Harden uploads and enforce language-prefixed routes

2025-11-09 10:03:23 +01:00
parent 3835be3c17
commit 79f5cb8ff3
10 changed files with 263 additions and 66 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -22,7 +22,7 @@ Bygg ett webbaserat system för hantering av utlägg (”claims”) åt en organ
 10. Claims ska kopplas till ett projekt/evenemang; projekten hanteras via Django admin.
 11. Offentliga sidor ska använda Tailwind-baserade komponenter (CDN är okej) med minimalistisk layout. Claim-formuläret ska erbjuda klient-side kontroll för antal rader (plus/minus) utan sidladdning och återanvända formsetets tomma form som mall.
 12. Adminvyn för claims ska spegla samma designprinciper (kort per claim, statuschippar, loggtimeline och inlinebeslut).
-13. Hantering av utbetalningar i UI är bakom flaggan `CLAIMS_ENABLE_INTERNAL_PAYMENTS` och kan även togglas via Django admin (modell `SystemSetting`). När den är på ska godkända claims få en summeringssektion med tydlig info (namn, belopp, kontonr) och en "Betala"-knapp som markerar posten som betald (med logg och markerad betalstatus). När flaggan är av saknas knappen och admins instrueras att hantera betalning externt.
+13. Hantering av utbetalningar i UI är bakom flaggan `CLAIMS_ENABLE_INTERNAL_PAYMENTS` (styrd via miljövariabel). När den är på ska godkända claims få en summeringssektion med tydlig info (namn, belopp, kontonr) och en "Betala"-knapp som markerar posten som betald (med logg och markerad betalstatus). När flaggan är av saknas knappen och admins instrueras att hantera betalning externt.
 14. När ett utlägg markerats som betalt ska beslut/status vara låst (ingen uppdatering av kommentar eller status i UI eller Django admin). Reset av betalstatus sker endast via admin-knappen.
 15. Filuppladdningar ska alltid få säkra, unika namn (UUID i `receipts/`), och originalnamn ska inte exponeras.
 16. För e-postaviseringar: använd `CLAIMS_EMAIL_ENABLED` (default false) och miljövariablerna `EMAIL_HOST`, `EMAIL_PORT`, `EMAIL_USE_TLS`, `EMAIL_HOST_USER`, `EMAIL_HOST_PASSWORD`, `CLAIMS_EMAIL_FROM`, `CLAIMS_ADMIN_NOTIFICATION_EMAIL`. När flaggan är av ska koden inte försöka skicka mejl (men gärna logga att aviseringar är inaktiverade).
--- a/README.md
+++ b/README.md
@@ -10,14 +10,14 @@ Modern Django/Tailwind-baserad portal för att ta emot, granska och betala utlä
 3. `uv run python manage.py createsuperuser`
 4. `uv run python manage.py runserver`
-Nyckel-URLer (default):
+Nyckel-URLer (språkprefixed):
- Offentligt formulär `GET /claims/new/`
+- Offentligt formulär `GET /sv/claims/new/` eller `/en/claims/new/`
- Bekräftelsesida `GET /claims/submitted/`
+- Bekräftelsesida `GET /sv/claims/submitted/`
- Adminlista `GET /claims/admin/`
+- Adminlista `GET /sv/claims/admin/`
- Mina utlägg `GET /claims/mine/`
+- Mina utlägg `GET /sv/claims/mine/`
- Användarhantering `GET /claims/users/`
+- Användarhantering `GET /sv/claims/users/`
- Export-placeholder `GET /claims/export/`
+- Export-placeholder `GET /sv/claims/export/`
- Auth `GET /accounts/login|logout/`
+- Auth `GET /sv/accounts/login|logout/`
 ---
@@ -48,16 +48,19 @@ Nyckel-URLer (default):
 ### 4. Viktiga inställningar
 | Variabel | Default | Beskrivning |
 | --- | --- | --- |
-| `CLAIMS_ENABLE_INTERNAL_PAYMENTS` | `true` | Styr “Betala”-flödet. Kan också togglas i Django admin > Systeminställningar. |
