From 6b789121c5b2264410b475f66955ac3378c4f285 Mon Sep 17 00:00:00 2001 From: level09 Date: Sat, 9 May 2026 11:22:19 +0300 Subject: [PATCH] fix(media-import): keep source=import signal alive across chunked uploads PR #312 replaced the referrer-based import_upload detection with a form field check. Dropzone drops its 'params' option on chunked POSTs, so request.form.get('source') returns None on every chunk, import_upload is False, and in S3 mode the chunk endpoint pushes uploads to S3 then removes the local copy. ETL then has nothing to read locally and every import fails with 'The filename given was either non existent or was a directory'. Move the signal to the URL query string. It rides along on every chunk POST regardless of how Dropzone shapes the body, with the same security posture as the form-body check (the admin role gate three lines down is the actual access control). --- enferno/admin/views/media.py | 6 ++++-- enferno/data_import/templates/media-import.html | 7 +++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/enferno/admin/views/media.py b/enferno/admin/views/media.py index 22c5554ba..14af3e33b 100644 --- a/enferno/admin/views/media.py +++ b/enferno/admin/views/media.py @@ -130,8 +130,10 @@ def api_medias_chunk() -> Response: """ file = request.files["file"] - # Check if upload is from the media import tool (Admin-only extended extensions) - import_upload = request.form.get("source") == "import" + # Check if upload is from the media import tool (Admin-only extended extensions). + # The source param lives in the query string because Dropzone drops `params` + # on chunked POSTs, so a form-body check returns None on every chunk. + import_upload = request.args.get("source") == "import" # validate file extensions based on user and source if import_upload: # uploads from media import tool diff --git a/enferno/data_import/templates/media-import.html b/enferno/data_import/templates/media-import.html index ccded6dc3..530407448 100644 
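Review bot: `source` is a client-chosen query parameter, so `import_upload = request.args.get("source") == "import"` can be set by any caller who reaches this endpoint, and the new comment does not say so. The commit message states that an admin role gate follows and is the real access control, but that check is outside this hunk, as is the rest of api_medias_chunk. Per the description the flag also decides whether a chunk is pushed to S3 and the local copy removed, so the gate has to run before either the extension list or the storage path is chosen. I would add a comment line such as `# 'source' is untrusted client input; it is honoured only after the Admin role check below.` and a regression test that a non-admin chunk POST with `?source=import` is refused.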
--- a/enferno/data_import/templates/media-import.html +++ b/enferno/data_import/templates/media-import.html @@ -377,7 +377,9 @@ batch_id: '', dzOpts: { - url: '/admin/api/media/chunk', + // source=import goes in the URL so it survives every chunk POST. + // Dropzone's `params` option is dropped on chunked requests. + url: '/admin/api/media/chunk?source=import', // accept any file acceptedFiles: document.querySelector('[data-allowed-media-types]').dataset.allowedMediaTypes, addRemoveLinks: true, @@ -388,9 +390,6 @@ thumbnailHeight: 80, parallelUploads: 1, maxFilesize: mediaUploadMaxFileSize, - // Signals the chunk endpoint to apply the Admin-only - // extended extension list (ETL_VID_EXT). - params: { source: 'import' }, },
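Review bot: The replacement comment on `url` explains why the flag moved to the query string but no longer says what the flag does. The deleted comment on `params` recorded that it makes the chunk endpoint apply the Admin-only extended extension list (ETL_VID_EXT). I would keep that pointer ahead of the two new comment lines, for example `// source=import selects the Admin-only extended extension list (ETL_VID_EXT) on the chunk endpoint.`, so a reader of the template knows the query string is security-relevant and not cosmetic. The dzOpts object starts and ends outside these hunks.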