Secure files extending file name with uuid.

flash_update/migrations/0013_alter_flashgraphicmap_file.py

@@ -0,0 +1,19 @@
+# Generated by Django 4.2.15 on 2024-09-03 09:37
+
+from django.db import migrations, models
+import flash_update.models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('flash_update', '0012_auto_20230410_0720'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='flashgraphicmap',
+            name='file',
+            field=models.FileField(upload_to=flash_update.models.flash_map_upload_to, verbose_name='file'),
+        ),
+    ]

flash_update/migrations/0014_alter_flashupdate_extracted_file.py

@@ -0,0 +1,19 @@
+# Generated by Django 4.2.15 on 2024-09-03 09:42
+
+from django.db import migrations, models
+import flash_update.models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('flash_update', '0013_alter_flashgraphicmap_file'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='flashupdate',
+            name='extracted_file',
+            field=models.FileField(blank=True, null=True, upload_to=flash_update.models.flash_extracted_file_upload_to, verbose_name='extracted file'),
+        ),
+    ]

flash_update/models.py

@@ -1,3 +1,5 @@
+# import os
+# from uuid import uuid4
 import reversion
 from django.conf import settings
 from django.contrib.auth.models import Group
@@ -6,6 +8,7 @@
 from django.utils.translation import gettext_lazy as _
 from tinymce.models import HTMLField
 
+from main.utils import custom_upload_to
 from api.models import (
     ActionCategory,
     ActionOrg,
@@ -15,10 +18,15 @@
     District,
 )
 
+def flash_map_upload_to(instance, filename):
+    return custom_upload_to('flash_update/images/')(instance, filename)
+
+def flash_extracted_file_upload_to(instance, filename):
+    return custom_upload_to('flash_update/pdf/')(instance, filename)
 
 @reversion.register()
 class FlashGraphicMap(models.Model):
-    file = models.FileField(verbose_name=_("file"), upload_to="flash_update/images/")
+    file = models.FileField(verbose_name=_("file"), upload_to=flash_map_upload_to)
     caption = models.CharField(max_length=225, blank=True, null=True)
     created_by = models.ForeignKey(
         settings.AUTH_USER_MODEL,
@@ -116,7 +124,7 @@ class FlashShareWith(models.TextChoices):
         verbose_name=_("share with"),
     )
     references = models.ManyToManyField(FlashReferences, blank=True, verbose_name=_("references"))
-    extracted_file = models.FileField(verbose_name=_("extracted file"), upload_to="flash_update/pdf/", blank=True, null=True)
+    extracted_file = models.FileField(verbose_name=_("extracted file"), upload_to=flash_extracted_file_upload_to, blank=True, null=True)
     extracted_at = models.DateTimeField(verbose_name=_("extracted at"), blank=True, null=True)
 
     class Meta:

main/utils.py

@@ -1,6 +1,8 @@
+import os
 import datetime
 import json
 import typing
+from uuid import uuid4
 from collections import defaultdict
 from tempfile import NamedTemporaryFile, _TemporaryFileWrapper
 
@@ -15,6 +17,20 @@
 from reversion.revisions import _get_options
 
 
+def custom_upload_to(directory):
+    """
+    Rename file name with adding uuid
+    """
+    def upload_to(instance, filename):
+        # Get the file extension
+        extension = filename.split('.')[-1]
+        old_file_name = filename.split('.')[0]
+        # Create a unique filename using uuid4
+        new_filename = f"{old_file_name}-{uuid4().hex}.{extension}"
+        # Return the new file path
+        return os.path.join(directory, new_filename)
+    return upload_to
+
 def is_tableau(request):
     """Checking the request for the 'tableau' parameter
     (used mostly for switching to the *TableauSerializers)