MDL-59544 forms: Implicit validation of the filemanager and filepicker

The patch adds an extra validation step against accepted file types. Even if the repository checks are bypassed (as illustrated in the Behat), the invalid file is still caught by the element's validation rules. It turns out there is no way to test the filepicker element easily via Behat. Additionally, it provides the renaming features only with disabled javascript. So the Behat tests are provided for the filemanager only. AMOS BEGIN CPY [err_wrongfileextension,mod_workshop],[err_wrongfileextension,core_form] AMOS END
2025-08-09 19:06:41 +02:00 · 2017-07-14 14:48:19 +02:00 · 2017-07-14 14:48:19 +02:00 · 1661204a6c
commit 1661204a6c
parent 16a68a2f76
5 changed files with 97 additions and 1 deletions
--- a/lib/form/filemanager.php
+++ b/lib/form/filemanager.php
@ -308,6 +308,47 @@ class MoodleQuickForm_filemanager extends HTML_QuickForm_element implements temp
        $context['html'] = $this->toHtml();
        return $context;
    }
+
+    /**
+     * Check that all files have the allowed type.
+     *
+     * @param array $value Draft item id with the uploaded files.
+     * @return string|null Validation error message or null.
+     */
+    public function validateSubmitValue($value) {
+
+        $filetypesutil = new \core_form\filetypes_util();
+        $whitelist = $filetypesutil->normalize_file_types($this->_options['accepted_types']);
+
+        if (empty($whitelist) || $whitelist === ['*']) {
+            // Any file type is allowed, nothing to check here.
+            return;
+        }
+
+        $draftfiles = file_get_drafarea_files($value);
+        $wrongfiles = array();
+
+        if (empty($draftfiles)) {
+            // No file uploaded, nothing to check here.
+            return;
+        }
+
+        foreach ($draftfiles->list as $file) {
+            if (!$filetypesutil->is_allowed_file_type($file->filename, $whitelist)) {
+                $wrongfiles[] = $file->filename;
+            }
+        }
+
+        if ($wrongfiles) {
+            $a = array(
+                'whitelist' => implode(', ', $whitelist),
+                'wrongfiles' => implode(', ', $wrongfiles),
+            );
+            return get_string('err_wrongfileextension', 'core_form', $a);
+        }
+
+        return;
+    }
 }

 /**