assets: check file extension on overwrite (#30897)

2019-10-15 10:44:26 +02:00 · 2019-10-15 10:44:26 +02:00 · beefe2c348
parent ef58cc3235
commit beefe2c348
2 changed files with 30 additions and 3 deletions
--- a/combo/apps/assets/views.py
+++ b/combo/apps/assets/views.py
@ -174,6 +174,17 @@ class AssetOverwrite(FormView):
            raise PermissionDenied()

        upload = self.request.FILES['upload']
+
+        # check that the new file and the original have the same extension
+        ext_orig = os.path.splitext(img_orig)[1].lower()
+        ext_upload = os.path.splitext(upload.name)[1].lower()
+        if ext_orig != ext_upload:
+            messages.error(
+                self.request,
+                _('You have to upload a file with the same extension (%(ext)s).')
+                % {'ext': ext_orig})
+            return super(AssetOverwrite, self).form_valid(form)
+
        default_storage.delete(img_orig)
        if getattr(settings, 'CKEDITOR_IMAGE_BACKEND', None):
            thumb = ckeditor.utils.get_thumb_filename(img_orig)
--- a/tests/test_manager.py
+++ b/tests/test_manager.py
@ -769,9 +769,11 @@ def test_asset_management(app, admin_user):

    # check overwriting
    resp = resp.click('Overwrite')
-    resp.form['upload'] = Upload('test.png',
-            base64.decodestring(b'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAAAAAA6fptVAAAACklEQVQI12NgAgAABAADRWoApgAA\nAABJRU5ErkJggg=='),
-            'image/png')
+    # test with the same extension but uppercased
+    resp.form['upload'] = Upload(
+        'test.PNG',
+        base64.decodestring(b'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAAAAAA6fptVAAAACklEQVQI12NgAgAABAADRWoApgAA\nAABJRU5ErkJggg=='),
+        'image/png')
    resp = resp.form.submit().follow()

    resp.click('test.png')
@ -780,6 +782,20 @@ def test_asset_management(app, admin_user):
    thumbnail_contents_new = open(thumbnail_path, mode='rb').read()
    assert thumbnail_contents_new != thumbnail_contents

+    # try to overwrite with a different mimetype
+    resp = resp.click('Overwrite')
+    resp.form['upload'] = Upload(
+        'test.pdf',
+        base64.decodestring(b'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAAAAAA6fptVAAAACklEQVQI12NgAgAABAADRWoApgAA\nAABJRU5ErkJggg=='),
+        'application/pdf')
+    with mock.patch('combo.apps.assets.views.default_storage.delete') as mock_delete:
+        resp = resp.form.submit().follow()
+    # original file was not deleted
+    assert mock_delete.call_args_list == []
+    messages = resp.context['messages']
+    assert len(messages._loaded_messages) == 1
+    assert messages._loaded_messages[0].message == 'You have to upload a file with the same extension (.png).'
+
    # test deletion
    resp = resp.click('Delete')
    assert 'Are you sure you want to delete' in resp.text