feat: added allowed files extensions configuration, applied to file upload in admin and data access pages #4449

Author: ymarcon

mica-core/src/main/resources/config/application.yml

@@ -27,7 +27,11 @@ metrics:
 cache:
     timeToLiveSeconds: 3600
 
-portal.draftResource.urlPattern: "{portalUrl}/mica/{resourceType}/{resourceId}/draft/{shareKey}"
+portal:
+  draftResource:
+    urlPattern: "{portalUrl}/mica/{resourceType}/{resourceId}/draft/{shareKey}"
+  files:
+    extensions: .xls,.xlsx,.ods,.doc,.docx,.odt,.ppt,.pptx,.odp,.xml,.yaml,.yml,.jpg,.jpeg,.png,.pdf,.txt,.csv,.tsv,.sav,.sas7bdat,.sas7bcat,.por,.gz,.bz2,.xz,.zip
 
 #
 # Plugins

mica-rest/src/main/java/org/obiba/mica/file/rest/TempFilesResource.java

@@ -12,38 +12,47 @@
 
 import java.io.IOException;
 import java.net.URI;
+import java.util.List;
+import java.util.Spliterators;
+import java.util.stream.Collectors;
 
 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
+import javax.ws.rs.*;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 
+import com.google.common.base.Splitter;
+import org.apache.commons.compress.utils.Lists;
 import org.apache.commons.fileupload.FileItem;
 import org.apache.commons.fileupload.FileItemFactory;
 import org.apache.commons.fileupload.FileUploadException;
 import org.apache.commons.fileupload.disk.DiskFileItemFactory;
 import org.apache.commons.fileupload.servlet.ServletFileUpload;
+import org.apache.commons.io.StreamIterator;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.obiba.mica.file.TempFile;
 import org.obiba.mica.file.service.TempFileService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.ApplicationContext;
 
 import com.codahale.metrics.annotation.Timed;
+import org.springframework.stereotype.Component;
 
+@Component
 @Path("/files/temp")
 @RequiresPermissions({ "/files:UPLOAD" })
 public class TempFilesResource {
 
   private static final Logger log = LoggerFactory.getLogger(TempFilesResource.class);
 
+  @Value("${portal.files.extensions}")
+  private String filesExtensions;
+
   @Inject
   private ApplicationContext applicationContext;
 
@@ -55,17 +64,22 @@ public class TempFilesResource {
   @Timed
   public Response upload(@Context HttpServletRequest request, @Context UriInfo uriInfo)
     throws IOException, FileUploadException {
-
     FileItem fileItem = getUploadedFile(request);
-
     if (fileItem == null) throw new FileUploadException("Failed to extract file item from request");
+    validateFileExtension(fileItem.getName());
     TempFile tempFile = tempFileService.addTempFile(fileItem.getName(), fileItem.getInputStream());
     URI location = uriInfo.getBaseUriBuilder().path(TempFilesResource.class).path(TempFilesResource.class, "file")
       .build(tempFile.getId());
-
     return Response.created(location).build();
   }
 
+  @GET
+  @Path("/_extensions")
+  @Produces(MediaType.TEXT_PLAIN)
+  public Response getFilesExtensions() {
+    return Response.ok().type(MediaType.TEXT_PLAIN).entity(filesExtensions).build();
+  }
+
   @Path("/{id}")
   public TempFileResource file(@PathParam("id") String id) {
     TempFileResource tempFileResource = applicationContext.getBean(TempFileResource.class);
@@ -84,4 +98,11 @@ FileItem getUploadedFile(HttpServletRequest request) throws FileUploadException
 
     return null;
   }
+
+  private void validateFileExtension(String filename) {
+    List<String> extensions = Splitter.on(",").splitToList(filesExtensions).stream().map(ext -> ext.trim().toLowerCase()).collect(Collectors.toList());
+    if (extensions.isEmpty() || extensions.contains("*")) return;
+    boolean valid = extensions.stream().anyMatch(ext -> filename.toLowerCase().endsWith(ext));
+    if (!valid) throw new BadRequestException("Not a valid file format");
+  }
 }

mica-webapp/src/main/java/org/obiba/mica/web/controller/DataAccessController.java

