back check for additional file extension restrictions

yverdon · May 21, 2024 · 8b76b49 · 8b76b49
1 parent 9bf8bb3
commit 8b76b49
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/geocity/apps/submissions/models.py b/geocity/apps/submissions/models.py
@@ -726,6 +726,7 @@ def set_field_value(self, form, field, value):
             existing_value_obj.delete()
         else:
             if is_file:
+
                 # Use private storage to prevent uploaded files exposition to the outside world
                 private_storage = fields.PrivateFileSystemStorage()
                 # If the given File has a `url` attribute, it means the value comes from the `initial` form data, so the
@@ -758,7 +759,21 @@ def set_field_value(self, form, field, value):
                     directory, "{}_{}_{}{}".format(form.pk, field.pk, file_uuid, ext)
                 )
 
+                # Check that extension is allowed in field configuration if additional restriction is defined in admin
+                if field.allowed_file_types:
+                    if upper_ext not in field.allowed_file_types.upper():
+                        logger.warning(
+                            f"Attempt to upload unauthorized file type  for file ({value.name})"
+                        )
+                        # FIXME: send the validation error correctly to the form as this will in fact only raise a generic error to the user
+                        raise ValidationError(
+                            _(
+                                f"L'extension du fichier n'est pas autorisé pour ce document"
+                            )
+                        )
+
                 private_storage.save(path, value)
+
                 # Postprocess images: remove all exif metadata from for better security and user privacy
                 if upper_ext != "PDF":
                     upper_ext = ext[1:].upper()