New IMPORT_FORMATS setting does not prevent POST of incorrect type

[matthewhegarty]

Describe the bug

In PR #1606 we now have the ability to limit which formats can be imported. However this is a front end constraint only and you can still POST an undefined format.

To Reproduce

The test in the attached patch proves the issue. IMPORT_FORMATS are limited to 'csv' but you can POST a tsv. This format does not get processed correctly (fails with errors), however processing should not be allowed at all, otherwise it is a potential security issue.

Versions (please complete the following information):

• Django Import Export: dev
• Python 3.11
• Django 4.2

Expected behavior
I would expect to see an error message stating that the tsv format is not allowed.

Additional context

Apply attached patch with git apply post-incorrect-type.txt

post-incorrect-type.txt

use the attached books.txt
(but rename to books.tsv and put in tests/core/exports)

These changes are in a branch here

[matthewhegarty]

Going to close this... I don't think it is an issue.
I loaded the import page, then set IMPORT_EXPORT_FORMATS=[base_formats.CSV]
Then I tried to import an xlsx file and I got this error message, so I am confident it is working ok.

The test I added proves that you can send any file despite the format (i.e. you can send a tsv file with 'csv' format defined) but there is no reliable way to restrict that, and parsing fails with an error message as expected.