diff --git a/.DS_Store b/.DS_Store
new file mode 100755
index 0000000000000000000000000000000000000000..c94171ef775f8dfbac7ea6ed40af6f87cef4032e
Binary files /dev/null and b/.DS_Store differ
diff --git a/core/migrations/0002_auto_20191012_2215.py b/core/migrations/0002_auto_20191012_2215.py
new file mode 100644
index 0000000000000000000000000000000000000000..fdd7a86a203bec3421ef8008ad89959bfb1d965a
--- /dev/null
+++ b/core/migrations/0002_auto_20191012_2215.py
@@ -0,0 +1,27 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.17 on 2019-10-12 15:15
+from __future__ import unicode_literals
+
+import core.models.accounts
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='student',
+            name='photo',
+            field=models.FileField(blank=True, null=True, upload_to=core.models.accounts.get_student_photo_file_path, validators=[django.core.validators.FileExtensionValidator([b'jpg', b'jpeg', b'png'])]),
+        ),
+        migrations.AlterField(
+            model_name='student',
+            name='resume',
+            field=models.FileField(blank=True, null=True, upload_to=core.models.accounts.get_student_resume_file_path, validators=[django.core.validators.FileExtensionValidator([b'pdf'])]),
+        ),
+    ]
diff --git a/core/migrations/0003_merge_20191012_2251.py b/core/migrations/0003_merge_20191012_2251.py
new file mode 100644
index 0000000000000000000000000000000000000000..413b589e98374c4a93fe75201b6d3a2a19b2a987
--- /dev/null
+++ b/core/migrations/0003_merge_20191012_2251.py
@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.17 on 2019-10-12 15:51
+from __future__ import unicode_literals
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0002_auto_20191012_2215'),
+        ('core', '0002_vacancy_benefits'),
+    ]
+
+    operations = [
+    ]
diff --git a/core/models/accounts.py b/core/models/accounts.py
old mode 100755
new mode 100644
index b299a712ae168a49ce26302e2da8578a77a2c219..2aeee60e60f64703f9a0662407aea2414bf81555
--- a/core/models/accounts.py
+++ b/core/models/accounts.py
@@ -4,7 +4,7 @@ import uuid
 from datetime import date
 from django.utils import timezone
 from django.contrib.auth.models import User
-from django.core.validators import MinValueValidator, MaxValueValidator, RegexValidator
+from django.core.validators import MinValueValidator, MaxValueValidator, RegexValidator, FileExtensionValidator
 from django.db import models
 
 from core.lib.validators import validate_document_file_extension, validate_image_file_extension, validate_npm
@@ -69,7 +69,7 @@ class Student(models.Model):
     updated = models.DateTimeField(auto_now=True)
     user = models.OneToOneField(User)
     npm = models.IntegerField(validators=[validate_npm], unique=True)
-    resume = models.FileField(upload_to=get_student_resume_file_path, null=True, blank=True, validators=[validate_document_file_extension])
+    resume = models.FileField(upload_to=get_student_resume_file_path, null=True, blank=True, validators=[FileExtensionValidator(['pdf'])])
     sertifikat = models.FileField(upload_to=get_student_sertifikat_file_path, null=True, blank=True, validators=[validate_document_file_extension])
     phone_number = models.CharField(max_length=100, blank=True, db_index=True, null=True, validators=[RegexValidator(r'^0\d{1,11}$')])
     gender = models.CharField(max_length=30, blank=True, null=True)
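Review bot: `FileExtensionValidator(['pdf'])` on `resume` checks only the suffix of the uploaded file name, so any content named `*.pdf` is accepted; the same applies to `photo` in the next hunk, and the new test in core/tests/test_accounts.py gets a 202 for non-image bytes named `test_img_file.jpg`. Django's documentation warns against relying on the extension to determine a file's type, so a content check is still needed: `models.ImageField` (Pillow-verified) for `photo`, and for `resume` a second validator that checks the `%PDF-` header, e.g. `validators=[FileExtensionValidator(['pdf']), validate_pdf_header]`, where `validate_pdf_header` is a new helper (placeholder name). `sertifikat` on the line below still uses `validate_document_file_extension`, so the two document fields may now accept different sets of files unless that is intended. The `Student` class begins and ends outside this hunk.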
@@ -81,8 +81,8 @@ class Student(models.Model):
     major = models.CharField(max_length=30, blank=True, null=True)
     batch = models.CharField(max_length=4, blank=True, null=True)
     show_transcript = models.BooleanField(default=False)
+    photo = models.FileField(upload_to=get_student_photo_file_path, null=True, blank=True, validators=[FileExtensionValidator(['jpg', 'jpeg', 'png'])]) 
     self_description = models.CharField(max_length=500, blank=True, db_index=True, null=True)
-    photo = models.FileField(upload_to=get_student_photo_file_path, null=True, blank=True, validators=[validate_image_file_extension])
     portfolio_link = models.URLField(blank=True, null=True)
     linkedin_url = models.URLField(max_length=200,blank=True, null=True)
     hackerrank_url = models.URLField(max_length=200,blank=True, null=True)
diff --git a/core/tests/test_accounts.py b/core/tests/test_accounts.py
index f55730744c9e63f6bcdc80dbba8ca22ef54423b3..6f74af3d037e32237d66be9f2d15a5c0940aa9fc 100644
--- a/core/tests/test_accounts.py
+++ b/core/tests/test_accounts.py
@@ -4,6 +4,7 @@ from rest_framework import status
 from rest_framework.test import APIClient, APITestCase
 from django.contrib.auth.models import User
 from django.core.exceptions import ValidationError
+from StringIO import StringIO
 from core.models.accounts import Company, Supervisor, Student, get_current_age
 
 
@@ -146,7 +147,7 @@ class ProfileUpdateTests(APITestCase):
                 "angkatan": "2017"
             }]
         }, status_code=200)
-        print("Hello World!")
+        
         url = '/api/login/'
         response = self.client.post(url, {'username': 'dummy.mahasiswa', 'password': 'lalala', 'login-type': 'sso-ui'},
                                     format='json')
@@ -250,6 +251,41 @@ class ProfileUpdateTests(APITestCase):
         self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)
         self.assertEqual(response.data.get('intro'), 'Saya tertarik dengan dunia front-end development')
 
+    @requests_mock.Mocker()
+    def test_student_profile_update_filetype_validation(self, m):
+        m.get('https://akun.cs.ui.ac.id/oauth/token/verify/?client_id=X3zNkFmepkdA47ASNMDZRX3Z9gqSU1Lwywu5WepG', json={"username": 'dummy.mahasiswa', "role": 'mahasiswa', "identity_number": '1234567890'}, status_code=200)
+        m.post('https://api.cs.ui.ac.id/authentication/ldap/v2/', json={
+            "username": "dummy.mahasiswa",
+            "nama": "Dummy Mahasiswa",
+            "state": 1,
+            "kode_org": "01.00.12.01:mahasiswa",
+            "kodeidentitas": "1234567890",
+            "nama_role": "mahasiswa"
+        }, status_code=200)
+        m.get('https://api.cs.ui.ac.id/siakngcs/mahasiswa/1234567890?client_id=X3zNkFmepkdA47ASNMDZRX3Z9gqSU1Lwywu5WepG', json={
+            "kota_lahir": "kota_kota",
+            "tgl_lahir": "2017-12-31",
+            "program": [{
+                "nm_org": "Ilmu Informasi",
+                "angkatan": "2017"
+            }]
+        }, status_code=200)
+
+        url = '/api/login/'
+        response = self.client.post(url, {'username': 'dummy.mahasiswa', 'password': 'lalala', 'login-type': 'sso-ui'},
+                                    format='json')
+        student_id = response.data.get('student').get('id')
+
+        url = '/api/students/' + str(student_id) + '/profile/'
+        imgfile = StringIO('JPG\x01\x00\x01\x00\x80\x01\x00\x00\x00\x00ccc,\x00'
+                     '\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;')
+        imgfile.name = 'test_img_file.jpg'
+        response = self.client.patch(url, {'photo': imgfile}, format='multipart')
+        self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)
+
+        imgfile.name = 'test_img_file.pdf'
+        response = self.client.patch(url, {'photo': imgfile}, format='multipart')
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
         url = '/api/students/' + str(student_id) + "/profile/"
         data = self._create_test_file_pdf('./assets/img/UI.png')
         response = self.client.patch(url, data, format='multipart')
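Review bot: The new `test_student_profile_update_filetype_validation` is inserted in the middle of an existing test: the three context lines after its last assertion (`url = ...`, `data = self._create_test_file_pdf('./assets/img/UI.png')`, `response = self.client.patch(url, data, format='multipart')`) now belong to the new method, and the preceding test ends at the `intro` assertion without them. Nothing fails, because `student_id` is also defined in the new method, so the lost coverage is silent. The new method should be moved to after the end of the enclosing test, whose remainder lies outside this hunk. Separately, `from StringIO import StringIO` in the first hunk of this file exists only on Python 2; `io.BytesIO(b'...')` with the same `.name` assignment works for a binary upload on both versions.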