Active Storage doesn't have validations yet.
We can restrict the accepted file types in the form:
<div class="field">
  <%= f.label :deliverable %>
  <%# accept only filters the browser's file picker; it is not enforced server-side %>
  <%= f.file_field :deliverable, direct_upload: true,
        accept: 'application/pdf,application/zip,application/vnd.openxmlformats-officedocument.wordprocessingml.document' %>
</div>
And add a custom validation in the model:
class Item < ApplicationRecord
  has_one_attached :document

  validate :correct_document_mime_type

  private

  # Checks the content type Active Storage recorded for the blob against an
  # allow-list; it does not look at the file's actual bytes.
  def correct_document_mime_type
    if document.attached? && !document.content_type.in?(%w(application/msword application/pdf))
      errors.add(:document, 'Must be a PDF or a DOC file')
    end
  end
end
Here's a tough one: I've had a client able to bypass content-type security like the above. Basically, they were able to upload a .png file with non-PNG file content:
I don't think content type (MIME type) checking is good enough to securely validate files. @phlegx, does that active_storage_validations gem do this level of content checking? Same question to @ConfusedVorlon with the gem they linked.
If not, does anyone have an idea of how to implement such a content check?
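One way to implement such a content check, added here as an example (it is not code from this thread, from Rails, or from the active_storage_validations gem), is to sniff the file's leading bytes (its magic number) and compare what they say with the content type the client declared. The `MagicSniff` module, its signature table and the `Item` validation below are assumed names; the validation assumes `direct_upload: true` as in the form above, so the blob is already uploaded when the record is validated and `document.download` returns its bytes. The sample inputs are constructed byte strings, not real files.

```ruby
require "stringio"

# Magic-number signatures for the types this example recognises.
# Assumption: extend the table with the types your application accepts.
module MagicSniff
  SIGNATURES = {
    "application/pdf"    => ["%PDF-".b],
    "image/png"          => ["\x89PNG\r\n\x1A\n".b],
    "image/jpeg"         => ["\xFF\xD8\xFF".b],
    # OLE2 compound document header used by legacy .doc files
    "application/msword" => ["\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1".b],
    # DOCX is a ZIP container, so it shares the ZIP local-file header with .zip;
    # telling the two apart needs a look inside the archive ([Content_Types].xml),
    # which is out of scope here.
    "application/zip"    => ["PK\x03\x04".b],
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document" => ["PK\x03\x04".b],
  }.freeze

  # Returns every content type whose signature matches the first bytes of io.
  # The stream is rewound so the caller can read it again.
  def self.detected_types(io)
    head = io.read(16).to_s.b
    io.rewind
    SIGNATURES.select { |_type, sigs| sigs.any? { |sig| head.start_with?(sig) } }.keys
  end

  # True only when the declared type is among those the bytes actually match.
  # A declared type we have no signature for is treated as inconsistent, so
  # unknown types are rejected rather than silently allowed.
  def self.consistent?(declared_type, io)
    detected_types(io).include?(declared_type)
  end

  # Returns nil when consistent, otherwise a message suitable for errors.add.
  def self.mismatch_message(declared_type, io)
    return nil if consistent?(declared_type, io)
    found = detected_types(io)
    actual = found.empty? ? "an unrecognised format" : found.join(" or ")
    "declared as #{declared_type} but the file content looks like #{actual}"
  end
end

# Rails wiring (assumed model name); the guard keeps this file loadable outside a
# Rails app so the sniffing logic above can be tested on its own.
if defined?(ApplicationRecord)
  class Item < ApplicationRecord
    has_one_attached :document
    validate :document_content_matches_declared_type

    private

    def document_content_matches_declared_type
      return unless document.attached?
      # document.content_type is what the client declared; document.download
      # gives the stored bytes (use document.open for very large files).
      io = StringIO.new(document.download)
      message = MagicSniff.mismatch_message(document.content_type, io)
      errors.add(:document, message) if message
    end
  end
end
```

The signature check catches the case above, a file named .png and declared as image/png whose bytes are something else, because the declared type is only accepted when the bytes agree with it. Active Storage already identifies blobs with Marcel (`Marcel::MimeType.for(io, name:, declared_type:)`), which does the same kind of sniffing against a much larger table, so in a real app comparing `document.content_type` with Marcel's result for the downloaded bytes is a reasonable alternative to maintaining your own signature list.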