Merge branch 'master' into fix/user-model-searchfield

fsbraun · web-flow · commit 09f75f776f24 · 2025-03-04T22:21:00.000+01:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -21,7 +21,7 @@ repos:
 #        args: [--target-version, "2.2"]
 
   - repo: https://github.com/PyCQA/flake8
-    rev: 7.1.1
+    rev: 7.1.2
     hooks:
       - id: flake8
 
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,6 +2,25 @@
 CHANGELOG
 =========
 
+3.3.1 (2024-12-07)
+==================
+
+* fix: editing buttons missing in admin when file present by @pajowu in https://github.com/django-cms/django-filer/pull/1511
+* fix: incompatibility with djangocms-versioning-filer 1.3 was fixed by @fscherf in https://github.com/django-cms/django-filer/pull/1509
+
+**New Contributors**
+
+* @pajowu made their first contribution in https://github.com/django-cms/django-filer/pull/1511
+* @fscherf made their first contribution in https://github.com/django-cms/django-filer/pull/1509
+
+3.3.0 (2024-11-19)
+==================
+
+* fix: Restrict upload of binary or unknown file types by default by @fsbraun in https://github.com/django-cms/django-filer/pull/1507
+* fix: remove extra brace in generated HTML of data-max-filesize attribute by @fabien-michel in https://github.com/django-cms/django-filer/pull/1502
+* fix: uploadButton data-max-filesize attribute is not passed to file-uploader by @fabien-michel in https://github.com/django-cms/django-filer/pull/1503
+* docs: Update for on_delete requirement in Filer fields
+
 3.2.3 (2024-09-18)
 ==================
 
diff --git a/README.rst b/README.rst
@@ -49,26 +49,6 @@ Documentation
 Please head over to the separate `documentation <https://django-filer.readthedocs.io/en/latest/index.html>`_
 for all the details on how to install, configure and use django-filer.
 
-Upgrading
-=========
-
-Version 3.3
------------
-
-django-filer version 3 contains a change in security policy for file uploads.
-**By default, binary file or files of unknown type are not allowed to be uploaded.**
-To allow upload of binary files in your project, add
-
-.. code-block:: python
-
-    FILER_REMOVE_FILE_VALIDATORS = [
-        "application/octet-stream",
-    ]
-
-to your project's settings. Be aware that binary files always are a security risk.
-See the documentation for more information on how to configure file upload validators,
-e.g., running files through a virus checker.
-
 
 .. |pypi| image:: https://badge.fury.io/py/django-filer.svg
     :target: http://badge.fury.io/py/django-filer
diff --git a/docs/upgrading.rst b/docs/upgrading.rst
@@ -7,6 +7,25 @@ Usually upgrade procedure is straightforward: update the package and run migrati
 require special attention from the developer and here we provide upgrade instructions for such cases.
 
 
+from 3.x to 3.3
+---------------
+
+django-filer version 3.3 contains a change in security policy for file uploads.
+**By default, binary file or files of unknown type are not allowed to be uploaded.**
+To allow upload of binary files in your project, add
+
+.. code-block:: python
+
+    FILER_REMOVE_FILE_VALIDATORS = [
+        "application/octet-stream",
+    ]
+
+to your project's settings. Be aware that binary files always are a security risk.
+See :ref:`check_virus` for more information on how to configure file upload validators,
+e.g., running files through a virus checker.
+
+
+
 from 2.x to 3.0
 ---------------
 
diff --git a/docs/usage.rst b/docs/usage.rst
@@ -42,9 +42,11 @@ Simple example ``models.py``::
     class Company(models.Model):
         name = models.CharField(max_length=255)
         logo = FilerImageField(null=True, blank=True,
-                               related_name="logo_company")
+                             related_name="logo_company",
+                             on_delete=models.SET_NULL)
         disclaimer = FilerFileField(null=True, blank=True,
-                                    related_name="disclaimer_company")
+                                  related_name="disclaimer_company",
+                                  on_delete=models.SET_NULL)
 
 multiple file fields on the same model::
 
@@ -53,12 +55,21 @@ multiple file fields on the same model::
 
     class Book(models.Model):
         title = models.CharField(max_length=255)
-        cover = FilerImageField(related_name="book_covers")
-        back = FilerImageField(related_name="book_backs")
+        cover = FilerImageField(related_name="book_covers",
+                              on_delete=models.CASCADE)
+        back = FilerImageField(related_name="book_backs",
+                             on_delete=models.CASCADE)
 
