From 3ffeb63afb78cc6def766f31ac2daa173336b943 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Wed, 9 Oct 2024 11:36:14 +0900
Subject: [PATCH] Enforce allowed filesize and type in extra var upload form
---
 modules/extravar/skins/default/assets/file_upload.js | 9 +++++++++
 .../skins/default/form_types/file_upload.blade.php | 9 +++++++++
 modules/file/file.model.php | 7 +++++--
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/modules/extravar/skins/default/assets/file_upload.js b/modules/extravar/skins/default/assets/file_upload.js
index 24e1593e2..878ac15af 100644
--- a/modules/extravar/skins/default/assets/file_upload.js
+++ b/modules/extravar/skins/default/assets/file_upload.js
@@ -11,6 +11,15 @@
 });
 $('input.rx_ev_file').on('change', function() {
 const container = $(this).parents('.ev_file_upload');
+ const max_size = parseInt($(this).data('allowedFilesize'), 10);
+ const file_count = this.files.length;
+ for (let i = 0; i < file_count; i++) {
+ if (max_size && this.files[i].size > max_size) {
+ alert($(this).data('msgFilesize'));
+ $(this).val('');
+ return;
+ }
+ }
 container.find('input[type=hidden][name^=_delete_]').val('N');
 });
 });
diff --git a/modules/extravar/skins/default/form_types/file_upload.blade.php b/modules/extravar/skins/default/form_types/file_upload.blade.php
index 33640820e..8b8f0dfe0 100644
--- a/modules/extravar/skins/default/form_types/file_upload.blade.php
+++ b/modules/extravar/skins/default/form_types/file_upload.blade.php
@@ -16,10 +16,19 @@ @endif @endif + @php + $file_config = FileModel::getUploadConfig($definition->module_srl); + $allowed_filetypes = strtr($file_config->allowed_filetypes ?? '', ['*.' => '.', ';' => ',']); + $allowed_filesize = ($file_config->allowed_filesize ?? 0) * 1024 * 1024; + @endphp +
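Review bot: The size check added to the `change` handler in file_upload.js is a browser-side pre-check only, and it covers size but not type, so on its own it does not enforce the configured limits against a request that does not go through this form. The limits returned by `getUploadConfig()` need to be re-applied where the extra-var upload is received on the server; that code is not part of this patch, so confirm it exists. I would state the boundary in the handler, e.g. `// UX pre-check only: size and extension are re-validated server-side.` Note also that `if (max_size && ...)` treats a missing or zero `data-allowed-filesize` as "no limit", so the check fails open.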
is_required) && !$value) @disabled(toBool($definition->is_disabled)) @readonly(toBool($definition->is_readonly))
diff --git a/modules/file/file.model.php b/modules/file/file.model.php
index 67c44f418..947205301 100644
--- a/modules/file/file.model.php
+++ b/modules/file/file.model.php
@@ -472,9 +472,12 @@ class FileModel extends File
 *
 * @return object Returns a file configuration of current module. If user is admin, returns PHP's max file size and allow all file types.
 */
- public static function getUploadConfig()
+ public static function getUploadConfig($module_srl = 0)
 {
- $module_srl = Context::get('module_srl') ?: (Context::get('current_module_info')->module_srl ?? 0);
+ if (!$module_srl)
+ {
+ $module_srl = Context::get('module_srl') ?: (Context::get('current_module_info')->module_srl ?? 0);
+ }
 $config = self::getFileConfig($module_srl);
 if (Rhymix\Framework\Session::isAdmin())
 {
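Review bot: In the `@php` block of file_upload.blade.php, `$allowed_filesize` falls back to 0 when the config has no `allowed_filesize`, and the JS handler reads 0 as "unlimited", so a missing setting silently disables the size check; falling back to a conservative default would fail closed. The `strtr()` mapping also turns a wildcard entry such as `*.*` into `.*`, which is not a valid `accept` token. If the config can hold that value (the docblock in file.model.php says admins get all file types, but the stored form is not visible here), the attribute should be skipped in that case. The rest of this hunk is truncated on the page, so the markup that consumes these variables could not be reviewed.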
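Review bot: The docblock above `getUploadConfig()` in file.model.php still describes a parameterless method, and the new `$module_srl` argument is untyped and undocumented. Suggest adding `@param int $module_srl Module whose upload limits to read; 0 falls back to the current request's module` and normalising on entry with `$module_srl = (int)$module_srl;`. The fallback reads `Context::get('module_srl')`, which presumably reflects the current request, so callers that already know the module (as the blade template now does) should keep passing it explicitly so the limits come from the intended module. The method body continues past the end of the hunk.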