/space/types/space.types.ts

@@ -5,6 +5,14 @@ import {
 } from "@/features/space/permissions/permissions.type.ts";
 import { ExportFormat } from "@/features/page/types/page.types.ts";
 
+export interface ISpaceSharingSettings {
+  disabled?: boolean;
+}
+
+export interface ISpaceSettings {
+  sharing?: ISpaceSharingSettings;
+}
+
 export interface ISpace {
   id: string;
   name: string;
@@ -18,6 +26,9 @@ export interface ISpace {
   memberCount?: number;
   spaceId?: string;
   membership?: IMembership;
+  settings?: ISpaceSettings;
+  // for updates
+  disablePublicSharing?: boolean;
 }
 
 interface IMembership {

apps/client/src/features/workspace/services/workspace-service.ts

@@ -42,7 +42,7 @@ export async function deleteWorkspaceMember(data: {
   await api.post("/workspace/members/delete", data);
 }
 
-export async function updateWorkspace(data: Partial<IWorkspace> & { aiSearch?: boolean }) {
+export async function updateWorkspace(data: Partial<IWorkspace>) {
   const req = await api.post<IWorkspace>("/workspace/update", data);
   return req.data;
 }
@@ -66,7 +66,9 @@ export async function createInvitation(data: ICreateInvite) {
   return req.data;
 }
 
-export async function acceptInvitation(data: IAcceptInvite): Promise<{ requiresLogin?: boolean; }> {
+export async function acceptInvitation(
+  data: IAcceptInvite,
+): Promise<{ requiresLogin?: boolean }> {
   const req = await api.post("/workspace/invites/accept", data);
   return req.data;
 }
@@ -108,4 +110,3 @@ export async function getAppVersion(): Promise<IVersion> {
   const req = await api.post("/version");
   return req.data;
 }
-

apps/client/src/features/workspace/types/workspace.types.ts

@@ -22,16 +22,23 @@ export interface IWorkspace {
   plan?: string;
   hasLicenseKey?: boolean;
   enforceMfa?: boolean;
+  aiSearch?: boolean;
+  disablePublicSharing?: boolean;
 }
 
 export interface IWorkspaceSettings {
   ai?: IWorkspaceAiSettings;
+  sharing?: IWorkspaceSharingSettings;
 }
 
 export interface IWorkspaceAiSettings {
   search?: boolean;
 }
 
+export interface IWorkspaceSharingSettings {
+  disabled?: boolean;
+}
+
 export interface ICreateInvite {
   role: string;
   emails: string[];

apps/server/package.json

@@ -92,9 +92,9 @@
     "pdfjs-dist": "^5.4.394",
     "pg-tsquery": "^8.4.2",
     "pgvector": "^0.2.1",
-    "postgres": "^3.4.8",
     "pino-http": "^11.0.0",
     "pino-pretty": "^13.1.3",
+    "postgres": "^3.4.8",
     "postmark": "^4.0.5",
     "react": "^18.3.1",
     "reflect-metadata": "^0.2.2",

apps/server/src/core/share/share.controller.ts

@@ -64,8 +64,18 @@ export class ShareController {
       throw new BadRequestException();
     }
 
+    const shareData = await this.shareService.getSharedPage(dto, workspace.id);
+
+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      workspace.id,
+      shareData.share.spaceId,
+    );
+    if (!sharingAllowed) {
+      throw new NotFoundException('Shared page not found');
+    }
+
     return {
-      ...(await this.shareService.getSharedPage(dto, workspace.id)),
+      ...shareData,
       hasLicenseKey: hasLicenseOrEE({
         licenseKey: workspace.licenseKey,
         isCloud: this.environmentService.isCloud(),
@@ -86,6 +96,14 @@ export class ShareController {
       throw new NotFoundException('Share not found');
     }
 
+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      share.workspaceId,
+      share.spaceId,
+    );
+    if (!sharingAllowed) {
+      throw new NotFoundException('Share not found');
+    }
+
     return share;
   }
 
@@ -127,6 +145,14 @@ export class ShareController {
       throw new ForbiddenException();
     }
 
