From 9584b2ffbabf7b6b8c519da27e4487bb268854a8 Mon Sep 17 00:00:00 2001
From: Horilla
Date: Tue, 16 Dec 2025 12:14:43 +0530
Subject: [PATCH] [FIX] EMPLOYEE: Fixed Employee profile image to only accept image files

---
 employee/models.py | 49 ++++++++++++++++++++++++++++++++++------------
 employee/views.py | 17 +++++++++-------
 2 files changed, 47 insertions(+), 19 deletions(-)

diff --git a/employee/models.py b/employee/models.py
index 271f60039..3e8a59fe7 100644
--- a/employee/models.py
+++ b/employee/models.py
@@ -5,6 +5,7 @@ This module is used to register models for employee app
 """
 
 
+import xml.etree.ElementTree as ET
 from datetime import date, datetime, timedelta
 
 from django.apps import apps
@@ -19,7 +20,9 @@ from django.dispatch import receiver
 from django.templatetags.static import static
 from django.utils.translation import gettext as _
 from django.utils.translation import gettext_lazy as trans
+from PIL import Image
 
+from accessibility.accessibility import ACCESSBILITY_FEATURE
 from base.horilla_company_manager import HorillaCompanyManager
 from base.models import (
     Company,
@@ -513,12 +516,41 @@ class Employee(models.Model):
         )
         return subordinates
 
+    def clean(self):
+        super().clean()
+
+        file = self.employee_profile
+        if not file:
+            return
+
+        try:
+            file.seek(0)
+            content = file.read()
+        except Exception:
+            raise ValidationError({"employee_profile": "Unable to read uploaded file."})
+
+        is_svg = False
+        try:
+            text = content.decode("utf-8", errors="strict")
+            root = ET.fromstring(text)
+            if root.tag.endswith("svg"):
+                is_svg = True
+        except Exception:
+            pass
+
+        if not is_svg:
+            try:
+                file.seek(0)
+                Image.open(file).verify()
+            except Exception:
+                raise ValidationError(
+                    {"employee_profile": "Invalid image or SVG file."}
+                )
+
     def save(self, *args, **kwargs):
-        # your custom code here
-        # ...
-        # call the parent class's save method to save the object
-        prev_employee = Employee.objects.filter(id=self.id).first()
+        self.full_clean()
         super().save(*args, **kwargs)
+
         request = getattr(horilla_middlewares._thread_locals, "request", None)
         if request and not self.is_active and self.get_archive_condition() is not False:
             self.is_active = True
@@ -530,16 +562,11 @@ class Employee(models.Model):
             username = self.email
             password = self.phone
 
-            is_new_employee_flag = (
-                not employee.employee_user_id.is_new_employee
-                if employee.employee_user_id
-                else True
-            )
             user = User.objects.create_user(
                 username=username,
                 email=username,
                 password=password,
-                is_new_employee=is_new_employee_flag,
+                is_new_employee=True,
             )
             if not user:
                 user = User.objects.create_user(
@@ -967,8 +994,6 @@ class ProfileEditFeature(HorillaModel):
     objects = models.Manager()
 
 
-from accessibility.accessibility import ACCESSBILITY_FEATURE
-
 ACCESSBILITY_FEATURE.append(("gender_chart", "Can view Gender Chart"))
 ACCESSBILITY_FEATURE.append(("department_chart", "Can view Department Chart"))
 ACCESSBILITY_FEATURE.append(("employees_chart", "Can view Employees Chart"))
diff --git a/employee/views.py b/employee/views.py
index 409ec3471..aac25dca4 100755
--- a/employee/views.py
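Review bot: The SVG branch of `clean()` accepts any well-formed XML whose root tag ends in `svg` and stops there, so a file that passes this check can still carry `<script>` elements, event-handler attributes or external references; if the stored file is later served inline from the application's origin that is a stored-XSS vector, so either reject SVG in this validator or make sure profile files are only served with headers that prevent script execution (attachment disposition or a restrictive CSP) — the validator itself cannot make an SVG safe. `content = file.read()` pulls the whole upload into memory with no cap and `ET.fromstring(text)` then parses attacker-controlled XML with a module the Python docs describe as not hardened against malicious input (entity expansion), so add a size guard before the read, `if file.size > MAX_PROFILE_IMAGE_BYTES:` (placeholder constant) `raise ValidationError({"employee_profile": _("File too large.")})`, and consider a hardened parser such as `defusedxml` if the project can take the dependency. `self.full_clean()` in `save()` also means the file is reopened from storage and fully read on every save of an Employee rather than only on upload, which may be worth limiting to freshly uploaded files. The two `raise ValidationError(...)` sites should chain the caught error (`raise ... from exc`) and wrap their messages in `_()` like the module's other user-facing strings; `save()`'s body continues past the hunk.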
+++ b/employee/views.py
@@ -1552,7 +1552,7 @@ def update_profile_image(request, obj_id):
         employee.save()
         messages.success(request, _("Profile image updated."))
     except Exception:
-        messages.error(request, _("No image chosen."))
+        messages.error(request, _("Upload a valid image."))
     response = render(
         request,
         "employee/profile/profile_modal.html",
@@ -1568,11 +1568,14 @@ def update_own_profile_image(request):
     """
     This method is used to update own profile image from profile view form
     """
-    employee = request.user.employee_get
-    img = request.FILES.get("employee_profile")
-    employee.employee_profile = img
-    employee.save()
-    messages.success(request, _("Profile image updated."))
+    try:
+        employee = request.user.employee_get
+        img = request.FILES.get("employee_profile")
+        employee.employee_profile = img
+        employee.save()
+        messages.success(request, _("Profile image updated."))
+    except Exception:
+        messages.error(request, _("Upload a valid image."))
     response = render(
         request,
         "employee/profile/profile_modal.html",
@@ -1655,7 +1658,7 @@ def employee_create_update_personal_info(request, obj_id=None):
     This method is used to update employee's personal info.
     """
     employee = Employee.objects.filter(id=obj_id).first()
-    form = EmployeeForm(request.POST, instance=employee)
+    form = EmployeeForm(request.POST, request.FILES, instance=employee)
     if form.is_valid():
         form.save()
         if obj_id is None:
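Review bot: `update_own_profile_image` now wraps the whole block in `except Exception` and reports every failure as "Upload a valid image.", which hides unrelated errors (a missing `employee_get`, a storage failure) behind a misleading message and logs nothing; catch the `ValidationError` that the model's `clean()` raises and let anything else propagate or be recorded with `logger.exception(...)`. The `update_profile_image` hunk above has the same handler shape (its `try` begins outside the hunk). Separately, `request.FILES.get("employee_profile")` is `None` when the form is submitted without a file, and in that case the assignment appears to clear the current picture, `clean()` returns early on the empty field, and the user is still told "Profile image updated."; guard that case before touching the model. `ValidationError` lives in `django.core.exceptions` and may need importing in views.py.
```python
    img = request.FILES.get("employee_profile")
    if img is None:
        messages.error(request, _("Upload a valid image."))
    else:
        try:
            employee = request.user.employee_get
            employee.employee_profile = img
            employee.save()
            messages.success(request, _("Profile image updated."))
        except ValidationError:
            messages.error(request, _("Upload a valid image."))
    # … unchanged: render of profile_modal.html …
```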