Harden uploads and enforce language-prefixed routes

2025-11-09 10:03:23 +01:00
parent 3835be3c17
commit 79f5cb8ff3
10 changed files with 263 additions and 66 deletions
--- a/claims_system/settings.py
+++ b/claims_system/settings.py
@@ -12,6 +12,7 @@ https://docs.djangoproject.com/en/5.2/ref/settings/

 import os
 from pathlib import Path
+from django.urls import reverse_lazy

 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -130,8 +131,8 @@ STATIC_URL = 'static/'
 MEDIA_URL = '/media/'
 MEDIA_ROOT = BASE_DIR / 'media'

-LOGIN_REDIRECT_URL = '/claims/admin/'
-LOGOUT_REDIRECT_URL = '/accounts/login/'
+LOGIN_REDIRECT_URL = reverse_lazy('claims:admin-list')
+LOGOUT_REDIRECT_URL = reverse_lazy('login')

 os.environ.setdefault("CLAIMS_ENABLE_INTERNAL_PAYMENTS", "true")
 CLAIMS_ENABLE_INTERNAL_PAYMENTS = os.getenv("CLAIMS_ENABLE_INTERNAL_PAYMENTS", "true").lower() in {"1", "true", "yes"}
@@ -148,6 +149,18 @@ CLAIMS_EMAIL_ENABLED = os.getenv("CLAIMS_EMAIL_ENABLED", "false").lower() in {"1
 CLAIMS_EMAIL_FROM = os.getenv("CLAIMS_EMAIL_FROM", "no-reply@claims.local")
 CLAIMS_ADMIN_NOTIFICATION_EMAIL = os.getenv("CLAIMS_ADMIN_NOTIFICATION_EMAIL", "")

+CLAIMS_MAX_RECEIPT_BYTES = int(os.getenv("CLAIMS_MAX_RECEIPT_BYTES", str(10 * 1024 * 1024)))
+CLAIMS_ALLOWED_RECEIPT_EXTENSIONS = tuple(
+    ext.strip().lower()
+    for ext in os.getenv("CLAIMS_ALLOWED_RECEIPT_EXTENSIONS", "pdf,png,jpg,jpeg").split(",")
+    if ext.strip()
+)
+CLAIMS_ALLOWED_RECEIPT_CONTENT_TYPES = tuple(
+    ct.strip().lower()
+    for ct in os.getenv("CLAIMS_ALLOWED_RECEIPT_CONTENT_TYPES", "application/pdf,image/png,image/jpeg").split(",")
+    if ct.strip()
+)
+
 # Default primary key field type
 # https://docs.djangoproject.com/en/5.2/ref/settings/#default-auto-field

--- a/claims_system/urls.py
+++ b/claims_system/urls.py
@@ -16,17 +16,22 @@ Including another URLconf
 """
 from django.conf import settings
 from django.conf.urls.static import static
+from django.conf.urls.i18n import i18n_patterns
 from django.contrib import admin
 from django.urls import include, path
 from django.views.generic import RedirectView

 urlpatterns = [
-    path('admin/', admin.site.urls),
-    path('claims/', include('claims.urls')),
-    path('accounts/', include('django.contrib.auth.urls')),
    path('i18n/', include('django.conf.urls.i18n')),
-    path('', RedirectView.as_view(pattern_name='claims:submit', permanent=False)),
+    path('', RedirectView.as_view(url=f'/{settings.LANGUAGE_CODE}/', permanent=False)),
 ]

+urlpatterns += i18n_patterns(
+    path('admin/', admin.site.urls),
+    path('accounts/', include('django.contrib.auth.urls')),
+    path('claims/', include('claims.urls')),
+    path('', RedirectView.as_view(pattern_name='claims:submit', permanent=False)),
+)
+
 if settings.DEBUG:
    urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)