+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      workspace.id,
+      page.spaceId,
+    );
+    if (!sharingAllowed) {
+      throw new ForbiddenException('Public sharing is disabled');
+    }
+
     return this.shareService.createShare({
       page,
       authUserId: user.id,
@@ -176,8 +202,21 @@ export class ShareController {
     @Body() dto: ShareIdDto,
     @AuthWorkspace() workspace: Workspace,
   ) {
+    const treeData = await this.shareService.getShareTree(
+      dto.shareId,
+      workspace.id,
+    );
+
+    const sharingAllowed = await this.shareService.isSharingAllowed(
+      workspace.id,
+      treeData.share.spaceId,
+    );
+    if (!sharingAllowed) {
+      throw new NotFoundException('Share not found');
+    }
+
     return {
-      ...(await this.shareService.getShareTree(dto.shareId, workspace.id)),
+      ...treeData,
       hasLicenseKey: hasLicenseOrEE({
         licenseKey: workspace.licenseKey,
         isCloud: this.environmentService.isCloud(),

apps/server/src/core/share/share.service.ts

@@ -264,6 +264,31 @@ export class ShareService {
     return ancestor;
   }
 
+  async isSharingAllowed(
+    workspaceId: string,
+    spaceId: string,
+  ): Promise<boolean> {
+    const result = await this.db
+      .selectFrom('workspaces')
+      .innerJoin('spaces', 'spaces.workspaceId', 'workspaces.id')
+      .select([
+        'workspaces.settings as workspaceSettings',
+        'spaces.settings as spaceSettings',
+      ])
+      .where('workspaces.id', '=', workspaceId)
+      .where('spaces.id', '=', spaceId)
+      .executeTakeFirst();
+
+    if (!result) return false;
+
+    const workspaceDisabled =
+      (result.workspaceSettings as any)?.sharing?.disabled === true;
+    const spaceDisabled =
+      (result.spaceSettings as any)?.sharing?.disabled === true;
+
+    return !workspaceDisabled && !spaceDisabled;
+  }
+
   async updatePublicAttachments(page: Page): Promise<any> {
     const prosemirrorJson = getProsemirrorContent(page.content);
     const attachmentIds = getAttachmentIds(prosemirrorJson);

apps/server/src/core/space/dto/update-space.dto.ts

@@ -1,10 +1,14 @@
 import { PartialType } from '@nestjs/mapped-types';
 import { CreateSpaceDto } from './create-space.dto';
-import { IsNotEmpty, IsString, IsUUID } from 'class-validator';
+import { IsBoolean, IsNotEmpty, IsOptional, IsString, IsUUID } from 'class-validator';
 
 export class UpdateSpaceDto extends PartialType(CreateSpaceDto) {
   @IsString()
   @IsNotEmpty()
   @IsUUID()
   spaceId: string;
+
+  @IsOptional()
+  @IsBoolean()
+  disablePublicSharing: boolean;
 }

apps/server/src/core/space/services/space.service.ts

@@ -1,5 +1,6 @@
 import {
   BadRequestException,
+  ForbiddenException,
   Injectable,
   NotFoundException,
 } from '@nestjs/common';
@@ -17,12 +18,18 @@ import { QueueJob, QueueName } from 'src/integrations/queue/constants';
 import { Queue } from 'bullmq';
 import { InjectQueue } from '@nestjs/bullmq';
 import { CursorPaginationResult } from '@docmost/db/pagination/cursor-pagination';
+import { ShareRepo } from '@docmost/db/repos/share/share.repo';
+import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
+import { LicenseCheckService } from '../../../integrations/environment/license-check.service';
 
 @Injectable()
 export class SpaceService {
   constructor(
     private spaceRepo: SpaceRepo,
     private spaceMemberService: SpaceMemberService,
+    private shareRepo: ShareRepo,
+    private workspaceRepo: WorkspaceRepo,
+    private licenseCheckService: LicenseCheckService,
     @InjectKysely() private readonly db: KyselyDB,
     @InjectQueue(QueueName.ATTACHMENT_QUEUE) private attachmentQueue: Queue,
   ) {}
@@ -105,6 +112,31 @@ export class SpaceService {
       }
     }
 
+    if (typeof updateSpaceDto.disablePublicSharing !== 'undefined') {
+      const workspace = await this.workspaceRepo.findById(workspaceId, {
+        withLicenseKey: true,
+      });
+
+      if (
+        !this.licenseCheckService.isValidEELicense(workspace.licenseKey)
+      ) {
+        throw new ForbiddenException(
+          'This feature requires a valid enterprise license',
+        );
+      }
+
+      await this.spaceRepo.updateSharingSettings(
+        updateSpaceDto.spaceId,
+        workspaceId,
+        'disabled',
+        updateSpaceDto.disablePublicSharing,
+      );
+
+      if (updateSpaceDto.disablePublicSharing) {
+        await this.shareRepo.deleteBySpaceId(updateSpaceDto.spaceId);
+      }
+    }
+
     return await this.spaceRepo.updateSpace(
       {
         name: updateSpaceDto.name,

