Codebase hardening: 102 fixes across 35+ files

Deep audit identified 106 findings; 102 fixed, 4 deferred. Covers 8 areas:

- Settings & deploy: env-gated DEBUG/SECRET_KEY, HTTPS headers, gunicorn, celery worker
- Auth (registered_user): password write_only, request.data fixes, transaction safety, proper HTTP status codes
- Workout app: IDOR protection, get_object_or_404, prefetch_related N+1 fixes, transaction.atomic
- Video/scripts: path traversal sanitization, HLS trigger guard, auth on cache wipe
- Models (exercise/equipment/muscle/superset): null-safe __str__, stable IDs, prefetch support
- Generator views: helper for registered_user lookup, logger.exception, bulk_update, transaction wrapping
- Generator core (rules/selector/generator): push-pull ratio, type affinity normalization, modality checks, side-pair exact match, word-boundary regex, equipment cache clearing
- Generator services (plan_builder/analyzer/normalizer): transaction.atomic, muscle cache, bulk_update, glutes classification fix

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Trey t
2026-02-27 22:29:14 -06:00
parent 63b57a83ab
commit c80c66c2e5
58 changed files with 3363 additions and 1049 deletions


@@ -11,6 +11,7 @@ from rest_framework.permissions import IsAuthenticated
from rest_framework.decorators import authentication_classes
from rest_framework.decorators import permission_classes
from django.shortcuts import get_object_or_404
from django.db import transaction
import json
@@ -22,31 +23,35 @@ def all_registered_users(request):
@api_view(['POST'])
@authentication_classes([])
def create_registered_user(request):
_serializer = CreateRegisteredUserSerializer(data=request.data)
if not _serializer.is_valid():
return Response(_serializer.errors, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
return Response(_serializer.errors, status=status.HTTP_400_BAD_REQUEST)
email = request.data["email"]
if User.objects.filter(email=email):
# Note: DB unique constraint on email is the real guard against race conditions
if User.objects.filter(email=email).exists():
return Response({"email": [ "Email in use" ] }, status=status.HTTP_409_CONFLICT)
serializer = CreateRegisteredUserThroughUserSerializer(data=request.data)
if serializer.is_valid():
new_registered_user = serializer.save()
with transaction.atomic():
new_registered_user = serializer.save()
serializer = RegisteredUserSerializer(new_registered_user, many=False)
token = Token.objects.get(user=new_registered_user.user).key
token = get_object_or_404(Token, user=new_registered_user.user).key
data = serializer.data
data["token"] = token
return Response(data,status=status.HTTP_201_CREATED)
return Response(serializer.errors, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
@api_view(['POST'])
@authentication_classes([])
def login_registered_user(request):
email = request.data.get("email", "").strip()
password = request.data.get("password", "")
@@ -69,31 +74,31 @@ def login_registered_user(request):
data["token"] = token
return Response(data,status=status.HTTP_200_OK)
else:
return Response({"detail": "Invalid email or password"}, status=status.HTTP_404_NOT_FOUND)
return Response({"detail": "Invalid email or password"}, status=status.HTTP_401_UNAUTHORIZED)
@api_view(['POST'])
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def update_registered_user(request):
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_object_or_404(RegisteredUser, user=request.user)
email = request.data.get("email")
first_name = request.data.get("first_name")
last_name = request.data.get("last_name")
image = request.data.get("image")
email = request.POST.get("email")
first_name = request.POST.get("first_name")
last_name = request.POST.get("last_name")
image = request.POST.get("image")
registered_user.first_name = first_name
registered_user.last_name = last_name
registered_user.user.email = email
registered_user.image = image
registered_user.save()
registered_user.user.save()
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_object_or_404(RegisteredUser, user=request.user)
serializer = RegisteredUserSerializer(registered_user, many=False)
token = Token.objects.get(user=registered_user.user).key
token = get_object_or_404(Token, user=registered_user.user).key
data = serializer.data
data["token"] = token
return Response(data,status=status.HTTP_200_OK)
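Review bot: `update_registered_user` still writes every value pulled from `request.data` onto the models unvalidated (the `email = request.data.get("email")` … `registered_user.user.save()` run), so a client that omits `first_name`, `last_name`, `image` or `email` nulls that column, and an email change bypasses the `User.objects.filter(email=email).exists()` guard that `create_registered_user` applies, letting two accounts share an address (which presumably breaks the email-based lookup in `login_registered_user`, whose body is cut off here). The two `save()` calls are also not wrapped in `transaction.atomic()`, although this commit imports it and uses it in `create_registered_user`. I would assign only the fields the client actually sent, strip and uniqueness-check the email while excluding the caller's own `pk` (returning 409 as create does), and commit both rows in one transaction; a dedicated update serializer with `partial=True` would be cleaner still.
```python
def update_registered_user(request):
    registered_user = get_object_or_404(RegisteredUser, user=request.user)
    email = request.data.get("email")
    if email is not None:
        email = str(email).strip()
        # Mirror create_registered_user: refuse an address another account already uses.
        if User.objects.filter(email=email).exclude(pk=request.user.pk).exists():
            return Response({"email": ["Email in use"]}, status=status.HTTP_409_CONFLICT)
    # Only overwrite fields that were sent; a missing key must not null out a column.
    for field in ("first_name", "last_name", "image"):
        if field in request.data:
            setattr(registered_user, field, request.data[field])
    with transaction.atomic():
        if email is not None:
            registered_user.user.email = email
            registered_user.user.save()
        registered_user.save()
    # … unchanged: reload, serialize, attach token, return 200 …
```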
@@ -103,17 +108,17 @@ def update_registered_user(request):
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def update_password(request):
current_password = request.POST.get("current_password")
new_password = request.POST.get("new_password")
current_password = request.data.get("current_password")
new_password = request.data.get("new_password")
user = request.user
success = user.check_password(current_password)
if success:
if success:
user.set_password(new_password)
user.save()
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_object_or_404(RegisteredUser, user=request.user)
serializer = RegisteredUserSerializer(registered_user, many=False)
token = Token.objects.get(user=registered_user.user).key
token = get_object_or_404(Token, user=registered_user.user).key
data = serializer.data
data["token"] = token
return Response(data,status=status.HTTP_200_OK)
@@ -124,7 +129,7 @@ def update_password(request):
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def refresh(request):
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_object_or_404(RegisteredUser, user=request.user)
serializer = RegisteredUserSerializer(registered_user, many=False)
token = get_object_or_404(Token, user=registered_user.user).key
data = serializer.data