Read only submission report content

[robinmolen]

Closes open-formulieren/security-issues#34

Changes

The submission report content is now read-only in the admin

Checklist

Check off the items that are completed or not relevant.

• Impact on features

  • Checked copying a form
  • Checked import/export of a form
  • Config checks in the configuration overview admin page
  • Problem detection in the admin email digest is handled

• Release management

  • I have labelled the PR as "needs-backport" accordingly

• I have updated the translations assets (you do NOT need to provide translations)

  • Ran ./bin/makemessages_js.sh
  • Ran ./bin/compilemessages_js.sh

• Dockerfile/scripts

  • Updated the Dockerfile with the necessary scripts from the ./bin folder

• Commit hygiene

  • Commit messages refer to the relevant Github issue
  • Commit messages explain the "why" of change, not the how

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.74%. Comparing base (a1a1b00) to head (8973645).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #5100   +/-   ##
=======================================
  Coverage   96.74%   96.74%           
=======================================
  Files         771      771           
  Lines       26636    26638    +2     
  Branches     3467     3467           
=======================================
+ Hits        25770    25772    +2     
  Misses        605      605           
  Partials      261      261           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[sergei-maertens]

Additionally I'd configure the PrivateMediaMixin so that the files are not downloaded with inline directives in the Content-Disposition header. I think you should be able to get there with:

• https://django-privates.readthedocs.io/en/latest/reference.html#privates.admin.PrivateMediaMixin.get_private_media_view_options to pass django-sendfile2 options to the underlying view. Should be achievable with the private_media_view_options attribute on the admin class.
• passing attachment=True to https://django-sendfile2.readthedocs.io/en/latest/django_sendfile.utils.html#django_sendfile.utils.sendfile

The sendfile options are consumed here: https://github.com/sergei-maertens/django-privates/blob/27c7391ef82479f5d99fb6542647ab999b3ebd2a/privates/views.py#L38

[sergei-maertens]

why do you specify these explicitly? by default all model fields are used iirc. I'd expect this not to be necessary.