+| `CLAIMS_ENABLE_INTERNAL_PAYMENTS` | `true` | Styr “Betala”-flödet. Aktiveras endast via miljövariabel. |
 | `CLAIMS_EMAIL_ENABLED` | `false` | Slår på e-postaviseringar. Låt vara `false` i testläge. |
 | `CLAIMS_EMAIL_FROM` | `no-reply@claims.local` | Avsändare för utskick. |
 | `CLAIMS_ADMIN_NOTIFICATION_EMAIL` | tom | Om satt skickas notifiering vid nytt claim (när e-post är aktiverad). |
 | `EMAIL_BACKEND` | `django.core.mail.backends.console.EmailBackend` | Byt till SMTP i prod (se nedan). |
 | `EMAIL_HOST`, `EMAIL_PORT`, `EMAIL_USE_TLS`, `EMAIL_HOST_USER`, `EMAIL_HOST_PASSWORD` | tom | Standard Django SMTP-inställningar. |
 | `CLAIMS_MAX_RECEIPT_BYTES` | `10485760` | Maxstorlek per kvitto (i byte), default 10 MB. |
 | `CLAIMS_ALLOWED_RECEIPT_EXTENSIONS` | `pdf,png,jpg,jpeg` | Tillåtna filändelser (kommaseparerade). |
 | `CLAIMS_ALLOWED_RECEIPT_CONTENT_TYPES` | `application/pdf,image/png,image/jpeg` | Tillåtna MIME-typer (kommaseparerade). |
 | `LANGUAGE_CODE` | `sv` | Standardspråk. |
 | `LOCALE_PATHS` | `BASE_DIR/locale` | Katalog för `.po/.mo`. |
-| `LOGIN_REDIRECT_URL` | `/claims/admin/` | Efter inloggning. |
+| `LOGIN_REDIRECT_URL` | `claims:admin-list` | Lazy reverse till `/[lang]/claims/admin/` efter inloggning. |
-| `LOGOUT_REDIRECT_URL` | `/accounts/login/` | Efter utloggning. |
+| `LOGOUT_REDIRECT_URL` | `login` | Lazy reverse till `/[lang]/accounts/login/` efter utloggning. |
 SMTP-exempel:
 ```env
@@ -76,7 +79,7 @@ EMAIL_HOST_PASSWORD=secret
 ### 5. Underhåll & verktyg
 - **Reset claims:** `uv run python manage.py reset_claims` (bekräfta med `ja` eller använd `--noinput`). Tar bort alla claims/loggar/kvitton men lämnar användarkonton.
- **Django admin:** `/admin/` används för projekt, grupper, superusers, SystemSetting mm. Staff-användare har automatiskt åtkomst.
+- **Django admin:** `/admin/` används för projekt, grupper och superusers. Staff-användare har automatiskt åtkomst.
 - **Testa konfiguration:** `uv run python manage.py check`.
 - **Språkreset:** Rensa cookies om språkväljaren inte byter språk (Django använder `django_language` cookien).
--- a/claims/admin.py
+++ b/claims/admin.py
@@ -1,11 +1,10 @@
 from django.conf import settings
 from django.contrib import admin
 from django.shortcuts import redirect
 from django.urls import path, reverse
 from django.utils import timezone
 from django.utils.html import format_html
-from .models import Claim, ClaimLog, Project, SystemSetting
+from .models import Claim, ClaimLog, Project
 class ClaimLogInline(admin.TabularInline):
@@ -20,7 +19,7 @@ class ClaimAdmin(admin.ModelAdmin):
    list_display = ("full_name", "amount", "currency", "project", "status", "paid", "created_at", "submitted_by")
    list_filter = ("status", "created_at", "project", "paid_at")
    search_fields = ("full_name", "email", "description")
-    base_readonly = ("created_at", "updated_at", "paid_at", "paid_by", "internal_payments_enabled", "reset_paid_button")
+    base_readonly = ("created_at", "updated_at", "paid_at", "paid_by", "reset_paid_button")
    readonly_fields = base_readonly
    inlines = [ClaimLogInline]
    actions = ("mark_as_paid", "mark_as_unpaid")
@@ -29,10 +28,6 @@ class ClaimAdmin(admin.ModelAdmin):
    def paid(self, obj):
        return obj.is_paid
    @admin.display(description="Intern betalningshantering på?")
    def internal_payments_enabled(self, obj):
        return SystemSetting.internal_payments_active()
    @admin.display(description="Återställ betalning")
    def reset_paid_button(self, obj):
        if not obj.is_paid:
@@ -115,17 +110,6 @@ class ClaimAdmin(admin.ModelAdmin):
        return self.base_readonly
@admin.register(SystemSetting)
 class SystemSettingAdmin(admin.ModelAdmin):
    list_display = ("internal_payments_enabled", "updated_at")
    list_display_links = ("updated_at",)
    list_editable = ("internal_payments_enabled",)
    actions = None
    def has_add_permission(self, request):
        return not SystemSetting.objects.exists()
@admin.register(ClaimLog)
 class ClaimLogAdmin(admin.ModelAdmin):
    list_display = ("claim", "action", "from_status", "to_status", "performed_by", "created_at")
--- a/claims/migrations/0007_delete_systemsetting_alter_claim_receipt.py
+++ b/claims/migrations/0007_delete_systemsetting_alter_claim_receipt.py
@@ -0,0 +1,22 @@
 # Generated by Django 5.2.8 on 2025-11-09 02:06
 import claims.validators
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ('claims', '0006_systemsetting'),
    ]
    operations = [
        migrations.DeleteModel(
            name='SystemSetting',
        ),
        migrations.AlterField(
            model_name='claim',
            name='receipt',
            field=models.FileField(blank=True, null=True, upload_to='receipts/', validators=[claims.validators.validate_receipt_file]),
        ),
    ]
--- a/claims/models.py
+++ b/claims/models.py
@@ -5,6 +5,8 @@ from django.core.files.storage import default_storage
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from .validators import validate_receipt_file
 class Project(models.Model):
    name = models.CharField(max_length=255)
@@ -51,7 +53,12 @@ class Claim(models.Model):
    )
    description = models.TextField(help_text=_("Describe what the reimbursement is for"))
    account_number = models.CharField(max_length=50)
-    receipt = models.FileField(upload_to="receipts/", blank=True, null=True)
+    receipt = models.FileField(
        upload_to="receipts/",
        blank=True,
        null=True,
        validators=[validate_receipt_file],
    )
    project = models.ForeignKey(
        Project,
        null=True,
@@ -141,23 +148,3 @@ class ClaimLog(models.Model):
    def __str__(self):
        return f"{self.get_action_display()} ({self.created_at:%Y-%m-%d %H:%M})"
 class SystemSetting(models.Model):
    internal_payments_enabled = models.BooleanField(default=True)
    updated_at = models.DateTimeField(auto_now=True)
    class Meta:
        verbose_name = "Systeminställning"
        verbose_name_plural = "Systeminställningar"
    def __str__(self):
        return "Systeminställningar"
    @classmethod
    def get_solo(cls):
        obj, _ = cls.objects.get_or_create(pk=1)
        return obj
    @classmethod
    def internal_payments_active(cls):
        return cls.get_solo().internal_payments_enabled
--- a/claims/tests.py
+++ b/claims/tests.py
@@ -1,3 +1,67 @@
-from django.test import TestCase
+from django.core.exceptions import ValidationError
 from django.core.files.uploadedfile import SimpleUploadedFile
 from django.test import TestCase, override_settings
-# Create your tests here.
