
[#1885] Changed document admin to be readonly #887

Merged
merged 4 commits into from
Jan 18, 2024

Conversation

Contributor

@Bartvaderkin Bartvaderkin commented Dec 11, 2023

task: https://taiga.maykinmedia.nl/project/open-inwoner/task/1885

In the pentest you could upload here, but this is user content so no need to create/edit it through the admin.

Fields:

@codecov-commenter

codecov-commenter commented Dec 11, 2023

Codecov Report

Attention: 6 lines in your changes are missing coverage. Please review.

Comparison is base (ba38b08) 94.68% compared to head (cabff54) 94.79%.
Report is 14 commits behind head on develop.

Files Patch % Lines
src/open_inwoner/accounts/admin.py 77.77% 6 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##           develop     #887      +/-   ##
===========================================
+ Coverage    94.68%   94.79%   +0.10%     
===========================================
  Files          831      857      +26     
  Lines        29275    30085     +810     
===========================================
+ Hits         27720    28519     +799     
- Misses        1555     1566      +11     


@Bartvaderkin Bartvaderkin marked this pull request as ready for review December 12, 2023 07:56
@alextreme
Member

Note my remark: "This is to be corrected, the default document-file extensions from the Open Zaak configuration can be used as the default whitelist. This validation is to be added on a model-level, and other filefields in Open Inwoner can be checked and if necessary the same validation can be added to those filefields as well."

As Users can upload documents (via a plan) this will need validation of some kind. And the other FileFields will likely also require attention.

pi-sigma previously approved these changes Dec 14, 2023
@pi-sigma pi-sigma dismissed their stale review December 14, 2023 10:38

Too quick, didn't see the comment

@stevenbal stevenbal self-assigned this Jan 16, 2024
@stevenbal
Contributor

@alextreme in the PR description I made a list of the file fields that I could find.

  • The FilerFileField actually already has validation that blocks you from uploading .svg, .html or other files that can allow XSS.
  • document.file, action.file and message.file all use settings.UPLOAD_FILE_TYPES in the frontend and the admins are readonly (added in this PR)
  • siteconfig.theme_stylesheet: admin only and only allows .css
  • CaseUploadForm.files: already checks the extensions based on the configured extensions in OpenZaakConfig
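One way to add the model-level extension whitelist that alextreme's remark asks for, as an added example that is not the project's own code: the allowed set is a constructed stand-in for the document extensions configured in OpenZaakConfig (or settings.UPLOAD_FILE_TYPES), the active-content deny list reflects the .svg/.html XSS concern above, and the validator falls back to a plain ValueError subclass when Django is not installed.

```python
import os

# Constructed stand-in for the configured document extensions (OpenZaakConfig /
# settings.UPLOAD_FILE_TYPES in the project); not the project's real list.
DEFAULT_UPLOAD_FILE_TYPES = {"pdf", "docx", "xlsx", "png", "jpg", "jpeg", "txt"}

# Types a browser renders as active content: deny these even if a configured
# whitelist accidentally lists them (the FilerFileField check mentioned above
# exists for the same reason).
ACTIVE_CONTENT_EXTENSIONS = {"svg", "html", "htm", "xhtml", "xml", "js", "shtml"}

try:
    from django.core.exceptions import ValidationError
except ImportError:  # lets the example run without Django installed
    class ValidationError(ValueError):
        pass


def extension_of(filename: str) -> str:
    """Return the lower-cased final extension without the dot, or '' if none.

    Only the final extension counts, so 'report.pdf.svg' is an SVG, and a
    path prefix (including Windows-style backslashes) is ignored.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    return ext[1:].lower()


def is_allowed_upload(filename: str, allowed=DEFAULT_UPLOAD_FILE_TYPES) -> bool:
    """Whitelist check with a hard deny for active content."""
    ext = extension_of(filename)
    if not ext:
        return False  # 'README' or 'archive.' carry no type information
    if ext in ACTIVE_CONTENT_EXTENSIONS:
        return False  # denied regardless of the configured whitelist
    return ext in {e.lower().lstrip(".") for e in allowed}


def validate_upload_extension(value):
    """Model-level validator, usable as FileField(validators=[...]) in Django.

    Accepts a FieldFile (uses .name) or a plain filename string; returns None
    when the file is acceptable, raises ValidationError otherwise.
    """
    name = getattr(value, "name", value)
    if not is_allowed_upload(name):
        raise ValidationError(f"File type of {name!r} is not allowed.")
```

Because the check lives on the model, it applies to every write path (forms, the admin, the API) rather than only to the frontend form that currently consults the setting.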

Contributor Author

@Bartvaderkin Bartvaderkin left a comment


@stevenbal See note in the diff.

Comment on lines 167 to 196
    fields = [
        "uuid",
        "name",
        "description",
        "status",
        "type",
        "end_date",
        "display_file_url",
        "is_for",
        "created_on",
        "updated_on",
        "created_by",
        "plan",
        "is_deleted",
    ]
    readonly_fields = (
        "uuid",
        "name",
        "description",
        "status",
        "type",
        "end_date",
        "display_file_url",
        "is_for",
        "created_on",
        "updated_on",
        "created_by",
        "plan",
        "is_deleted",
    )
Contributor Author


It is not very DRY to repeat the same list? You could assign the same:

readonly_fields = fields

Also even more robust and less manual configuration to use has_change_permission() instead of explicitly listing everything. For example, if a new field gets added we need to remember it has to be added here (twice!) instead of being readonly by default. It is also more correct to make the model as a whole readonly instead of manually marking all fields.

This goes for all the changes that do similar.

Member

@alextreme alextreme left a comment


The updated PR looks fine to me, retriggered the tests

@alextreme alextreme merged commit bdc8f79 into develop Jan 18, 2024
14 checks passed
@alextreme alextreme deleted the fix/1885-admin-document-pen branch January 18, 2024 17:14