Use randomized filenames

parent a1ee738b
...@@ -16,6 +16,7 @@ from django.db import models ...@@ -16,6 +16,7 @@ from django.db import models
from django.db.models import Q from django.db.models import Q
from django.urls import reverse from django.urls import reverse
from django.utils import timezone from django.utils import timezone
from django.utils.crypto import get_random_string
from django.utils.translation import pgettext_lazy, gettext_lazy as _ from django.utils.translation import pgettext_lazy, gettext_lazy as _
from activemembers.models import MemberGroup, MemberGroupMembership from activemembers.models import MemberGroup, MemberGroupMembership
...@@ -191,8 +192,20 @@ class Member(User): ...@@ -191,8 +192,20 @@ class Member(User):
return reverse('members:profile', args=[str(self.pk)]) return reverse('members:profile', args=[str(self.pk)])
def _profile_image_path(instance, filename): def _profile_image_path(_instance, _filename):
return f'public/avatars/{instance.pk}' """
Sets the upload path for profile images.
Makes sure that it's hard to enumerate profile images.
Also makes sure any user-picked filenames don't survive
>>> _profile_image_path(None, "bla.jpg")
public/avatars/...
>>> "swearword" in _profile_image_path(None, "swearword.jpg")
False
"""
return f'public/avatars/{get_random_string(length=16)}'
class Profile(models.Model): class Profile(models.Model):
...@@ -495,7 +508,7 @@ class Profile(models.Model): ...@@ -495,7 +508,7 @@ class Profile(models.Model):
# Create new filename to store compressed image # Create new filename to store compressed image
image_name, _ext = os.path.splitext(original_image_name) image_name, _ext = os.path.splitext(original_image_name)
image_name = storage.generate_filename(f"{image_name}.jpg") image_name = storage.get_available_name(f"{image_name}.jpg")
with storage.open(image_name, 'wb') as new_image_file: with storage.open(image_name, 'wb') as new_image_file:
image.convert("RGB").save(new_image_file, "JPEG") image.convert("RGB").save(new_image_file, "JPEG")
self.photo.name = image_name self.photo.name = image_name
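Review bot: The first doctest in `_profile_image_path` cannot pass as written. The call returns a string, so the interpreter echoes its repr with quotes, and `...` only acts as a wildcard when ELLIPSIS is enabled, which the `DocTestSuite(models)` call on this page does not do. Assert on the result instead, `>>> _profile_image_path(None, "bla.jpg").startswith('public/avatars/')` with expected output `True`, or quote the expected value and add `# doctest: +ELLIPSIS`. Separately, the random name only applies to uploads made after this change. Avatars already stored as `public/avatars/<pk>` stay guessable unless they are renamed elsewhere, which this page does not show.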
......
from datetime import datetime from datetime import datetime
import doctest
from django.test import TestCase from django.test import TestCase
from django.utils import timezone from django.utils import timezone
from members import models
from members.models import (Profile, Member) from members.models import (Profile, Member)
def load_tests(loader, tests, ignore):
"""Load doctests"""
tests.addTests(doctest.DocTestSuite(models))
class MemberBirthdayTest(TestCase): class MemberBirthdayTest(TestCase):
fixtures = ['members.json'] fixtures = ['members.json']
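Review bot: `load_tests` as shown never returns the suite. The unittest `load_tests` protocol uses the function's return value as the module's tests, so the loader gets `None` here instead of the suite with the doctests added. Add `return tests` after the `addTests` call, unless that line was lost in the page rendering. If the doctests keep `...` in their expected output, also pass `optionflags=doctest.ELLIPSIS` to `DocTestSuite`.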
......