apps/server/src/core/workspace/dto/update-workspace.dto.ts

@@ -30,4 +30,8 @@ export class UpdateWorkspaceDto extends PartialType(CreateWorkspaceDto) {
   @IsOptional()
   @IsBoolean()
   generativeAi: boolean;
+
+  @IsOptional()
+  @IsBoolean()
+  disablePublicSharing: boolean;
 }

apps/server/src/core/workspace/services/workspace.service.ts

@@ -5,6 +5,7 @@ import {
   Logger,
   NotFoundException,
 } from '@nestjs/common';
+import { LicenseCheckService } from '../../../integrations/environment/license-check.service';
 import { CreateWorkspaceDto } from '../dto/create-workspace.dto';
 import { UpdateWorkspaceDto } from '../dto/update-workspace.dto';
 import { SpaceService } from '../../space/services/space.service';
@@ -33,6 +34,7 @@ import { Queue } from 'bullmq';
 import { generateRandomSuffixNumbers } from '../../../common/helpers';
 import { isPageEmbeddingsTableExists } from '@docmost/db/helpers/helpers';
 import { CursorPaginationResult } from '@docmost/db/pagination/cursor-pagination';
+import { ShareRepo } from '@docmost/db/repos/share/share.repo';
 
 @Injectable()
 export class WorkspaceService {
@@ -47,6 +49,8 @@ export class WorkspaceService {
     private userRepo: UserRepo,
     private environmentService: EnvironmentService,
     private domainService: DomainService,
+    private licenseCheckService: LicenseCheckService,
+    private shareRepo: ShareRepo,
     @InjectKysely() private readonly db: KyselyDB,
     @InjectQueue(QueueName.ATTACHMENT_QUEUE) private attachmentQueue: Queue,
     @InjectQueue(QueueName.BILLING_QUEUE) private billingQueue: Queue,
@@ -358,6 +362,32 @@ export class WorkspaceService {
       delete updateWorkspaceDto.generativeAi;
     }
 
+    if (typeof updateWorkspaceDto.disablePublicSharing !== 'undefined') {
+      const currentWorkspace = await this.workspaceRepo.findById(workspaceId, {
+        withLicenseKey: true,
+      });
+
+      if (
+        !this.licenseCheckService.isValidEELicense(currentWorkspace.licenseKey)
+      ) {
+        throw new ForbiddenException(
+          'This feature requires a valid enterprise license',
+        );
+      }
+
+      await this.workspaceRepo.updateSharingSettings(
+        workspaceId,
+        'disabled',
+        updateWorkspaceDto.disablePublicSharing,
+      );
+
+      if (updateWorkspaceDto.disablePublicSharing) {
+        await this.shareRepo.deleteByWorkspaceId(workspaceId);
+      }
+
+      delete updateWorkspaceDto.disablePublicSharing;
+    }
+
     await this.workspaceRepo.updateWorkspace(updateWorkspaceDto, workspaceId);
 
     const workspace = await this.workspaceRepo.findById(workspaceId, {

apps/server/src/database/migrations/20260205T214213-add-settings-to-spaces.ts

@@ -0,0 +1,9 @@
+import { Kysely } from 'kysely';
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await db.schema.alterTable('spaces').addColumn('settings', 'jsonb').execute();
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.alterTable('spaces').dropColumn('settings').execute();
+}

apps/server/src/database/repos/share/share.repo.ts

@@ -136,6 +136,20 @@ export class ShareRepo {
     await query.execute();
   }
 
+  async deleteBySpaceId(spaceId: string): Promise<void> {
+    await this.db
+      .deleteFrom('shares')
+      .where('spaceId', '=', spaceId)
+      .execute();
+  }
+
+  async deleteByWorkspaceId(workspaceId: string): Promise<void> {
+    await this.db
+      .deleteFrom('shares')
+      .where('workspaceId', '=', workspaceId)
+      .execute();
+  }
+
   async getShares(userId: string, pagination: PaginationOptions) {
     const query = this.db
       .selectFrom('shares')

