Merge branch 'django-cms:master' into master

Author: fsbraun

.github/workflows/publish-to-live-pypi.yml

@@ -9,12 +9,17 @@ jobs:
   build-n-publish:
     name: Build and publish Python 🐍 distributions 📦 to pypi
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/django-filer
+    permissions:
+      id-token: write
     steps:
-    - uses: actions/checkout@master
-    - name: Set up Python 3.9
-      uses: actions/setup-python@v1
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v4
       with:
-        python-version: 3.9
+        python-version: '3.12'
 
     - name: Install pypa/build
       run: >-
@@ -33,7 +38,4 @@ jobs:
 
     - name: Publish distribution 📦 to PyPI
       if: startsWith(github.ref, 'refs/tags')
-      uses: pypa/gh-action-pypi-publish@master
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_API_TOKEN }}
+      uses: pypa/gh-action-pypi-publish@release/v1

.github/workflows/publish-to-test-pypi.yml

@@ -9,12 +9,17 @@ jobs:
   build-n-publish:
     name: Build and publish Python 🐍 distributions 📦 to TestPyPI
     runs-on: ubuntu-latest
+    environment:
+      name: test
+      url: https://test.pypi.org/p/django-filer
+    permissions:
+      id-token: write
     steps:
-    - uses: actions/checkout@master
-    - name: Set up Python 3.9
-      uses: actions/setup-python@v1
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v4
       with:
-        python-version: 3.9
+        python-version: '3.12'
 
     - name: Install pypa/build
       run: >-
@@ -32,9 +37,7 @@ jobs:
         .
 
     - name: Publish distribution 📦 to Test PyPI
-      uses: pypa/gh-action-pypi-publish@master
+      uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        user: __token__
-        password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-        repository_url: https://test.pypi.org/legacy/
-        skip_existing: true
+        repository-url: https://test.pypi.org/legacy/
+        skip-existing: true

.pre-commit-config.yaml

@@ -31,7 +31,7 @@ repos:
       - id: yesqa
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: check-merge-conflict
       - id: mixed-line-ending

CHANGELOG.rst

@@ -2,11 +2,31 @@
 CHANGELOG
 =========
 
-unreleased
-==========
+3.1.1 (2023-11-18)
+==================
+
+* fix: Added compatibility code in aldryn_config go support setting THUMBNAIL_DEFAULT_STORAGE in django 4.2
+* fix: address failing gulp ci jobs
+* feat: Image dimensions update management command
+* ci: pre-commit autoupdate
+
+3.1.0 (2023-10-01)
+==================
 
+* feat: limit uploaded image area (width x height) to prevent decompression
+  bombs
+* feat: Canonical URL action button now copies canonical URL to the user's
+  clipboard
+* fix: Run validators on updated files in file change view
+* fix: Update mime type if uploading file in file change view
+* fix: Do not allow to remove the file field from an uplaoded file in
+  the admin interface
+* fix: refactor upload checks into running validators in the admin
+  and adding clean methods for file and (abstract) image models.
 * Fixed two more instances of javascript int overflow issue (#1335)
 * fix: ensure uniqueness of icon admin url names
+* fix: Crash with django-storage if filer file does not have a
+  storage file attached
 
 3.0.6 (2023-09-08)
 ==================

aldryn_config.py

@@ -47,7 +47,12 @@ def to_settings(self, data, settings):
         # If the DEFAULT_FILE_STORAGE has been set to a value known by
         # aldryn-django, then use that as THUMBNAIL_DEFAULT_STORAGE as well.
         for storage_backend in storage.SCHEMES.values():
-            if storage_backend == settings['DEFAULT_FILE_STORAGE']:
+            # Process before django 4.2
+            if storage_backend == settings.get('DEFAULT_FILE_STORAGE', None):
+                settings['THUMBNAIL_DEFAULT_STORAGE'] = storage_backend
+                break
+            # Process django 4.2 and after
+            if storage_backend == settings.get('STORAGES', {}).get('default', {}).get('BACKEND', None):
                 settings['THUMBNAIL_DEFAULT_STORAGE'] = storage_backend
                 break
         return settings

docs/settings.rst

@@ -178,6 +178,19 @@ Limits the maximal file size if set. Takes an integer (file size in MB).
 
 Defaults to ``None``.
 
