✨(backend) allow uploading more types of attachments

We want to allow users to upload files to a document, not just images. We try to enforce coherence between the file extension and the real mime type of its content. If a file is deemed unsafe, it is still accepted during upload and the information is stored as metadata on the object for display to readers.
2024-10-07 20:10:42 +02:00
parent a9f08df566
commit e8d95facdf
7 changed files with 229 additions and 50 deletions
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -1,6 +1,5 @@
 """API endpoints"""

-import os
 import re
 import uuid
 from urllib.parse import urlparse
@@ -476,15 +475,22 @@ class DocumentViewSet(
            return drf_response.Response(
                serializer.errors, status=status.HTTP_400_BAD_REQUEST
            )
-        # Extract the file extension from the original filename
-        file = serializer.validated_data["file"]
-        extension = os.path.splitext(file.name)[1]

        # Generate a generic yet unique filename to store the image in object storage
        file_id = uuid.uuid4()
-        key = f"{document.key_base}/{ATTACHMENTS_FOLDER:s}/{file_id!s}{extension:s}"
+        extension = serializer.validated_data["expected_extension"]
+        key = f"{document.key_base}/{ATTACHMENTS_FOLDER:s}/{file_id!s}.{extension:s}"
+
+        # Prepare metadata for storage
+        metadata = {"Metadata": {"owner": str(request.user.id)}}
+        if serializer.validated_data["is_unsafe"]:
+            metadata["Metadata"]["is_unsafe"] = "true"
+
+        file = serializer.validated_data["file"]
+        default_storage.connection.meta.client.upload_fileobj(
+            file, default_storage.bucket_name, key, ExtraArgs=metadata
+        )

-        default_storage.save(key, file)
        return drf_response.Response(
            {"file": f"{settings.MEDIA_URL:s}{key:s}"}, status=status.HTTP_201_CREATED
        )