-As with `django.db.models.ForeignKey`_ in general, you have to define a
-non-clashing ``related_name`` if there are multiple ``ForeignKey`` s to the
-same model.
+As with `django.db.models.ForeignKey`_ in general:
+
+* You must specify an ``on_delete`` parameter to define what happens when the referenced file is deleted
+* You have to define a non-clashing ``related_name`` if there are multiple ``ForeignKey`` s to the same model
+
+Common ``on_delete`` options:
+
+* ``models.CASCADE`` - Delete the model containing the FilerFileField when the referenced file is deleted
+* ``models.SET_NULL`` - Set the reference to NULL when the file is deleted (requires ``null=True``)
+* ``models.PROTECT`` - Prevent deletion of the referenced file
 
 templates
 .........
diff --git a/docs/validation.rst b/docs/validation.rst
@@ -264,6 +264,8 @@ If you distinguish validation by the mime type, remember to register the
 validator function for all relevant mime types.
 
 
+.. _check_virus:
+
 Checking uploads for viruses using ClamAV
 -----------------------------------------
 
diff --git a/filer/__init__.py b/filer/__init__.py
@@ -13,4 +13,4 @@
  8. Publish the release and it will automatically release to pypi
 """
 
-__version__ = '3.2.3'
+__version__ = '3.3.1'
diff --git a/filer/admin/fileadmin.py b/filer/admin/fileadmin.py
@@ -35,7 +35,8 @@ class Meta:
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
-        self.fields["file"].widget = forms.FileInput()
+        if "file" in self.fields:
+            self.fields["file"].widget = forms.FileInput()
 
     def clean(self):
         from ..validation import validate_upload
diff --git a/filer/templates/admin/filer/widgets/admin_file.html b/filer/templates/admin/filer/widgets/admin_file.html
@@ -26,7 +26,7 @@
         <span class="filerFile js-file-selector">
             {% if object %}
                 {% if object.file.exists %}
-                    <a href="{{ object.url }}" target="_blank">{% file_icon object detail="table" %}</a>
+                    <a href="{{ object.url }}" target="_blank">{% file_icon object detail="thumbnail" %}</a>
                     &nbsp;<span class="description_text">{{ object.label }}</span>
                 {% else %}
                     {% file_icon object %}
diff --git a/filer/utils/files.py b/filer/utils/files.py
@@ -1,5 +1,6 @@
 import mimetypes
 import os
+import uuid
 
 from django.http.multipartparser import ChunkIter, SkipFile, StopFutureHandlers, StopUpload, exhaust
 from django.template.defaultfilters import slugify as slugify_django
@@ -121,6 +122,33 @@ def slugify(string):
     return slugify_django(force_str(string))
 
