Harden uploads and enforce language-prefixed routes

2025-11-09 10:03:23 +01:00
parent 3835be3c17
commit 79f5cb8ff3
10 changed files with 263 additions and 66 deletions
--- a/claims/views.py
+++ b/claims/views.py
@@ -20,7 +20,7 @@ from .forms import (
    UserPermissionForm,
 )
 from .email_utils import notify_admin_of_claim, send_claimant_confirmation_email
-from .models import Claim, ClaimLog, SystemSetting
+from .models import Claim, ClaimLog

 User = get_user_model()

@@ -31,17 +31,21 @@ class SubmitClaimView(View):

    def get_extra_forms(self):
        try:
-            count = int(self.request.GET.get("forms", 2))
+            count = int(self.request.GET.get("forms", 1))
        except (TypeError, ValueError):
-            count = 2
+            count = 1
        return max(1, min(count, self.max_extra_forms))

    def build_formset(self, *, data=None, files=None, extra=0):
+        extra_forms = max(0, extra - 1)
        FormSet = formset_factory(
            ClaimLineForm,
-            extra=extra,
+            extra=extra_forms,
            min_num=1,
+            max_num=self.max_extra_forms,
+            absolute_max=self.max_extra_forms,
            validate_min=True,
+            validate_max=True,
        )
        return FormSet(data=data, files=files, prefix="claim_lines")

@@ -154,7 +158,7 @@ class ClaimAdminListView(LoginRequiredMixin, PermissionRequiredMixin, ListView):
        context["status_choices"] = Claim.Status.choices
        context["decision_choices"] = ClaimDecisionForm().fields["action"].choices
        context["can_change"] = self.request.user.has_perm("claims.change_claim")
-        context["payments_enabled"] = SystemSetting.internal_payments_active()
+        context["payments_enabled"] = getattr(settings, "CLAIMS_ENABLE_INTERNAL_PAYMENTS", False)
        return context

    def post(self, request, *args, **kwargs):
@@ -202,7 +206,7 @@ class ClaimAdminListView(LoginRequiredMixin, PermissionRequiredMixin, ListView):
        return redirect(request.get_full_path())

    def _handle_payment(self, request):
-        if not SystemSetting.internal_payments_active():
+        if not getattr(settings, "CLAIMS_ENABLE_INTERNAL_PAYMENTS", False):
            messages.error(request, _("Betalningshantering är inte aktiverad."))
            return redirect(request.get_full_path())
        if not request.user.has_perm("claims.change_claim"):