Codebase hardening: 102 fixes across 35+ files
Deep audit identified 106 findings; 102 fixed, 4 deferred. Covers 8 areas: - Settings & deploy: env-gated DEBUG/SECRET_KEY, HTTPS headers, gunicorn, celery worker - Auth (registered_user): password write_only, request.data fixes, transaction safety, proper HTTP status codes - Workout app: IDOR protection, get_object_or_404, prefetch_related N+1 fixes, transaction.atomic - Video/scripts: path traversal sanitization, HLS trigger guard, auth on cache wipe - Models (exercise/equipment/muscle/superset): null-safe __str__, stable IDs, prefetch support - Generator views: helper for registered_user lookup, logger.exception, bulk_update, transaction wrapping - Generator core (rules/selector/generator): push-pull ratio, type affinity normalization, modality checks, side-pair exact match, word-boundary regex, equipment cache clearing - Generator services (plan_builder/analyzer/normalizer): transaction.atomic, muscle cache, bulk_update, glutes classification fix Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Trey t
@@ -30,10 +30,14 @@ def create_all_exercise_list_for_workout(workout):
|
||||
data["audio_queues"] = audio_queues
|
||||
all_superset_exercise.append(data)
|
||||
|
||||
supersets = Superset.objects.filter(workout=workout).order_by('order')
|
||||
# Fix #17: N+1 - add prefetch_related to avoid per-superset queries
|
||||
supersets = Superset.objects.filter(workout=workout).order_by('order').prefetch_related(
|
||||
'supersetexercise_set__exercise'
|
||||
)
|
||||
order = 2
|
||||
for superset_count, superset in enumerate(supersets):
|
||||
supersetExercises = SupersetExercise.objects.filter(superset=superset).order_by('order')
|
||||
# Use prefetched data instead of re-querying (N+1 fix)
|
||||
supersetExercises = sorted(superset.supersetexercise_set.all(), key=lambda se: se.order)
|
||||
for x in range(superset.rounds):
|
||||
for exercise_idx, exercise in enumerate(supersetExercises):
|
||||
exercise.order = order
|
||||
@@ -68,7 +72,9 @@ def create_all_exercise_list_for_workout(workout):
|
||||
|
||||
elif len(supersets) > superset_count+1:
|
||||
next_superset = supersets[superset_count+1]
|
||||
next_supersetExercises = SupersetExercise.objects.filter(superset=next_superset).order_by('order').first()
|
||||
# Use prefetched data instead of re-querying
|
||||
next_superset_exercises = sorted(next_superset.supersetexercise_set.all(), key=lambda se: se.order)
|
||||
next_supersetExercises = next_superset_exercises[0] if next_superset_exercises else None
|
||||
|
||||
next_up_data = {
|
||||
"audio_url": next_supersetExercises.exercise.audio_url().lower(),
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
from django.db import models
|
||||
from django.conf import settings
|
||||
from exercise.models import *
|
||||
from registered_user.models import RegisteredUser
|
||||
|
||||
@@ -21,7 +22,7 @@ class Workout(models.Model):
|
||||
RegisteredUser,
|
||||
on_delete=models.CASCADE
|
||||
)
|
||||
estimated_time = models.FloatField(max_length=255, blank=True, null=True)
|
||||
estimated_time = models.FloatField(blank=True, null=True)
|
||||
|
||||
def __str__(self):
|
||||
return str(self.id) + ": " + self.name + " - " + (self.description or "") + " - by: " + str(self.registered_user.first_name) + " - on: " + str(self.created_at)
|
||||
@@ -39,9 +40,9 @@ class WorkoutExercise(models.Model):
|
||||
on_delete=models.CASCADE,
|
||||
related_name='workout_exercise_exercise'
|
||||
)
|
||||
weight = models.IntegerField(null=True, blank=True, max_length=4)
|
||||