+from .validators import validate_receipt_file
 from .views import SubmitClaimView
 class ReceiptValidatorTests(TestCase):
    def test_accepts_valid_pdf(self):
        file_obj = SimpleUploadedFile(
            "receipt.pdf",
            b"%PDF-1.4\nsample",
            content_type="application/pdf",
        )
        try:
            validate_receipt_file(file_obj)
        except ValidationError as exc:  # pragma: no cover - explicit failure message
            self.fail(f"Valid PDF rejected: {exc}")
    def test_rejects_disallowed_extension(self):
        file_obj = SimpleUploadedFile(
            "script.exe",
            b"MZ fake exe",
            content_type="application/octet-stream",
        )
        with self.assertRaises(ValidationError):
            validate_receipt_file(file_obj)
    @override_settings(CLAIMS_MAX_RECEIPT_BYTES=1024)
    def test_rejects_too_large_file(self):
        big_payload = b"%PDF-1.4\n" + b"a" * 2048
        file_obj = SimpleUploadedFile(
            "large.pdf",
            big_payload,
            content_type="application/pdf",
        )
        with self.assertRaises(ValidationError):
            validate_receipt_file(file_obj)
    def test_rejects_signature_mismatch(self):
        file_obj = SimpleUploadedFile(
            "fake.pdf",
            b"\x89PNG\r\n\x1a\nnot a pdf",
            content_type="application/pdf",
        )
        with self.assertRaises(ValidationError):
            validate_receipt_file(file_obj)
 class ClaimFormsetLimitTests(TestCase):
    def test_default_formset_has_single_row(self):
        view = SubmitClaimView()
        formset = view.build_formset(extra=1)
        self.assertEqual(formset.total_form_count(), 1)
    def test_cannot_submit_more_than_max_forms(self):
        view = SubmitClaimView()
        data = {
            "claim_lines-TOTAL_FORMS": "6",
            "claim_lines-INITIAL_FORMS": "0",
            "claim_lines-MIN_NUM_FORMS": "1",
            "claim_lines-MAX_NUM_FORMS": "5",
        }
        formset = view.build_formset(data=data)
        self.assertFalse(formset.is_valid())
        self.assertTrue(formset.non_form_errors())
--- a/claims/validators.py
+++ b/claims/validators.py
@@ -0,0 +1,115 @@
 import io
 from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.utils.translation import gettext_lazy as _
 DEFAULT_ALLOWED_EXTENSIONS = ("pdf", "png", "jpg", "jpeg")
 DEFAULT_ALLOWED_CONTENT_TYPES = ("application/pdf", "image/png", "image/jpeg")
 PDF_SIGNATURE = b"%PDF-"
 PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
 JPEG_PREFIX = b"\xff\xd8"
 def _peek(file_obj, length=8):
    """Read the first bytes of a file without consuming the stream."""
    stream = getattr(file_obj, "file", file_obj)
    if isinstance(stream, io.BytesIO):
        pos = stream.tell()
        stream.seek(0)
        data = stream.read(length)
        stream.seek(pos)
        return data
    try:
        pos = stream.tell()
    except (AttributeError, OSError):
        pos = None
    try:
        stream.seek(0)
        data = stream.read(length)
    finally:
        if pos is not None:
            stream.seek(pos)
        else:
            try:
                stream.seek(0)
            except (AttributeError, OSError):
                pass
    return data
 def _allowed_extensions():
    exts = getattr(settings, "CLAIMS_ALLOWED_RECEIPT_EXTENSIONS", DEFAULT_ALLOWED_EXTENSIONS)
    normalized = {ext.lower() for ext in exts}
    return normalized or set(DEFAULT_ALLOWED_EXTENSIONS)
 def _allowed_content_types():
    cts = getattr(settings, "CLAIMS_ALLOWED_RECEIPT_CONTENT_TYPES", DEFAULT_ALLOWED_CONTENT_TYPES)
    normalized = {ct.lower() for ct in cts}
    return normalized or set(DEFAULT_ALLOWED_CONTENT_TYPES)
 def _max_file_size():
    return int(getattr(settings, "CLAIMS_MAX_RECEIPT_BYTES", 10 * 1024 * 1024))
 def _extension(validated_file):
    name = validated_file.name or ""
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1].lower()
 def _signature_matches(ext, header):
    if not header:
        return False
    if ext == "pdf":
        return header.startswith(PDF_SIGNATURE)
    if ext == "png":
        return header.startswith(PNG_SIGNATURE)
    if ext in {"jpg", "jpeg"}:
        return header.startswith(JPEG_PREFIX)
    return False
 def validate_receipt_file(uploaded_file):
    """Ensure uploaded receipts comply with size/format requirements."""