@@ -24,6 +24,7 @@
 import org.obiba.mica.security.Roles;
 import org.obiba.mica.web.controller.domain.DataAccessCollaboratorBundle;
 import org.obiba.mica.web.controller.domain.TimelineItem;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -42,6 +43,9 @@
 @Controller
 public class DataAccessController extends BaseDataAccessController {
 
+  @Value("${portal.files.extensions}")
+  private String filesExtensions;
+
   @Inject
   private DataAccessCollaboratorService dataAccessCollaboratorService;
 
@@ -141,6 +145,8 @@ public ModelAndView getDocuments(@PathVariable String id) {
 
       params.put("permissions", permissions);
 
+      params.put("filesExtensions", filesExtensions);
+
       return new ModelAndView("data-access-documents", params);
     } else {
       return new ModelAndView("redirect:../signin?redirect=" + micaConfigService.getContextPath() + "/data-access-documents%2F" + id);

mica-webapp/src/main/resources/_templates/data-access-documents.ftl

@@ -135,7 +135,7 @@
           <form>
             <div class="form-group">
               <label for="file-field"><@message "select-file-to-upload"/></label>
-              <input type="file" id="file-field" class="form-control-file" onchange="handleFiles(this.files)">
+              <input type="file" id="file-field" class="form-control-file" accept="${filesExtensions}" onchange="handleFiles(this.files)">
               <input type="hidden" id="file-id">
             </div>
             <div>

mica-webapp/src/main/webapp/app/file-system/file-system-controller.js

@@ -566,6 +566,7 @@ mica.fileSystem
         {name: 'REVIEWER', label: $filter('translate')('permission.reviewer')}
       ];
 
+      $scope.filesExtensions = FileSystemService.filesExtensions.get();
       $scope.screen = $rootScope.screen;
       $scope.hasRole = $rootScope.hasRole;
       $scope.getDocumentTypeTitle = FileSystemService.getDocumentTypeTitle;

mica-webapp/src/main/webapp/app/file-system/file-system-service.js

@@ -75,8 +75,8 @@ mica.fileSystem
       });
     }])
 
-  .service('FileSystemService', ['TempFileResource', 'Upload',
-    function (TempFileResource, Upload) {
+  .service('FileSystemService', ['TempFileResource', 'Upload','$resource',
+    function (TempFileResource, Upload, $resource) {
 
       this.isFile = function (document) {
         return document && document.type === 'FILE';
@@ -86,6 +86,10 @@ mica.fileSystem
         return document && document.path === '/';
       };
 
+      this.filesExtensions = $resource(contextPath + '/ws/files/temp/_extensions', {}, {
+        'get': {method: 'GET', accept: 'text/plain'}
+      });
+
       this.getDocumentTypeTitle = function (type) {
         switch (type) {
           case 'study':
@@ -121,7 +125,7 @@ mica.fileSystem
           switch (ext[1].toLowerCase()) {
             case 'doc':
             case 'docx':
-            case 'odm':
+            case 'odt':
             case 'gdoc':
               return 'fa-file-word-o';
 
@@ -133,7 +137,8 @@ mica.fileSystem
               return 'fa-file-pdf-o';
 
             case 'ppt':
-            case 'odt':
+            case 'pptx':
+            case 'odp':
               return 'fa-file-powerpoint-o';
 
             case 'xt':

mica-webapp/src/main/webapp/app/file-system/views/file-system-template.html

@@ -41,7 +41,7 @@
 
     <div class="voffset2">
       <a ng-if="!data.isFile" ng-disabled="!data.document.permissions.edit || data.document.revisionStatus !== 'DRAFT'"
-        class="btn btn-info btn-responsive" ngf-multiple="true" ngf-select ngf-change="onFileSelect($files)">
+        class="btn btn-info btn-responsive" ngf-multiple="true" ngf-select ngf-accept="filesExtensions" ngf-change="onFileSelect($files)">
       <i class="fa fa-upload"></i> {{'upload' | translate}}
       </a>
       <a ng-if="data.document.permissions.view && data.isFile" target="_self" class="btn btn-info btn-responsive" ng-href="ws/draft/file-dl/{{data.document.path}} ">