apps/server/src/database/repos/space/space.repo.ts

@@ -89,6 +89,26 @@ export class SpaceRepo {
       .executeTakeFirst();
   }
 
+  async updateSharingSettings(
+    spaceId: string,
+    workspaceId: string,
+    prefKey: string,
+    prefValue: string | boolean,
+  ) {
+    return this.db
+      .updateTable('spaces')
+      .set({
+        settings: sql`COALESCE(settings, '{}'::jsonb)
+          || jsonb_build_object('sharing', COALESCE(settings->'sharing', '{}'::jsonb)
+          || jsonb_build_object('${sql.raw(prefKey)}', ${sql.lit(prefValue)}))`,
+        updatedAt: new Date(),
+      })
+      .where('id', '=', spaceId)
+      .where('workspaceId', '=', workspaceId)
+      .returningAll()
+      .executeTakeFirst();
+  }
+
   async insertSpace(
     insertableSpace: InsertableSpace,
     trx?: KyselyTransaction,

apps/server/src/database/repos/workspace/workspace.repo.ts

@@ -167,7 +167,7 @@ export class WorkspaceRepo {
       .updateTable('workspaces')
       .set({
         settings: sql`COALESCE(settings, '{}'::jsonb)
-                || jsonb_build_object('api', COALESCE(settings->'api', '{}'::jsonb) 
+                || jsonb_build_object('api', COALESCE(settings->'api', '{}'::jsonb)
                 || jsonb_build_object('${sql.raw(prefKey)}', ${sql.lit(prefValue)}))`,
         updatedAt: new Date(),
       })
@@ -185,7 +185,25 @@ export class WorkspaceRepo {
       .updateTable('workspaces')
       .set({
         settings: sql`COALESCE(settings, '{}'::jsonb)
-                || jsonb_build_object('ai', COALESCE(settings->'ai', '{}'::jsonb) 
+                || jsonb_build_object('ai', COALESCE(settings->'ai', '{}'::jsonb)
+                || jsonb_build_object('${sql.raw(prefKey)}', ${sql.lit(prefValue)}))`,
+        updatedAt: new Date(),
+      })
+      .where('id', '=', workspaceId)
+      .returning(this.baseFields)
+      .executeTakeFirst();
+  }
+
+  async updateSharingSettings(
+    workspaceId: string,
+    prefKey: string,
+    prefValue: string | boolean,
+  ) {
+    return this.db
+      .updateTable('workspaces')
+      .set({
+        settings: sql`COALESCE(settings, '{}'::jsonb)
+                || jsonb_build_object('sharing', COALESCE(settings->'sharing', '{}'::jsonb)
                 || jsonb_build_object('${sql.raw(prefKey)}', ${sql.lit(prefValue)}))`,
         updatedAt: new Date(),
       })

apps/server/src/database/types/db.d.ts

@@ -273,6 +273,7 @@ export interface Spaces {
   id: Generated<string>;
   logo: string | null;
   name: string | null;
+  settings: Json | null;
   slug: string;
   updatedAt: Generated<Timestamp>;
   visibility: Generated<string>;

apps/server/src/integrations/environment/environment.module.ts

@@ -4,6 +4,7 @@ import { ConfigModule } from '@nestjs/config';
 import { validate } from './environment.validation';
 import { envPath } from '../../common/helpers';
 import { DomainService } from './domain.service';
+import { LicenseCheckService } from './license-check.service';
 
 @Global()
 @Module({
@@ -15,7 +16,7 @@ import { DomainService } from './domain.service';
       validate,
     }),
   ],
-  providers: [EnvironmentService, DomainService],
+  providers: [EnvironmentService, DomainService, LicenseCheckService],
-  exports: [EnvironmentService, DomainService],
+  exports: [EnvironmentService, DomainService, LicenseCheckService],
 })
 export class EnvironmentModule {}

apps/server/src/integrations/environment/license-check.service.ts

@@ -0,0 +1,28 @@
+import { Injectable } from '@nestjs/common';
+import { ModuleRef } from '@nestjs/core';
+import { EnvironmentService } from './environment.service';
+
+@Injectable()
+export class LicenseCheckService {
+  constructor(
+    private moduleRef: ModuleRef,
+    private environmentService: EnvironmentService,
+  ) {}
+
+  isValidEELicense(licenseKey: string): boolean {
+    if (this.environmentService.isCloud()) {
+      return true;
+    }
+
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-require-imports
+      const LicenseModule = require('../../ee/licence/license.service');
+      const licenseService = this.moduleRef.get(LicenseModule.LicenseService, {
+        strict: false,
+      });
+      return licenseService.isValidEELicense(licenseKey);
+    } catch {
+      return false;
+    }
+  }
+}