|
15 | 15 | from odoo.tools.translate import _
|
16 | 16 | from werkzeug.exceptions import NotFound
|
17 | 17 |
|
| 18 | +DEFAULT_BLACKLIST_FILE_TYPE = ['text/html', 'text/javascript'] |
| 19 | + |
18 | 20 |
|
19 | 21 | class DiscussController(http.Controller):
|
20 | 22 |
|
@@ -237,6 +239,20 @@ def mail_message_update_content(self, message_id, body, attachment_ids, attachme
|
237 | 239 |
|
238 | 240 | @http.route('/mail/attachment/upload', methods=['POST'], type='http', auth='public')
|
239 | 241 | def mail_attachment_upload(self, ufile, thread_id, thread_model, is_pending=False, **kwargs):
|
| 242 | + # BEGIN OVERIDE |
| 243 | + blacklist_file_types = request.env['ir.config_parameter'].sudo().get_param( |
| 244 | + 'mail.blacklist_file_types', |
| 245 | + default=DEFAULT_BLACKLIST_FILE_TYPE) |
| 246 | + if isinstance(blacklist_file_types, str): |
| 247 | + blacklist_file_types = blacklist_file_types.split(',') |
| 248 | + # TODO: create a module if making pr for odoo not working |
| 249 | + if any(blacklist_type in ufile.mimetype for blacklist_type in blacklist_file_types): |
| 250 | + attachmentData = {'error': _("You are not allowed to upload attachment with extension %s here.", ufile.mimetype)} |
| 251 | + return request.make_response( |
| 252 | + data=json.dumps(attachmentData), |
| 253 | + headers=[('Content-Type', 'application/json')] |
| 254 | + ) |
| 255 | + # END OVERIDE |
240 | 256 | channel_partner = request.env['mail.channel.partner']
|
241 | 257 | if thread_model == 'mail.channel':
|
242 | 258 | channel_partner = request.env['mail.channel.partner']._get_as_sudo_from_request_or_raise(request=request, channel_id=int(thread_id))
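Review bot: The new check at lines 249-254 tests `ufile.mimetype`, which is the Content-Type the client declared in the multipart request rather than anything derived from the file's bytes, so a mislabelled upload passes the blocklist unchanged; a comment such as `# NOTE: ufile.mimetype is client-supplied; content-based detection happens later in ir.attachment` would at least make that limit explicit, and if a server-side guard is wanted it presumably belongs with ir.attachment's own mimetype computation (verify against the base module). The config-parameter branch at line 247 splits on `,` without stripping, so a value like `text/html, text/javascript` yields ` text/javascript`, which the substring test at line 249 never matches; use `blacklist_file_types = [t.strip() for t in blacklist_file_types.split(',') if t.strip()]`. The message at line 250 says "extension" but interpolates a MIME type; `_("You are not allowed to upload attachments of type %s here.", ufile.mimetype)` reads correctly. `json` is not among the imports visible in this hunk, and the `# BEGIN OVERIDE` / `# END OVERIDE` markers are misspelled (`OVERRIDE`). mail_attachment_upload's body continues past the end of this hunk.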
|
|