    if not uploaded_file:
        return
    max_bytes = _max_file_size()
    if uploaded_file.size > max_bytes:
        max_mb = round(max_bytes / (1024 * 1024), 2)
        raise ValidationError(
            _("Kvitton får vara max %(size)s MB."),
            code="file_too_large",
            params={"size": max_mb},
        )
    ext = _extension(uploaded_file)
    extensions = _allowed_extensions()
    if ext not in extensions:
        raise ValidationError(
            _("Otillåtet filformat. Tillåtna format är %(formats)s."),
            code="invalid_extension",
            params={"formats": ", ".join(sorted(extensions))},
        )
    content_type = getattr(uploaded_file, "content_type", "")
    allowed_types = _allowed_content_types()
    if content_type and content_type.lower() not in allowed_types:
        raise ValidationError(
            _("Otillåten MIME-typ: %(type)s."),
            code="invalid_mime",
            params={"type": content_type},
        )
    header = _peek(uploaded_file, length=8)
    if not _signature_matches(ext, header):
        raise ValidationError(
            _("Filens innehåll matchar inte förväntat format."),
            code="invalid_signature",
        )
--- a/claims/views.py
+++ b/claims/views.py
@@ -20,7 +20,7 @@ from .forms import (
    UserPermissionForm,
 )
 from .email_utils import notify_admin_of_claim, send_claimant_confirmation_email
-from .models import Claim, ClaimLog, SystemSetting
+from .models import Claim, ClaimLog
 User = get_user_model()
@@ -31,17 +31,21 @@ class SubmitClaimView(View):
    def get_extra_forms(self):
        try:
-            count = int(self.request.GET.get("forms", 2))
+            count = int(self.request.GET.get("forms", 1))
        except (TypeError, ValueError):
-            count = 2
+            count = 1
        return max(1, min(count, self.max_extra_forms))
    def build_formset(self, *, data=None, files=None, extra=0):
        extra_forms = max(0, extra - 1)
        FormSet = formset_factory(
            ClaimLineForm,
-            extra=extra,
+            extra=extra_forms,
            min_num=1,
            max_num=self.max_extra_forms,
            absolute_max=self.max_extra_forms,
            validate_min=True,
            validate_max=True,
        )
        return FormSet(data=data, files=files, prefix="claim_lines")
@@ -154,7 +158,7 @@ class ClaimAdminListView(LoginRequiredMixin, PermissionRequiredMixin, ListView):
        context["status_choices"] = Claim.Status.choices
        context["decision_choices"] = ClaimDecisionForm().fields["action"].choices
        context["can_change"] = self.request.user.has_perm("claims.change_claim")
-        context["payments_enabled"] = SystemSetting.internal_payments_active()
+        context["payments_enabled"] = getattr(settings, "CLAIMS_ENABLE_INTERNAL_PAYMENTS", False)
        return context
    def post(self, request, *args, **kwargs):
@@ -202,7 +206,7 @@ class ClaimAdminListView(LoginRequiredMixin, PermissionRequiredMixin, ListView):
        return redirect(request.get_full_path())
    def _handle_payment(self, request):
-        if not SystemSetting.internal_payments_active():
+        if not getattr(settings, "CLAIMS_ENABLE_INTERNAL_PAYMENTS", False):
            messages.error(request, _("Betalningshantering är inte aktiverad."))
