Merge pull request #50 from SADiLaR/feature/document_upload_check

added magic to check mime_type

Dockerfile

@@ -12,6 +12,7 @@ WORKDIR /app
 COPY requirements.txt /app/
 
 RUN apt-get update && apt-get -y upgrade
+RUN apt-get install libmagic1 -y
 
 # Install dependencies
 RUN pip install --upgrade pip

Dockerfile-dev

@@ -14,6 +14,7 @@ COPY requirements.txt /app/
 COPY requirements-dev.txt /app/
 
 RUN apt-get update && apt-get -y upgrade
+RUN apt-get install libmagic1 -y
 RUN apt-get install --no-install-recommends -y graphviz graphviz-dev
 
 # Install dependencies

README.md

@@ -10,38 +10,49 @@ About the project:
 - Docker-compose
 - Makefile reader installed on device
 
+---
+
 ## Installations guide
 
 ### Using Docker-compose
 
 1. docker-compose up --build
 2. docker-compose down
 
+---
+
 ### Using Makefile
 
 1. Clone the repository
 2. Run `make build` to build the docker image
 3. Run `make run` to run the docker container
 4. Run `make stop` to stop the docker container
 
-## Production
+---
 
 ### Plugins installed
 
 #### Django Simple History
 
-https://django-simple-history.readthedocs.io/en/latest/
+* https://django-simple-history.readthedocs.io/en/latest/
+
+#### python-magic
+
+* https://pypi.org/project/python-magic/
+
+---
+
+## Production
 
 #### Basic setup for production
 
 ### environment variables
 
 please use .env.example as example
 
-
 ## Production Information
 
 Docker Volumes for production:
 
-/media
-/logging
+* /media
+* /logging

app/general/admin.py

@@ -1,7 +1,6 @@
-import mimetypes
-
+import magic
 from django.contrib import admin
-from django.forms import HiddenInput, ModelForm, fields_for_model
+from django.forms import HiddenInput, ModelForm
 from simple_history.admin import SimpleHistoryAdmin
 
 from .models import DocumentFile, Institution, Language, Project, Subject
@@ -26,10 +25,14 @@ def clean(self):
         url = cleaned_data.get("url", "")
         uploaded_file = cleaned_data.get("uploaded_file", "")
 
-        if cleaned_data["mime_type"] is not None:
-            cleaned_data["mime_type"] = (
-                mimetypes.guess_type(uploaded_file.name)[0] if uploaded_file else ""
-            )
+        if uploaded_file:
+            file_type = magic.from_buffer(uploaded_file.read(), mime=True)
+            if file_type != "application/pdf":
+                self.add_error("uploaded_file", "Only PDF files are allowed.")
+
+            cleaned_data["mime_type"] = file_type
+
+            uploaded_file.seek(0)  # Reset file pointer after read
 
         if not url and not uploaded_file:
             self.add_error("url", "Either URL or uploaded file must be provided.")

app/general/tests/test_document_admin_file.py

@@ -1,5 +1,4 @@
 import unittest
-from unittest.mock import Mock
 
 from django.core.files.uploadedfile import SimpleUploadedFile
 
@@ -8,10 +7,14 @@
 
 
 class TestDocumentFileForm(unittest.TestCase):
+    def __init__(self, methodName: str = "runTest"):
+        super().__init__(methodName)
+        self.form = None
+
     def setUp(self):
-        self.file_mock = Mock(spec=SimpleUploadedFile)
-        self.file_mock.name = "test.pdf"
-        self.file_mock.size = 5242880
+        pdf_file = b"%PDF-1.1 0 obj<</Pages 2 0 R>>endobj2 0 obj<</Kids[3 0 R]/Count 1>>endobj3 0 obj<</Parent 2 0 R>>endobjtrailer <</Root 1 0 R>>"
+
+        self.file_mock = SimpleUploadedFile("test.pdf", pdf_file, content_type="application/pdf")
 
     def test_clean_without_url_and_file(self):
         tests_form = {
@@ -57,7 +60,6 @@ def test_clean_without_url(self):
         }
 
         form = DocumentFileForm(tests_form, files={"uploaded_file": self.file_mock})
-
         self.assertTrue(form.is_valid())
 
     def test_clean_with_large_file(self):

requirements.txt

@@ -5,3 +5,4 @@ gunicorn
 psycopg2-binary
 whitenoise
 pillow
+python-magic