reps = models.IntegerField(null=True, blank=True, max_length=4)
|
||||
duration = models.IntegerField(null=True, blank=True, max_length=4)
|
||||
weight = models.IntegerField(null=True, blank=True)
|
||||
reps = models.IntegerField(null=True, blank=True)
|
||||
duration = models.IntegerField(null=True, blank=True)
|
||||
|
||||
def __str__(self):
|
||||
return self.workout.name + " : " + self.exercise.name
|
||||
|
||||
@@ -34,11 +34,13 @@ class CompleteWorkoutSerializer(serializers.ModelSerializer):
|
||||
difficulty=validated_data['difficulty'],
|
||||
total_time=validated_data['total_time'],
|
||||
workout_start_time=validated_data['workout_start_time'],
|
||||
notes=validated_data['notes']
|
||||
# Fix #5: KeyError 'notes' - use .get() with default
|
||||
notes=validated_data.get('notes', '')
|
||||
)
|
||||
if "health_kit_workout_uuid" in validated_data:
|
||||
completed_workout.workout_uuid = validated_data['health_kit_workout_uuid']
|
||||
completed_workout.save()
|
||||
# Fix #6: wrong attribute name - model field is health_kit_workout_uuid
|
||||
completed_workout.health_kit_workout_uuid = validated_data['health_kit_workout_uuid']
|
||||
completed_workout.save()
|
||||
return completed_workout
|
||||
|
||||
class WorkoutSerializer(serializers.ModelSerializer):
|
||||
@@ -53,25 +55,48 @@ class WorkoutSerializer(serializers.ModelSerializer):
|
||||
fields = '__all__'
|
||||
# depth = 1
|
||||
|
||||
def get_muscles(self, obj):
|
||||
def get_muscles(self, obj):
|
||||
# Fix #16: Use prefetched data when available, fall back to query
|
||||
if hasattr(obj, '_prefetched_objects_cache') and 'superset_set' in obj._prefetched_objects_cache:
|
||||
exercise_ids = []
|
||||
for superset in obj.superset_set.all():
|
||||
for se in superset.supersetexercise_set.all():
|
||||
exercise_ids.append(se.exercise_id)
|
||||
if not exercise_ids:
|
||||
return []
|
||||
muscles_names = ExerciseMuscle.objects.filter(exercise__id__in=exercise_ids).values_list('muscle__name', flat=True)
|
||||
return list(set(muscles_names))
|
||||
superset_ids = Superset.objects.filter(workout=obj).values_list('id')
|
||||
exercise_ids = SupersetExercise.objects.filter(superset__id__in=superset_ids).values_list('exercise__id')
|
||||
muscles_names = ExerciseMuscle.objects.filter(exercise__id__in=exercise_ids).values_list('muscle__name', flat=True)
|
||||
return list(set(muscles_names))
|
||||
|
||||
# muscles_names = ExerciseMuscle.objects.filter(exercise__id__in=exercises).values_list('muscle__name', flat=True)
|
||||
# return list(set(muscles_names))
|
||||
|
||||
def get_equipment(self, obj):
|
||||
|
||||
def get_equipment(self, obj):
|
||||
# Fix #16: Use prefetched data when available, fall back to query
|
||||
if hasattr(obj, '_prefetched_objects_cache') and 'superset_set' in obj._prefetched_objects_cache:
|
||||
exercise_ids = []
|
||||
for superset in obj.superset_set.all():
|
||||
for se in superset.supersetexercise_set.all():
|
||||
exercise_ids.append(se.exercise_id)
|
||||
if not exercise_ids:
|
||||
return []
|
||||
equipment_names = WorkoutEquipment.objects.filter(exercise__id__in=exercise_ids).values_list('equipment__name', flat=True)
|
||||
return list(set(equipment_names))
|
||||
superset_ids = Superset.objects.filter(workout=obj).values_list('id')
|
||||
exercise_ids = SupersetExercise.objects.filter(superset__id__in=superset_ids).values_list('exercise__id')
|
||||
exercise_ids = SupersetExercise.objects.filter(superset__id__in=superset_ids).values_list('exercise__id')
|
||||
