Harden uploads and enforce language-prefixed routes

claims/tests.py

@@ -1,3 +1,67 @@
-from django.test import TestCase
+from django.core.exceptions import ValidationError
+from django.core.files.uploadedfile import SimpleUploadedFile
+from django.test import TestCase, override_settings
 
-# Create your tests here.
+from .validators import validate_receipt_file
+from .views import SubmitClaimView
+
+
+class ReceiptValidatorTests(TestCase):
+    def test_accepts_valid_pdf(self):
+        file_obj = SimpleUploadedFile(
+            "receipt.pdf",
+            b"%PDF-1.4\nsample",
+            content_type="application/pdf",
+        )
+        try:
+            validate_receipt_file(file_obj)
+        except ValidationError as exc:  # pragma: no cover - explicit failure message
+            self.fail(f"Valid PDF rejected: {exc}")
+
+    def test_rejects_disallowed_extension(self):
+        file_obj = SimpleUploadedFile(
+            "script.exe",
+            b"MZ fake exe",
+            content_type="application/octet-stream",
+        )
+        with self.assertRaises(ValidationError):
+            validate_receipt_file(file_obj)
+
+    @override_settings(CLAIMS_MAX_RECEIPT_BYTES=1024)
+    def test_rejects_too_large_file(self):
+        big_payload = b"%PDF-1.4\n" + b"a" * 2048
+        file_obj = SimpleUploadedFile(
+            "large.pdf",
+            big_payload,
+            content_type="application/pdf",
+        )
+        with self.assertRaises(ValidationError):
+            validate_receipt_file(file_obj)
+
+    def test_rejects_signature_mismatch(self):
+        file_obj = SimpleUploadedFile(
+            "fake.pdf",
+            b"\x89PNG\r\n\x1a\nnot a pdf",
+            content_type="application/pdf",
+        )
+        with self.assertRaises(ValidationError):
+            validate_receipt_file(file_obj)
+
+
+class ClaimFormsetLimitTests(TestCase):
+    def test_default_formset_has_single_row(self):
+        view = SubmitClaimView()
+        formset = view.build_formset(extra=1)
+        self.assertEqual(formset.total_form_count(), 1)
+
+    def test_cannot_submit_more_than_max_forms(self):
+        view = SubmitClaimView()
+        data = {
+            "claim_lines-TOTAL_FORMS": "6",
+            "claim_lines-INITIAL_FORMS": "0",
+            "claim_lines-MIN_NUM_FORMS": "1",
+            "claim_lines-MAX_NUM_FORMS": "5",
+        }
+        formset = view.build_formset(data=data)
+        self.assertFalse(formset.is_valid())
+        self.assertTrue(formset.non_form_errors())