diff --git a/ansible/roles/ckan/files/patches/fix_detection_of_xlsx_mimetype.patch b/ansible/roles/ckan/files/patches/fix_detection_of_xlsx_mimetype.patch
new file mode 100644
index 000000000..fd35d1301
--- /dev/null
+++ b/ansible/roles/ckan/files/patches/fix_detection_of_xlsx_mimetype.patch
@@ -0,0 +1,13 @@
+diff --git a/ckan/lib/uploader.py b/ckan/lib/uploader.py
+index ec4a6dfd0..360ebfbe0 100644
+--- a/ckan/lib/uploader.py
++++ b/ckan/lib/uploader.py
+@@ -220,7 +220,7 @@ class Upload(object):
+         if not mimetypes and not types:
+             return
+ 
+-        actual = magic.from_buffer(self.upload_file.read(1024), mime=True)
++        actual = magic.from_buffer(self.upload_file.read(2048), mime=True)
+         self.upload_file.seek(0, os.SEEK_SET)
+         err = {self.file_field: [
+             "Unsupported upload type: {actual}".format(actual=actual)]}
diff --git a/ansible/roles/ckan/templates/ckan.ini.j2 b/ansible/roles/ckan/templates/ckan.ini.j2
index 8e0d0b995..6d09a3673 100644
--- a/ansible/roles/ckan/templates/ckan.ini.j2
+++ b/ansible/roles/ckan/templates/ckan.ini.j2
@@ -160,6 +160,10 @@ ckan.tracking_enabled = true
 
 ckan.max_resource_size = {{ ckan_max_resource_size }}
 
+ckan.upload.apply_permission.mimetypes = application/pdf image/png image/jpeg application/msword application/vnd.openxmlformats-officedocument.wordprocessingml.document application/vnd.ms-excel application/vnd.openxmlformats-officedocument.spreadsheetml.sheet application/vnd.ms-powerpoint application/vnd.openxmlformats-officedocument.presentationml.presentation application/vnd.oasis.opendocument.text application/vnd.oasis.opendocument.spreadsheet text/plain
+ckan.upload.apply_permission.types = application image text
+
+
 [loggers]
 
 keys = root, ckan, ckanext
diff --git a/ansible/roles/ckan/vars/main.yml b/ansible/roles/ckan/vars/main.yml
index 7570fa9e9..e12231a41 100644
--- a/ansible/roles/ckan/vars/main.yml
+++ b/ansible/roles/ckan/vars/main.yml
@@ -33,6 +33,7 @@ ckan_patches:
   - { file: "email_attachment" }
   - { file: "fix_updating_resource_filesize" } # https://github.com/ckan/ckan/pull/7103
   - { file: "fix_resource_delete_auth" } # https://github.com/ckan/ckan/pull/7132
+  - { file: "fix_detection_of_xlsx_mimetype"} # https://github.com/ckan/ckan/pull/8088
 
 files_created_by_patches:
   - { file: '/usr/lib/ckan/default/src/ckan/ckan/lib/csrf_token.py'}
diff --git a/ckanext/ckanext-apply_permissions_for_service/ckanext/apply_permissions_for_service/views.py b/ckanext/ckanext-apply_permissions_for_service/ckanext/apply_permissions_for_service/views.py
index 11db38e84..92ec90e79 100644
--- a/ckanext/ckanext-apply_permissions_for_service/ckanext/apply_permissions_for_service/views.py
+++ b/ckanext/ckanext-apply_permissions_for_service/ckanext/apply_permissions_for_service/views.py
@@ -244,7 +244,11 @@ def settings_post(context, subsystem_id):
     if (data_dict.get('delivery_method') == 'file' and data_dict.get('file_url', None)):
         upload.update_data_dict(data_dict, 'file_url',
                                 'file', 'clear_upload')
-        upload.upload(max_size=uploader.get_max_resource_size())
+
+        try:
+            upload.upload(max_size=uploader.get_max_resource_size())
+        except toolkit.ValidationError as e:
+            return settings_get(context, subsystem_id, e.error_dict, values=data_dict)
 
         file_url = data_dict.get('file_url', '')
         if re.match('https?:', file_url) is None: