sartography / spiff-arena

SpiffWorkflow is a software development platform for building, running, and monitoring executable diagrams
https://www.spiffworkflow.org/
GNU Lesser General Public License v2.1

File extensions - restrict #1655

Open sashayar13 opened 1 month ago

sashayar13 commented 1 month ago

The current way of configuring the file extensions limit does not prevent users from uploading the restricted extensions. For instance, these are the only extensions which should be accepted:

```json
{
  "supporting_file": {
    "items": {
      "file": {
        "ui:options": {
          "accept": [
            ".pdf", ".bmp", ".ico", ".jpeg", ".jpg", ".heic", ".png", ".svg", ".tiff"
          ]
        },
        "ui:help": "Upload a photo of the receipt"
      }
    }
  }
}
```

However, as you can see from Madhu's comments, it's still possible to upload xlsx etc.


https://www.notion.so/Remove-xlsx-and-csv-extensions-from-allowed-Expense-submission-246708cc5677441fab04131ece82195b?pvs=4

jasquat commented 1 month ago

I think this is related to #839.

What the accept feature does is tell the browser to only list those file types by default when selecting a file; however, it does NOT actually restrict the chosen file in any other way. A user can upload a file with any extension if they desire. This is not something we can control easily. The process model could check the file extension and take the user back to the form if it is not a valid format.

sashayar13 commented 1 month ago

@jasquat, thanks for bringing that up here. I think the possibility of restricting accepted file extensions is becoming critical going forward. If the `accept` feature doesn't allow us to easily restrict it, what are other sustainable options for this?

I understand that we can write a script as part of each process model as a quick workaround - but I don't believe it's a sustainable approach. First - it will require the Process Architect to write a script and additionally model the behaviour if the extension is not allowed. Second - it's bad UX - since this check will work only after submission of a complete form.

I'm wondering if we can do something similar to Expensify. They display this message when a file with the wrong format is selected.


@MarD0607 @harmeet-status FYI

jasquat commented 1 month ago

I think the only other real option is to add a custom validation that can check for file extension.

sashayar13 commented 1 month ago

@jasquat, could you please estimate this ticket for implementing the custom validation?

jasquat commented 1 month ago

@sashayar13 added - 1.5 DD.

I think we can do this all in the CustomForm which means this implementation should remain the same between carbon and mui. It does depend on what information we have and how bad the parsing of that information is going to be however.
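As an added illustration of the custom validation proposed in this thread (example code, not part of spiff-arena or its CustomForm), the function below reads the `accept` list from a field's `ui:options` and rejects a selected file whose extension is not on it, so the form can show an error before submission instead of relying on the browser's file picker filter. The `File`-like object shape (`{ name }`), the helper names and the error wording are assumptions.

```javascript
// Added example: extension check driven by the same "accept" list that
// ui:options already carries. Not spiff-arena code; names are hypothetical.

function normalizeAccept(acceptList) {
  // Keep only extension entries such as ".pdf" and lower-case them so that
  // "receipt.PDF" matches. Entries without a leading dot (e.g. MIME types)
  // are ignored because this check is by extension only.
  return acceptList
    .filter((entry) => typeof entry === "string" && entry.trim().startsWith("."))
    .map((entry) => entry.trim().toLowerCase());
}

function fileExtension(fileName) {
  // Use only the final ".xyz" of the base name. A leading dot (".bashrc")
  // or a trailing dot ("receipt.") does not count as an extension.
  const base = fileName.split(/[\\/]/).pop();
  const idx = base.lastIndexOf(".");
  if (idx <= 0 || idx === base.length - 1) return "";
  return base.slice(idx).toLowerCase();
}

function validateFileExtension(file, uiOptions) {
  // Returns null when the file is acceptable, otherwise an error message
  // suitable for displaying next to the upload field.
  const allowed = normalizeAccept((uiOptions && uiOptions.accept) || []);
  if (allowed.length === 0) return null; // nothing configured: no restriction
  const ext = fileExtension(file.name);
  if (ext && allowed.includes(ext)) return null;
  return `File type "${ext || "(none)"}" is not allowed. Accepted types: ${allowed.join(", ")}`;
}

// Constructed sample mirroring the "supporting_file" field from the issue.
const SUPPORTING_FILE_UI_OPTIONS = {
  accept: [".pdf", ".bmp", ".ico", ".jpeg", ".jpg", ".heic", ".png", ".svg", ".tiff"],
};

// Usage: validateFileExtension({ name: "expenses.xlsx" }, SUPPORTING_FILE_UI_OPTIONS)
// returns an error string, while { name: "receipt.PDF" } returns null.
```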