From f50d800710f78d21cc8ba1bd529dc85ab246c331 Mon Sep 17 00:00:00 2001
From: Wes Appler <wes@opentech.fund>
Date: Tue, 26 May 2026 13:25:01 -0400
Subject: [PATCH] Added upload (and debug) to whitelisted URLs, fixed tests

---
 hypha/apply/users/middleware.py            | 4 ++++
 hypha/apply/users/tests/test_middleware.py | 7 +++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/hypha/apply/users/middleware.py b/hypha/apply/users/middleware.py
index e632226ce4..6f2c7ef876 100644
--- a/hypha/apply/users/middleware.py
+++ b/hypha/apply/users/middleware.py
@@ -19,8 +19,12 @@
     "/logout/",
     "/account/",
     "/apply/submissions/success/",
+    "/upload/upload/",
 ]
 
+if settings.DEBUG:
+    TWO_FACTOR_EXEMPTED_PATH_PREFIXES.append("/__debug__/")
+
 
 def get_page_path(wagtail_page):
     _, _, page_path = wagtail_page.get_url_parts()
diff --git a/hypha/apply/users/tests/test_middleware.py b/hypha/apply/users/tests/test_middleware.py
index 1488bd7188..1b35a3d299 100644
--- a/hypha/apply/users/tests/test_middleware.py
+++ b/hypha/apply/users/tests/test_middleware.py
@@ -41,8 +41,11 @@ def test_unverified_user_can_access_allowed_urls(self):
             if "success" in path:
                 submission = ApplicationSubmissionFactory()
                 path = str(path) + f"{submission.id}/"
-            if "logout" in path:
+                response = self.client.get(path, follow=True)
+            elif "upload" in path:
+                response = self.client.post(path, HTTP_TUS_RESUMABLE=True)
+            elif "logout" in path:
                 response = self.client.post(path, follow=True)
             else:
                 response = self.client.get(path, follow=True)
-            self.assertEqual(response.status_code, 200)
+            self.assertIn(response.status_code, [200, 201])