From 98f2848dc4618e8f5373bcdf2b85dac3ee28db0c Mon Sep 17 00:00:00 2001
From: Filipp Lepalaan
Date: Sat, 5 Dec 2015 14:27:15 +0200
Subject: Only accept HTML order templates
---
servo/forms/admin.py | 9 +++++++++
servo/lib/utils.py | 5 +++++
2 files changed, 14 insertions(+) (limited to 'servo')
diff --git a/servo/forms/admin.py b/servo/forms/admin.py
index 5118fc0..e69c12e 100644
--- a/servo/forms/admin.py
+++ b/servo/forms/admin.py
@@ -164,6 +164,15 @@ class QueueForm(BaseModelForm):
 self.fields['status_dispatched'].queryset = queryset
 self.fields['status_closed'].queryset = queryset
+ def clean_order_template(self):
+ from servo.lib.utils import file_type
+ tpl = self.cleaned_data.get('order_template')
+ ftype = file_type(tpl.file.read())
+ if ftype != 'text/html':
+ raise forms.ValidationError(_('Print tempates must be in HTML format'))
+
+ return tpl
+
 class StatusForm(BaseModelForm):
 class Meta:
diff --git a/servo/lib/utils.py b/servo/lib/utils.py
index 6644a7e..2994fb3 100644
--- a/servo/lib/utils.py
+++ b/servo/lib/utils.py
@@ -8,6 +8,11 @@ from django.core.serializers.json import DjangoJSONEncoder
 from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger
+def file_type(buf):
+ import magic
+ return magic.from_buffer(buf, mime=True)
+
+
 def paginate(queryset, page, count=10):
 """
 Shortcut for paginating a queryset
-- cgit v1.2.3
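Review bot: `clean_order_template` dereferences `tpl.file` without checking that a file is present, so if `order_template` is optional or is being cleared (the model field is not visible in this hunk) the form fails with an AttributeError instead of a validation result; a guard such as `if not tpl: return tpl` before the `file_type(...)` call would cover that. The check also reads the entire upload into memory via `tpl.file.read()`; sniffing a bounded prefix, e.g. `head = tpl.read(2048)` followed by `tpl.seek(0)`, should be enough for libmagic and leaves the stream rewound for the later save. A `text/html` result is a content-sniffing heuristic, not a sanitisation step: it presumably rejects non-HTML uploads but says nothing about what markup or template code the file contains, so whoever may upload templates still has to be treated as trusted. The user-facing message also has a typo (`tempates`).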
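Review bot: `file_type` is added without a docstring and imports `magic` inside the function body, so a missing or incompatible binding only surfaces when the first template is uploaded. The diffstat lists only the two `.py` files, so unless the dependency is already declared elsewhere it should be added to the project's requirements; more than one PyPI distribution installs a module named `magic`, and `from_buffer(buf, mime=True)` is the python-magic API, so the requirement should name that package. A one-line docstring such as `"""Return the MIME type libmagic detects for the bytes in buf."""` would also record that the result is a content sniff of caller-supplied bytes rather than a trusted type.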