            return redirect(request.get_full_path())
        if not request.user.has_perm("claims.change_claim"):
--- a/claims_system/settings.py
+++ b/claims_system/settings.py
@@ -12,6 +12,7 @@ https://docs.djangoproject.com/en/5.2/ref/settings/
 import os
 from pathlib import Path
 from django.urls import reverse_lazy
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -130,8 +131,8 @@ STATIC_URL = 'static/'
 MEDIA_URL = '/media/'
 MEDIA_ROOT = BASE_DIR / 'media'
-LOGIN_REDIRECT_URL = '/claims/admin/'
+LOGIN_REDIRECT_URL = reverse_lazy('claims:admin-list')
-LOGOUT_REDIRECT_URL = '/accounts/login/'
+LOGOUT_REDIRECT_URL = reverse_lazy('login')
 os.environ.setdefault("CLAIMS_ENABLE_INTERNAL_PAYMENTS", "true")
 CLAIMS_ENABLE_INTERNAL_PAYMENTS = os.getenv("CLAIMS_ENABLE_INTERNAL_PAYMENTS", "true").lower() in {"1", "true", "yes"}
@@ -148,6 +149,18 @@ CLAIMS_EMAIL_ENABLED = os.getenv("CLAIMS_EMAIL_ENABLED", "false").lower() in {"1
 CLAIMS_EMAIL_FROM = os.getenv("CLAIMS_EMAIL_FROM", "no-reply@claims.local")
 CLAIMS_ADMIN_NOTIFICATION_EMAIL = os.getenv("CLAIMS_ADMIN_NOTIFICATION_EMAIL", "")
 CLAIMS_MAX_RECEIPT_BYTES = int(os.getenv("CLAIMS_MAX_RECEIPT_BYTES", str(10 * 1024 * 1024)))
 CLAIMS_ALLOWED_RECEIPT_EXTENSIONS = tuple(
    ext.strip().lower()
    for ext in os.getenv("CLAIMS_ALLOWED_RECEIPT_EXTENSIONS", "pdf,png,jpg,jpeg").split(",")
    if ext.strip()
 )
 CLAIMS_ALLOWED_RECEIPT_CONTENT_TYPES = tuple(
    ct.strip().lower()
    for ct in os.getenv("CLAIMS_ALLOWED_RECEIPT_CONTENT_TYPES", "application/pdf,image/png,image/jpeg").split(",")
    if ct.strip()
 )
 # Default primary key field type
 # https://docs.djangoproject.com/en/5.2/ref/settings/#default-auto-field
--- a/claims_system/urls.py
+++ b/claims_system/urls.py
@@ -16,17 +16,22 @@ Including another URLconf
 """
 from django.conf import settings
 from django.conf.urls.static import static
 from django.conf.urls.i18n import i18n_patterns
 from django.contrib import admin
 from django.urls import include, path
 from django.views.generic import RedirectView
 urlpatterns = [
    path('admin/', admin.site.urls),
    path('claims/', include('claims.urls')),
    path('accounts/', include('django.contrib.auth.urls')),
    path('i18n/', include('django.conf.urls.i18n')),
-    path('', RedirectView.as_view(pattern_name='claims:submit', permanent=False)),
+    path('', RedirectView.as_view(url=f'/{settings.LANGUAGE_CODE}/', permanent=False)),
 ]
 urlpatterns += i18n_patterns(
    path('admin/', admin.site.urls),
    path('accounts/', include('django.contrib.auth.urls')),
    path('claims/', include('claims.urls')),
    path('', RedirectView.as_view(pattern_name='claims:submit', permanent=False)),
 )
 if settings.DEBUG:
    urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)