[IMP] mail: control file type to upload (#1)

* [IMP] mail: control file type to upload

-Before this commit: user can upload any file type they want, problem is
someone might upload virus file like html one which contain toxic code
-After this commit: provide a way to config which file types is
blacklist (can't be uploaded) by using system parameter call
"mail.blacklist_file_types"

* Update addons/mail/controllers/discuss.py

---------

Co-authored-by: Roy Le <[email protected]>

Author: ndd-odoo

addons/mail/controllers/discuss.py

@@ -15,6 +15,8 @@
 from odoo.tools.translate import _
 from werkzeug.exceptions import NotFound
 
+DEFAULT_BLACKLIST_FILE_TYPE = ['text/html', 'text/javascript']
+
 
 class DiscussController(http.Controller):
 
@@ -237,6 +239,20 @@ def mail_message_update_content(self, message_id, body, attachment_ids, attachme
 
     @http.route('/mail/attachment/upload', methods=['POST'], type='http', auth='public')
     def mail_attachment_upload(self, ufile, thread_id, thread_model, is_pending=False, **kwargs):
+        # BEGIN OVERIDE
+        blacklist_file_types = request.env['ir.config_parameter'].sudo().get_param(
+            'mail.blacklist_file_types',
+            default=DEFAULT_BLACKLIST_FILE_TYPE)
+        if isinstance(blacklist_file_types, str):
+            blacklist_file_types = blacklist_file_types.split(',')
+        # TODO: create a module if making pr for odoo not working
+        if any(blacklist_type in ufile.mimetype for blacklist_type in blacklist_file_types):
+            attachmentData = {'error': _("You are not allowed to upload attachment with extension %s here.", ufile.mimetype)}
+            return request.make_response(
+                data=json.dumps(attachmentData),
+                headers=[('Content-Type', 'application/json')]
+            )
+        # END OVERIDE
         channel_partner = request.env['mail.channel.partner']
         if thread_model == 'mail.channel':
             channel_partner = request.env['mail.channel.partner']._get_as_sudo_from_request_or_raise(request=request, channel_id=int(thread_id))

addons/mail/i18n/mail.pot

@@ -7557,6 +7557,12 @@ msgstr ""
 msgid "You are not allowed to upload an attachment here."
 msgstr ""
 
+#. module: mail
+#: code:addons/mail/controllers/discuss.py:0
+#, python-format
+msgid "You are not allowed to upload attachment with extension %s here."
+msgstr ""
+
 #. module: mail
 #. openerp-web
 #: code:addons/mail/static/src/models/discuss_sidebar_category_item/discuss_sidebar_category_item.js:0

addons/mail/i18n/vi.po

@@ -7887,6 +7887,12 @@ msgstr "Bạn đang ở kênh <b>#%s</b>."
 msgid "You are not allowed to upload an attachment here."
 msgstr "Bạn không có quyền tải lên file đính kèm ở đây."
 
+#. module: mail
+#: code:addons/mail/controllers/discuss.py:0
+#, python-format
+msgid "You are not allowed to upload attachment with extension %s here."
+msgstr "Bạn không có quyền tải lên file đính kèm có đuôi mở rộng loại %s ở đây."
+
 #. module: mail
 #. openerp-web
 #: code:addons/mail/static/src/models/discuss_sidebar_category_item/discuss_sidebar_category_item.js:0