Add and correct form validation

src/shiftings/accounts/forms/user_form.py

@@ -1,9 +1,11 @@
-from typing import Any, Dict
+from typing import Any, Optional
 
 from django import forms
+from django.contrib.auth.password_validation import get_password_validators, validate_password
 from django.utils.translation import gettext_lazy as _
 
 from shiftings.accounts.models import User
+from shiftings.settings import AUTH_PASSWORD_VALIDATORS
 
 
 class UserCreateForm(forms.ModelForm):
@@ -26,11 +28,16 @@ def clean(self) -> Dict[str, Any]:
         password = cleaned_data['password']
         confirm_password = cleaned_data['confirm_password']
         if password != confirm_password:
-            raise forms.ValidationError(
-                _('Please enter matching passwords')
-            )
-        return cleaned_data
+            self.add_error('password', _('Please enter matching passwords'))
+            self.add_error('confirm_password', _('Please enter matching passwords'))
+
+        # validate password using Django's built-in validators
+        try:
+            validate_password(password, user=None, password_validators=get_password_validators(AUTH_PASSWORD_VALIDATORS))
+        except forms.ValidationError as e:
+            self.add_error('password', e)
 
+        return cleaned_data
 
 class UserUpdateForm(forms.ModelForm):
     class Meta:
@@ -47,3 +54,13 @@ def __init__(self, *args: Any, **kwargs: Any) -> None:
             self.fields['first_name'].disabled = True
             self.fields['last_name'].disabled = True
             self.fields['email'].disabled = True
+
+    def clean(self) -> Optional[dict[str, Any]]:
+        cleaned_data = super().clean()
+        if hasattr(self.instance, 'ldap_user'):
+            # if this is an ldap user, ensure that the fields are not changed
+            if (cleaned_data.get('first_name') != self.instance.first_name or
+                cleaned_data.get('last_name') != self.instance.last_name or
+                cleaned_data.get('email') != self.instance.email):
+                raise forms.ValidationError(_('Cannot change first name, last name or email for LDAP users.'))
+        return cleaned_data

src/shiftings/mail/forms/mail.py

@@ -1,6 +1,9 @@
+from typing import Any, Optional
+
 from django import forms
 from django.utils.translation import gettext_lazy as _
 
+from shiftings.mail.settings import MAX_ATTACHMENT_SIZE_MB, MAX_TOTAL_ATTACHMENT_SIZE_MB
 from shiftings.organizations.models import MembershipType, Organization
 from shiftings.shifts.models import ShiftType
 from shiftings.utils.fields.date_time import DateTimeFormField
@@ -14,6 +17,19 @@ class MailForm(forms.Form):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.fields['attachments'].widget.attrs['multiple'] = True
+
+    def clean(self) -> dict[str, Any]:
+        cleaned_data = super().clean()
+        attachments = self.files.getlist('attachments')
+        for attachment in attachments:
+            if attachment.size > MAX_ATTACHMENT_SIZE_MB * 1024 * 1024: # Convert MB to bytes
+                self.add_error('attachments', _('Each attachment must be smaller than 10 MB.'))
+                break
+
+        if sum(attachment.size for attachment in attachments) > MAX_TOTAL_ATTACHMENT_SIZE_MB * 1024 * 1024:
+            self.add_error('attachments', _('Total attachment size must be smaller than 25 MB.'))
+
+        return cleaned_data
 
 
 class OrganizationMailForm(MailForm):
@@ -46,3 +62,11 @@ def __init__(self, organization: Organization, *args, **kwargs):
         self.organization = organization
 
         self.fields['shift_types'].queryset = organization.shift_types
+
+    def clean(self) -> Optional[dict[str, Any]]:
+        cleaned_data = super().clean()
+        start = cleaned_data.get('start')
+        end = cleaned_data.get('end')
+        if start and end and start > end:
+            raise forms.ValidationError(_('Start time must be before end time.'))
+        return cleaned_data

src/shiftings/mail/settings.py

@@ -0,0 +1,2 @@
+MAX_ATTACHMENT_SIZE_MB : int = 10
+MAX_TOTAL_ATTACHMENT_SIZE_MB : int = 25

src/shiftings/shifts/forms/shift.py

@@ -36,7 +36,7 @@ def clean(self) -> Dict[str, Any]:
         start = cleaned_data.get('start')
         end = cleaned_data.get('end')
         if start and end and start > end:
-            self.add_error('end', ValidationError(_('End time must be after start time')))
+            raise ValidationError(_('End time must be after start time'))
 
         ## TODO: raise form error if not valid, but first implement proper error display in template
         max_length = timedelta(minutes=settings.MAX_SHIFT_LENGTH_MINUTES)