[FIX] EMPLOYEE: Fixed Employee profile image to only accept image files

2025-12-16 12:14:43 +05:30
parent 56191865ff
commit 9584b2ffba
2 changed files with 47 additions and 19 deletions
--- a/employee/models.py
+++ b/employee/models.py
@@ -5,6 +5,7 @@ This module is used to register models for employee app

 """

+import xml.etree.ElementTree as ET
 from datetime import date, datetime, timedelta

 from django.apps import apps
@@ -19,7 +20,9 @@ from django.dispatch import receiver
 from django.templatetags.static import static
 from django.utils.translation import gettext as _
 from django.utils.translation import gettext_lazy as trans
+from PIL import Image

+from accessibility.accessibility import ACCESSBILITY_FEATURE
 from base.horilla_company_manager import HorillaCompanyManager
 from base.models import (
    Company,
@@ -513,12 +516,41 @@ class Employee(models.Model):
        )
        return subordinates

+    def clean(self):
+        super().clean()
+
+        file = self.employee_profile
+        if not file:
+            return
+
+        try:
+            file.seek(0)
+            content = file.read()
+        except Exception:
+            raise ValidationError({"employee_profile": "Unable to read uploaded file."})
+
+        is_svg = False
+        try:
+            text = content.decode("utf-8", errors="strict")
+            root = ET.fromstring(text)
+            if root.tag.endswith("svg"):
+                is_svg = True
+        except Exception:
+            pass
+
+        if not is_svg:
+            try:
+                file.seek(0)
+                Image.open(file).verify()
+            except Exception:
+                raise ValidationError(
+                    {"employee_profile": "Invalid image or SVG file."}
+                )
+
    def save(self, *args, **kwargs):
-        # your custom code here
-        # ...
-        # call the parent class's save method to save the object
-        prev_employee = Employee.objects.filter(id=self.id).first()
+        self.full_clean()
        super().save(*args, **kwargs)
+
        request = getattr(horilla_middlewares._thread_locals, "request", None)
        if request and not self.is_active and self.get_archive_condition() is not False:
            self.is_active = True
@@ -530,16 +562,11 @@ class Employee(models.Model):
            username = self.email
            password = self.phone

-            is_new_employee_flag = (
-                not employee.employee_user_id.is_new_employee
-                if employee.employee_user_id
-                else True
-            )
            user = User.objects.create_user(
                username=username,
                email=username,
                password=password,
-                is_new_employee=is_new_employee_flag,
+                is_new_employee=True,
            )
            if not user:
                user = User.objects.create_user(
@@ -967,8 +994,6 @@ class ProfileEditFeature(HorillaModel):
    objects = models.Manager()


-from accessibility.accessibility import ACCESSBILITY_FEATURE
-
 ACCESSBILITY_FEATURE.append(("gender_chart", "Can view Gender Chart"))
 ACCESSBILITY_FEATURE.append(("department_chart", "Can view Department Chart"))
 ACCESSBILITY_FEATURE.append(("employees_chart", "Can view Employees Chart"))
--- a/employee/views.py
+++ b/employee/views.py
@@ -1552,7 +1552,7 @@ def update_profile_image(request, obj_id):
        employee.save()
        messages.success(request, _("Profile image updated."))
    except Exception:
-        messages.error(request, _("No image chosen."))
+        messages.error(request, _("Upload a valid image."))
    response = render(
        request,
        "employee/profile/profile_modal.html",
@@ -1568,11 +1568,14 @@ def update_own_profile_image(request):
    """
    This method is used to update own profile image from profile view form
    """
-    employee = request.user.employee_get
-    img = request.FILES.get("employee_profile")
-    employee.employee_profile = img
-    employee.save()
-    messages.success(request, _("Profile image updated."))
+    try:
+        employee = request.user.employee_get
+        img = request.FILES.get("employee_profile")
+        employee.employee_profile = img
+        employee.save()
+        messages.success(request, _("Profile image updated."))
+    except Exception:
+        messages.error(request, _("Upload a valid image."))
    response = render(
        request,
        "employee/profile/profile_modal.html",
@@ -1655,7 +1658,7 @@ def employee_create_update_personal_info(request, obj_id=None):
    This method is used to update employee's personal info.
    """
    employee = Employee.objects.filter(id=obj_id).first()
-    form = EmployeeForm(request.POST, instance=employee)
+    form = EmployeeForm(request.POST, request.FILES, instance=employee)
    if form.is_valid():
        form.save()
        if obj_id is None: