Do not permit to upload a GIF file via javascript

Gemfile

@@ -4,6 +4,7 @@ gem 'aasm'
 gem 'actiontext', git: 'https://github.com/kobaltz/actiontext.git', branch: 'archive', require: 'action_text' # Port of ActionText to Rails 5
 gem 'active_link_to' # Automatically set a class on active links
 gem 'active_model_serializers'
+gem 'active_storage_validations'
 gem 'activestorage-openstack'
 gem 'administrate'
 gem 'after_party'

Gemfile.lock

@@ -51,8 +51,10 @@ GEM
       activemodel (>= 4.1, < 6.1)
       case_transform (>= 0.2)
       jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
-    activejob (5.2.4.1)
+    active_storage_validations (0.8.7)
-      activesupport (= 5.2.4.1)
+      rails (>= 5.2.0)
+    activejob (5.2.3)
+      activesupport (= 5.2.3)
       globalid (>= 0.3.6)
     activemodel (5.2.4.1)
       activesupport (= 5.2.4.1)
@@ -714,6 +716,7 @@ DEPENDENCIES
   actiontext!
   active_link_to
   active_model_serializers
+  active_storage_validations
   activestorage-openstack
   administrate
   after_party

app/controllers/admin/attestation_templates_controller.rb

@@ -40,9 +40,16 @@ class Admin::AttestationTemplatesController < AdminController
   end
 
   def preview
-    @attestation = (@procedure.attestation_template || AttestationTemplate.new).render_attributes_for(activated_attestation_params)
+    attestation = (@procedure.attestation_template || AttestationTemplate.new)
+    attestation.assign_attributes(activated_attestation_params)
 
-    render 'admin/attestation_templates/show', formats: [:pdf]
+    if attestation.valid?
+      @attestation = attestation.render_attributes_for(activated_attestation_params)
+
+      render 'admin/attestation_templates/show', formats: [:pdf]
+    else
+      flash.alert = attestation_template.errors.full_messages.join('<br>')
+    end
   end
 
   def delete_logo

app/models/attestation_template.rb

@@ -11,6 +11,9 @@ class AttestationTemplate < ApplicationRecord
 
   validates :footer, length: { maximum: 190 }
 
+  validates :logo, content_type: [:png, :jpg, :jpeg]
+  validates :signature, content_type: [:png, :jpg, :jpeg]
+
   DOSSIER_STATE = Dossier.states.fetch(:accepte)
 
   def attestation_for(dossier)

app/views/admin/attestation_templates/edit.html.haml

@@ -23,7 +23,7 @@
         = f.label :logo, "Logo de l'attestation"
         - if @attestation_template.logo.attached?
           = link_to 'Supprimer le logo', admin_procedure_attestation_template_logo_path(@procedure), method: :delete
-        = f.file_field :logo, accept: 'image/png, image/jpg, image/jpeg'
+        = f.file_field :logo, accept: 'image/png,image/jpg,image/jpeg'
         %p.help-block
           Fichier accepté : JPG / JPEG / PNG
           %br
@@ -87,3 +87,4 @@
       - else
         - save_data = @procedure.locked? ? { toggle: :tooltip, confirm: "Attention: les modifications n'affecteront pas les attestations déjà délivrées." } : nil
         %button.btn.btn-success{ data: save_data } Enregistrer
+

spec/controllers/admin/attestation_templates_controller_spec.rb

@@ -26,11 +26,12 @@ describe Admin::AttestationTemplatesController, type: :controller do
           procedure_id: procedure.id,
           attestation_template: upload_params
         }
+      procedure.reload
     end
 
     context 'with an interlaced png' do
       let(:upload_params) { { logo: interlaced_logo } }
-      it { expect(assigns(:attestation)[:logo].read).to eq(uninterlaced_logo.read) }
+      it { expect(procedure.attestation_template.logo.download).to eq(uninterlaced_logo.read) }
     end
 
     context 'if an attestation template does not exist on the procedure' do

spec/models/attestation_template_spec.rb

@@ -87,6 +87,25 @@ describe AttestationTemplate, type: :model do
     end
   end
 
+  describe 'invalidate attestation if images attachments are not valid' do
+    before do
+      @logo = Rack::Test::UploadedFile.new('spec/fixtures/files/french-flag.gif', 'image/gif')
+      @signature = Rack::Test::UploadedFile.new('spec/fixtures/files/beta-gouv.gif', 'image/gif')
+    end
+
+    after do
+      subject.destroy
+    end
+
+    let(:attestation_template) { AttestationTemplate.create(attributes) }
+    subject { attestation_template.dup }
+
+    context 'with an attestation which has gif files' do
+      let(:attributes) { { title: 't', body: 'b', footer: 'f', activated: true, logo: @logo, signature: @signature } }
+      it { is_expected.not_to be_valid }
+    end
+  end
+
   describe 'attestation_for' do
     let(:procedure) do
       create(:procedure,