Check that uploaded images are actually images

2025-07-11 04:19:25 +00:00 · 2025-04-08 17:21:30 +02:00
parent 13f417ba30
commit 376af35bfb
5 changed files with 59 additions and 13 deletions
--- a/sas/tests/test_api.py
+++ b/sas/tests/test_api.py
@ -266,3 +266,23 @@ def test_upload_picture(client: Client):
    assert picture.file.name == "SAS/test album/img.png"
    assert picture.compressed.name == ".compressed/SAS/test album/img.webp"
    assert picture.thumbnail.name == ".thumbnails/SAS/test album/img.webp"
+
+
+@pytest.mark.django_db
+def test_upload_invalid_picture(client: Client):
+    sas = SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)
+    album = baker.make(Album, is_in_sas=True, parent=sas, name="test album")
+    user = baker.make(User, is_superuser=True)
+    client.force_login(user)
+    file = SimpleUploadedFile(
+        name="file.txt",
+        content=b"azerty",
+        content_type="image/png",  # the server shouldn't blindly trust the content_type
+    )
+    res = client.post(
+        reverse("api:upload_picture"), {"album_id": album.id, "picture": file}
+    )
+    assert res.status_code == 422
+    assert res.json()["detail"][0]["ctx"]["error"] == (
+        "Ce fichier n'est pas une image valide"
+    )