Harden uploads and enforce language-prefixed routes

claims/models.py

@@ -5,6 +5,8 @@ from django.core.files.storage import default_storage
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
+from .validators import validate_receipt_file
+
 
 class Project(models.Model):
     name = models.CharField(max_length=255)
@@ -51,7 +53,12 @@ class Claim(models.Model):
     )
     description = models.TextField(help_text=_("Describe what the reimbursement is for"))
     account_number = models.CharField(max_length=50)
-    receipt = models.FileField(upload_to="receipts/", blank=True, null=True)
+    receipt = models.FileField(
+        upload_to="receipts/",
+        blank=True,
+        null=True,
+        validators=[validate_receipt_file],
+    )
     project = models.ForeignKey(
         Project,
         null=True,
@@ -141,23 +148,3 @@ class ClaimLog(models.Model):
     def __str__(self):
         return f"{self.get_action_display()} ({self.created_at:%Y-%m-%d %H:%M})"
 
-
-class SystemSetting(models.Model):
-    internal_payments_enabled = models.BooleanField(default=True)
-    updated_at = models.DateTimeField(auto_now=True)
-
-    class Meta:
-        verbose_name = "Systeminställning"
-        verbose_name_plural = "Systeminställningar"
-
-    def __str__(self):
-        return "Systeminställningar"
-
-    @classmethod
-    def get_solo(cls):
-        obj, _ = cls.objects.get_or_create(pk=1)
-        return obj
-
-    @classmethod
-    def internal_payments_active(cls):
-        return cls.get_solo().internal_payments_enabled