Codebase hardening: 102 fixes across 35+ files

Deep audit identified 106 findings; 102 fixed, 4 deferred. Covers 8 areas: - Settings & deploy: env-gated DEBUG/SECRET_KEY, HTTPS headers, gunicorn, celery worker - Auth (registered_user): password write_only, request.data fixes, transaction safety, proper HTTP status codes - Workout app: IDOR protection, get_object_or_404, prefetch_related N+1 fixes, transaction.atomic - Video/scripts: path traversal sanitization, HLS trigger guard, auth on cache wipe - Models (exercise/equipment/muscle/superset): null-safe __str__, stable IDs, prefetch support - Generator views: helper for registered_user lookup, logger.exception, bulk_update, transaction wrapping - Generator core (rules/selector/generator): push-pull ratio, type affinity normalization, modality checks, side-pair exact match, word-boundary regex, equipment cache clearing - Generator services (plan_builder/analyzer/normalizer): transaction.atomic, muscle cache, bulk_update, glutes classification fix Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 22:29:14 -06:00
parent 63b57a83ab
commit c80c66c2e5
58 changed files with 3363 additions and 1049 deletions
--- a/registered_user/serializers.py
+++ b/registered_user/serializers.py
@@ -2,6 +2,7 @@ from rest_framework import serializers
 from .models import RegisteredUser
 from django.contrib.auth.models import User
 from rest_framework.authtoken.models import Token
+from django.db import transaction


 class RegisteredUserSerializer(serializers.ModelSerializer):
@@ -28,25 +29,25 @@ class CreateRegisteredUserThroughUserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ('id', 'password', 'email', 'first_name', 'last_name')
-        write_only_fields = ('password',)
+        extra_kwargs = {'password': {'write_only': True}}
        read_only_fields = ('id',)

    def create(self, validated_data):
-        user = User.objects.create(
-            username=validated_data['email'],
-            email=validated_data['email'],
-            first_name=validated_data['first_name'],
-            last_name=validated_data['last_name']
-        )
+        with transaction.atomic():
+            user = User.objects.create(
+                username=validated_data['email'],
+                email=validated_data['email'],
+                first_name=validated_data['first_name'],
+                last_name=validated_data['last_name']
+            )

-        user.set_password(validated_data['password'])
-        user.save()
+            user.set_password(validated_data['password'])
+            user.save()

-        reg_user = RegisteredUser.objects.create(
-            phone_number=self.context.get("phone_number"),
-            user=user,
-            first_name=validated_data['first_name'],
-            last_name=validated_data['last_name']
-        )
-        Token.objects.create(user=user)
-        return reg_user
+            reg_user = RegisteredUser.objects.create(
+                user=user,
+                first_name=validated_data['first_name'],
+                last_name=validated_data['last_name']
+            )
+            Token.objects.create(user=user)
+            return reg_user