[#72] Add backend validation for file component

[Viicos]

Partly fixes #72, #4222. I don't know if it should also validate more fields in the submitted values for files?

• SDK: [open-formulieren/open-forms#4222] Fix max files upload limit  open-forms-sdk#680

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.13%. Comparing base (c19b3c7) to head (f13bd39).

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4227      +/-   ##
==========================================
+ Coverage   96.12%   96.13%   +0.01%     
==========================================
  Files         730      730              
  Lines       23522    23546      +24     
  Branches     2759     2762       +3     
==========================================
+ Hits        22611    22637      +26     
+ Misses        645      643       -2     
  Partials      266      266              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[sergei-maertens]

Had some time to think about this PR.

This does not go far enough - the nested DictField that expects anything does not at all provide proper input validation. We either implement validation for a component entirely or not all, so please extend this to cover all the validations.

Additionally, I'm wondering how much of the file validation that is currently happening in other places (mime type, extensions, virus check...) can be moved here. I'd like to concentrate that in a single place instead of smearing it out over the entire codebase.

[Viicos]

mime type, extensions, virus check...

From what I saw when implementing this, these checks are done during the creation of the temporary file upload, which is done as soon as a file is added in the fileupload component widget. So moving this here might require some refactoring

[sergei-maertens]

mime type, extensions, virus check...

From what I saw when implementing this, these checks are done during the creation of the temporary file upload, which is done as soon as a file is added in the fileupload component widget. So moving this here might require some refactoring

Some of them can be moved, some can't - e.g. the virus check and mime type check are fine to keep with the temp upload, but the checks for file types (extensions) for example should be moved.

The "problem" with the temporary uploads is that we have no trusted input pointing to the responsible component for that upload, so we can only perform generic checks there. But once we have the values & the component (so when building the serializer field and running validation), we are able to resolve the (temporary?) uploads belonging to this component and can run the rest of the validation.

[sergei-maertens]

As mentioned on Slack, I'd relate this PR to #72 instead :)

[sergei-maertens]

I'm also missing the integration tests that show the frontend validation and backend input blocking are aligned.

[Viicos]

So that the match statement correctly exhausts all possible cases

[sergei-maertens]

TIL

[Viicos]

That's a pyright only thing by the way, mypy will still understand it as a tuple of ints

[sergei-maertens]

BEFORE we merge this, I want to manually click through it as a final check :)

[sergei-maertens]

Seems fine, I created some weird situations where the config of the component is changed after the files have been uploaded/attached and it's all working intuitively.