+``FILER_MAX_IMAGE_PIXELS``
+--------------------------------
+
+Limits the maximal pixel size of the image that can be uploaded to the Filer.
+It will also be lower than or equals to the MAX_IMAGE_PIXELS that Pillow's PIL allows.
+
+
+``MAX_IMAGE_PIXELS = int(1024 * 1024 * 1024 // 4 // 3)``
+
+Defaults to ``MAX_IMAGE_PIXELS``. But when set, should always be lower than the MAX_IMAGE_PIXELS limit set by Pillow.
+
+This is useful setting to prevent decompression bomb DOS attack.
+
 
 ``FILER_ADD_FILE_VALIDATORS``
 -----------------------------

filer/__init__.py

@@ -13,4 +13,4 @@
  8. Publish the release and it will automatically release to pypi
 """
 
-__version__ = '3.0.6'
+__version__ = '3.1.1'

filer/admin/clipboardadmin.py

@@ -1,4 +1,5 @@
 from django.contrib import admin, messages
+from django.core.exceptions import ValidationError
 from django.forms.models import modelform_factory
 from django.http import JsonResponse
 from django.urls import path
@@ -9,7 +10,7 @@
 from ..models import Clipboard, ClipboardItem, Folder
 from ..utils.files import handle_request_files_upload, handle_upload
 from ..utils.loader import load_model
-from ..validation import FileValidationError, validate_upload
+from ..validation import validate_upload
 from . import views
 
 
@@ -112,48 +113,53 @@ def ajax_upload(request, folder_id=None):
             break
     uploadform = FileForm({'original_filename': filename, 'owner': request.user.pk},
                           {'file': upload})
+    uploadform.request = request
     uploadform.instance.mime_type = mime_type
     if uploadform.is_valid():
         try:
             validate_upload(filename, upload, request.user, mime_type)
-        except FileValidationError as error:
-            from django.contrib.messages import ERROR, add_message
-            message = str(error)
-            add_message(request, ERROR, message)
-            return JsonResponse({'error': message})
-        file_obj = uploadform.save(commit=False)
-        # Enforce the FILER_IS_PUBLIC_DEFAULT
-        file_obj.is_public = filer_settings.FILER_IS_PUBLIC_DEFAULT
+            file_obj = uploadform.save(commit=False)
+            # Enforce the FILER_IS_PUBLIC_DEFAULT
+            file_obj.is_public = filer_settings.FILER_IS_PUBLIC_DEFAULT
+        except ValidationError as error:
+            messages.error(request, str(error))
+            return JsonResponse({'error': str(error)})
         file_obj.folder = folder
         file_obj.save()
         # TODO: Deprecated/refactor
         # clipboard_item = ClipboardItem(
         #     clipboard=clipboard, file=file_obj)
         # clipboard_item.save()
 
-        thumbnail = None
-        data = {
-            'thumbnail': thumbnail,
-            'alt_text': '',
-            'label': str(file_obj),
-            'file_id': file_obj.pk,
-        }
-        # prepare preview thumbnail
-        if isinstance(file_obj, Image):
-            thumbnail_180_options = {
-                'size': (180, 180),
-                'crop': True,
-                'upscale': True,
+        try:
+            thumbnail = None
+            data = {
+                'thumbnail': thumbnail,
+                'alt_text': '',
+                'label': str(file_obj),
+                'file_id': file_obj.pk,
             }
-            thumbnail_180 = file_obj.file.get_thumbnail(
-                thumbnail_180_options)
-            data['thumbnail_180'] = thumbnail_180.url
-            data['original_image'] = file_obj.url
-        return JsonResponse(data)
+            # prepare preview thumbnail
+            if isinstance(file_obj, Image):
+                thumbnail_180_options = {
+                    'size': (180, 180),
+                    'crop': True,
+                    'upscale': True,
+                }
+                thumbnail_180 = file_obj.file.get_thumbnail(
+                    thumbnail_180_options)
+                data['thumbnail_180'] = thumbnail_180.url
+                data['original_image'] = file_obj.url
+            return JsonResponse(data)
+        except Exception as error:
+            messages.error(request, str(error))
+            return JsonResponse({"error": str(error)})
     else:
-        form_errors = '; '.join(['{}: {}'.format(
-            field,
-            ', '.join(errors)) for field, errors in list(
-                uploadform.errors.items())
+        for key, error_list in uploadform.errors.items():
+            for error in error_list:
+                messages.error(request, error)
+
+        form_errors = '; '.join(['{}'.format(
+            ', '.join(errors)) for errors in list(uploadform.errors.values())
         ])
-        return JsonResponse({'message': str(form_errors)}, status=422)
+        return JsonResponse({'error': str(form_errors)}, status=200)

filer/admin/fileadmin.py

@@ -1,3 +1,5 @@
+import mimetypes
+
 from django import forms
 from django.contrib.admin.utils import unquote
 from django.contrib.staticfiles.storage import staticfiles_storage
@@ -8,6 +10,7 @@
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
 
