degeist / book-cover-generator

A tool to create user-generated book covers and share on social media.

Uploaded file validation #45

Open erasmus opened 8 years ago

erasmus commented 8 years ago

We should do some checking before uploading to save bandwidth & spam.

Limits

avorio commented 8 years ago

Filename is problematic for a number of reasons. One is that someone might have bg.jpg and chances are that many other people might have other files with the same name...

erasmus commented 8 years ago

Yes, filename checking should probably be frontend. (the filename of the last uploaded file is stored in the cloudinary.data object and could be used for some validation) -- for a later optimisation if we need to save on bandwidth. Ignore for now.

erasmus commented 8 years ago

Frontend validation has now been implemented. Would need a backend check (filesize + type) to avoid spam.

Update: To be specific, we now check frontend for filesize + filetype. This does not have global support however and some backend checking should be implemented to avoid e.g. headless spambots.
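
The backend check (filesize + type) asked for in the comment above could look like the following. This is an added example, not code from this repository: it assumes the upload passes through the application server rather than going straight from the browser to Cloudinary, and the 5 MiB limit, the png/jpg allow-list and the names `validate_upload`, `UploadRejected` and `check` are hypothetical.

```python
import io

# Assumed limit: the issue's "Limits" list is not shown, so this is a placeholder.
MAX_BYTES = 5 * 1024 * 1024
# Leading bytes that identify each allowed image format.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}


class UploadRejected(ValueError):
    """Raised when an upload fails a server-side check."""


def validate_upload(stream, allowed_formats=("png", "jpg"), max_bytes=MAX_BYTES):
    """Read at most max_bytes + 1 from stream; return (format, data) or raise.

    The client-supplied filename and Content-Type are never consulted: a
    headless client controls both, so the type is taken from the content.
    """
    # Bounded read: an oversized body is rejected without buffering all of it.
    data = stream.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise UploadRejected("file exceeds %d bytes" % max_bytes)
    if not data:
        raise UploadRejected("empty upload")
    for fmt in allowed_formats:
        magic = MAGIC.get(fmt)
        if magic and data.startswith(magic):
            return fmt, data
    raise UploadRejected("content is not one of: " + ", ".join(allowed_formats))


def check(data, **kwargs):
    """Demo helper: return the detected format or the rejection reason."""
    try:
        return validate_upload(io.BytesIO(data), **kwargs)[0]
    except UploadRejected as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    # Constructed sample bodies (signatures plus padding, not full images).
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    fake = b"<html>spam</html>"  # could be sent under any filename, e.g. bg.jpg
    print(check(png))
    print(check(fake))
    print(check(png, max_bytes=16))
```

A signature match only shows that the body starts like a PNG or JPEG; it does not prove the file decodes as an image.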

avorio commented 8 years ago

See Cloudinary's API documentation on file validation.

In a nutshell, Cloudinary supports file type restriction on the server side for uploading:

```python
uploader.upload("tests/logo.png", allowed_formats=['png'])
```

The next example will return an error:

```python
uploader.upload("tests/logo.png", allowed_formats=['jpg'])
```

However, you can convert the uploaded file to match the allowed format, for example:

```python
uploader.upload("tests/logo.png", allowed_formats=['jpg'], format='jpg')
```

avorio commented 8 years ago

About filesize validation in the backend, here's Cloudinary's response:

> Our jQuery integration library supports handling minimum/maximum size and dimensions on the client side. We have it in our roadmap to support rejecting these on the server side as well.

avorio commented 8 years ago

It's unclear to me how the documentation example above applies to direct uploads.

I've written to their support team and I am now waiting for a response.

avorio commented 8 years ago

It looks like server-side validation is not possible with direct uploads.

> The CloudinaryJsFileField uses our jQuery library for the uploads. As mentioned in the article, you can use the acceptFileTypes in the initialization of the input field. For more information: https://github.com/cloudinary/cloudinary_js#client-side-image-resizing-before-upload

I'm assuming this is what you've already implemented, @rashagen?

erasmus commented 8 years ago

Yes, that's what's been implemented... hmmmm