 
+def _ensure_safe_length(filename, max_length=155, random_suffix_length=16):
+    """
+    Ensures that the filename does not exceed the maximum allowed length.
+    If it does, the function truncates the filename and appends a random hexadecimal
+    suffix of length `random_suffix_length` to ensure uniqueness and compliance with
+    database constraints - even after markers for a thumbnail are added.
+
+    Parameters:
+        filename (str): The filename to check.
+        max_length (int): The maximum allowed length for the filename.
+        random_suffix_length (int): The length of the random suffix to append.
+
+    Returns:
+        str: The safe filename.
+
+
+    Reference issue: https://github.com/django-cms/django-filer/issues/1270
+    """
+
+    if len(filename) <= max_length:
+        return filename
+
+    keep_length = max_length - random_suffix_length
+    random_suffix = uuid.uuid4().hex[:random_suffix_length]
+    return filename[:keep_length] + random_suffix
+
+
 def get_valid_filename(s):
     """
     like the regular get_valid_filename, but also slugifies away
@@ -131,6 +159,9 @@ def get_valid_filename(s):
     filename = slugify(filename)
     ext = slugify(ext)
     if ext:
-        return "{}.{}".format(filename, ext)
+        valid_filename = "{}.{}".format(filename, ext)
     else:
-        return "{}".format(filename)
+        valid_filename = "{}".format(filename)
+
+    # Ensure the filename meets the maximum length requirements.
+    return _ensure_safe_length(valid_filename)
diff --git a/tests/test_files.py b/tests/test_files.py
@@ -0,0 +1,113 @@
+import string
+
+from django.test import TestCase
+from filer.utils.files import get_valid_filename
+
+
+class GetValidFilenameTest(TestCase):
+
+    def setUp(self):
+        """
+        Set up the test case by reading the configuration settings for the maximum filename length.
+        """
+        self.max_length = 155
+        self.random_suffix_length = 16
+
+    def test_short_filename_remains_unchanged(self):
+        """
+        Test that a filename under the maximum length remains unchanged.
+        """
+        original = "example.jpg"
+        result = get_valid_filename(original)
+        self.assertEqual(result, "example.jpg")
+
+    def test_long_filename_is_truncated_and_suffix_appended(self):
+        """
+        Test that a filename longer than the maximum allowed length is truncated and a random
+        hexadecimal suffix of length 16 is appended, resulting in exactly 255 characters.
+        """
+        base = "a" * 300  # 300 characters base
+        original = f"{base}.jpg"
+        result = get_valid_filename(original)
+        self.assertEqual(
+            len(result),
+            self.max_length,
+            "Filename length should be exactly 255 characters."
+        )
+        # Verify that the last 16 characters form a valid hexadecimal string.
+        random_suffix = result[-16:]
+        valid_hex_chars = set(string.hexdigits)
+        self.assertTrue(all(c in valid_hex_chars for c in random_suffix),
+                        "The suffix is not a valid hexadecimal string.")
+
+    def test_filename_with_extension_preserved(self):
+        """
+        Test that the file extension is preserved (and slugified) after processing.
+        """
+        original = "This is a test IMAGE.JPG"
+        result = get_valid_filename(original)
+        self.assertTrue(result.endswith(".jpg"),
+                        "File extension was not preserved correctly.")
+
+    def test_unicode_characters(self):
+        """
+        Test that filenames with Unicode characters are handled correctly.
+        """
+        original = "fiłęñâmé_üñîçødé.jpeg"
+        result = get_valid_filename(original)
+        self.assertTrue(result.endswith(".jpeg"),
+                        "File extension is not preserved for unicode filename.")
+        # Verify that the resulting filename contains only allowed characters.
+        allowed_chars = set(string.ascii_lowercase + string.digits + "._-")
+        for char in result:
+            self.assertIn(char, allowed_chars,
+                          f"Unexpected character '{char}' found in filename.")
+
+    def test_edge_case_exact_length(self):
+        """
+        Test that a filename exactly at the maximum allowed length remains unchanged.
+        """
+        extension = ".png"
+        base_length = 155 - len(extension)
+        base = "b" * base_length
+        original = f"{base}{extension}"
+        result = get_valid_filename(original)
+        self.assertEqual(
+            len(result),
+            self.max_length,
+            "Filename with length exactly 255 should remain unchanged."
+        )
+        self.assertEqual(result, original,
+                         "Filename with length exactly 255 should not be modified.")
+
+    def test_edge_case_filenames(self):
+        """
+        Test filenames at various boundary conditions to ensure correct behavior.
+        """
+        max_length = self.max_length
+        random_suffix_length = self.random_suffix_length
+        extension = ".jpg"
+
+        # Test case 1: Filename with length exactly max_length - 1.
+        base_length = max_length - 1 - len(extension)
+        base = "c" * base_length
+        original = f"{base}{extension}"
+        result = get_valid_filename(original)
+        self.assertEqual(result, original,
+                         "Filename with length max_length-1 should remain unchanged.")
+
+        # Test case 2: Filename with length exactly equal to max_length - random_suffix_length.
+        base_length = max_length - random_suffix_length - len(extension)
+        base = "d" * base_length
+        original = f"{base}{extension}"
+        result = get_valid_filename(original)
+        self.assertEqual(result, original,
+                         "Filename with length equal to max_length - random_suffix_length should remain unchanged.")
+
+        # Test case 3: Filename with length exactly equal to max_length - random_suffix_length - 1.
+        base_length = max_length - random_suffix_length - 1 - len(extension)
+        base = "e" * base_length
+        original = f"{base}{extension}"
+        result = get_valid_filename(original)
+        self.assertEqual(result, original,
+                         "Filename with length equal to max_length - random_suffix_length - 1 should remain unchanged.")