+from easy_thumbnails.engine import NoSourceGenerator
 from easy_thumbnails.exceptions import InvalidImageFormatError
 from easy_thumbnails.files import get_thumbnailer
 from easy_thumbnails.models import Thumbnail as EasyThumbnail
@@ -25,6 +28,27 @@ class Meta:
         model = File
         exclude = ()
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields["file"].widget = forms.FileInput()
+
+    def clean(self):
+        from ..validation import validate_upload
+        cleaned_data = super().clean()
+        if "file" in self.changed_data and cleaned_data["file"]:
+            mime_type = mimetypes.guess_type(cleaned_data["file"].name)[0] or 'application/octet-stream'
+            file = cleaned_data["file"]
+            file.open("w+")  # Allow for sanitizing upload
+            file.seek(0)
+            validate_upload(
+                file_name=cleaned_data["file"].name,
+                file=file.file,
+                owner=cleaned_data["owner"],
+                mime_type=mime_type,
+            )
+            file.open("r")
+        return self.cleaned_data
+
 
 class FileAdmin(PrimitivePermissionAwareModelAdmin):
     list_display = ('label',)
@@ -185,7 +209,7 @@ def icon_view(self, request, file_id: int, size: int) -> HttpResponse:
             # Touch thumbnail to allow it to be prefetched for directory listing
             EasyThumbnail.objects.filter(name=thumbnail.name).update(modified=now())
             return HttpResponseRedirect(thumbnail.url)
-        except InvalidImageFormatError:
+        except (InvalidImageFormatError, NoSourceGenerator):
             return HttpResponseRedirect(staticfiles_storage.url('filer/icons/file-missing.svg'))
 
 

filer/admin/imageadmin.py

@@ -1,18 +1,20 @@
 from django import forms
+from django.shortcuts import get_object_or_404, render
+from django.urls import path
 from django.utils.translation import gettext as _
 from django.utils.translation import gettext_lazy
 
 from ..settings import FILER_IMAGE_MODEL
 from ..thumbnail_processors import normalize_subject_location
 from ..utils.compatibility import string_concat
 from ..utils.loader import load_model
-from .fileadmin import FileAdmin
+from .fileadmin import FileAdmin, FileAdminChangeFrom
 
 
 Image = load_model(FILER_IMAGE_MODEL)
 
 
-class ImageAdminForm(forms.ModelForm):
+class ImageAdminForm(FileAdminChangeFrom):
     subject_location = forms.CharField(
         max_length=64, required=False,
         label=_('Subject location'),
@@ -58,8 +60,8 @@ def clean_subject_location(self):
             err_code = 'invalid_subject_format'
 
         elif (
-            coordinates[0] > self.instance.width
-            or coordinates[1] > self.instance.height
+            coordinates[0] > self.instance.width > 0
+            or coordinates[1] > self.instance.height > 0
         ):
             err_msg = gettext_lazy(
                 'Subject location is outside of the image. ')
@@ -80,19 +82,24 @@ class Meta:
         model = Image
         exclude = ()
 
-    class Media:
-        css = {
-            # 'all': (settings.MEDIA_URL + 'filer/css/focal_point.css',)
-        }
-        js = (
-
-        )
-
 
 class ImageAdmin(FileAdmin):
     change_form_template = 'admin/filer/image/change_form.html'
     form = ImageAdminForm
 
+    def get_urls(self):
+        return super().get_urls() + [
+            path("expand/<int:file_id>",
+                 self.admin_site.admin_view(self.expand_view),
+                 name=f"filer_{self.model._meta.model_name}_expand_view")
+        ]
+
+    def expand_view(self, request, file_id):
+        image = get_object_or_404(self.model, pk=file_id)
+        return render(request, "admin/filer/image/expand.html", context={
+            "original_url": image.url
+        })
+
 
 if FILER_IMAGE_MODEL == 'filer.Image':
     extra_main_fields = ('author', 'default_alt_text', 'default_caption',)