equipment_names = WorkoutEquipment.objects.filter(exercise__id__in=exercise_ids).values_list('equipment__name', flat=True)
|
||||
return list(set(equipment_names))
|
||||
|
||||
def get_exercise_count(self, obj):
|
||||
|
||||
def get_exercise_count(self, obj):
|
||||
# Fix #16: Use prefetched data when available, fall back to query
|
||||
returnValue = 0
|
||||
if hasattr(obj, '_prefetched_objects_cache') and 'superset_set' in obj._prefetched_objects_cache:
|
||||
for superset in obj.superset_set.all():
|
||||
exercise_count = len(superset.supersetexercise_set.all())
|
||||
returnValue += (superset.rounds * exercise_count)
|
||||
return returnValue
|
||||
supersets = Superset.objects.filter(workout=obj)
|
||||
for superset in supersets:
|
||||
for superset in supersets:
|
||||
exercise_count = SupersetExercise.objects.filter(superset=superset).count()
|
||||
returnValue += (superset.rounds * exercise_count)
|
||||
return returnValue
|
||||
@@ -106,8 +131,7 @@ class WorkoutDetailSerializer(serializers.ModelSerializer):
|
||||
return data
|
||||
|
||||
def get_registered_user(self, obj):
|
||||
objs = RegisteredUser.objects.get(pk=obj.registered_user.pk)
|
||||
data = GetRegisteredUserSerializer(objs, many=False).data
|
||||
data = GetRegisteredUserSerializer(obj.registered_user, many=False).data
|
||||
return data
|
||||
|
||||
class GetCompleteWorkoutSerializer(serializers.ModelSerializer):
|
||||
@@ -142,5 +166,5 @@ class POSTPlannedWorkoutSerializer(serializers.ModelSerializer):
|
||||
workout=validated_data['workout'],
|
||||
on_date=validated_data['on_date']
|
||||
)
|
||||
planned_workout.save()
|
||||
# Fix #18: removed redundant save() right after create()
|
||||
return planned_workout
|
||||
169
workout/tasks.py
169
workout/tasks.py
@@ -1,12 +1,16 @@
|
||||
from celery import shared_task
|
||||
import json
|
||||
import os
|
||||
import logging
|
||||
from .models import *
|
||||
from .serializers import *
|
||||
from django.core.cache import cache
|
||||
from django.db import transaction
|
||||
from superset.models import Superset, SupersetExercise
|
||||
from exercise.models import Exercise
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@shared_task()
|
||||
def add_from_files_tasks():
|
||||
sample_urls = [{
|
||||
@@ -16,86 +20,111 @@ def add_from_files_tasks():
|
||||
"file": os.getcwd() + "/workout/cho_all_workouts.json",
|
||||
"user_id": 6
|
||||
}]
|
||||
|
||||
|
||||
for sample_url in sample_urls:
|
||||
with open(sample_url["file"]) as user_file:
|
||||
file_contents = user_file.read()
|
||||
parsed_json = json.loads(file_contents)
|
||||
|
||||
|
||||
# Fix #7: wrap in try/except so DoesNotExist doesn't crash Celery task
|
||||
try:
|
||||
registered_user = RegisteredUser.objects.get(pk=sample_url["user_id"])
|
||||
except RegisteredUser.DoesNotExist:
|
||||
logger.error("RegisteredUser with id=%s does not exist, skipping file %s",
|
||||
sample_url["user_id"], sample_url["file"])
|
||||
continue
|
||||
|
||||
for item in parsed_json:
|
||||
workout_name = item["name"]
|
||||
workout_description = item["description"]
|
||||
workout_created = item["created"]
|
||||
|
||||
workout_obj = Workout.objects.create(
|
||||
registered_user = RegisteredUser.objects.get(pk=sample_url["user_id"]),
|
||||
description = workout_description,
|
||||
name = workout_name,
|
||||
created_at = workout_created
|
||||
)
|
||||
|
||||
workout_obj.save()
|
||||
workout_obj.created_at = workout_created
|
||||
workout_obj.save(update_fields=['created_at'])
|
||||
workout_total_time = 0
|
||||
|
||||
supersets = item["supersets"]
|
||||
superset_order = 1
|
||||
for superset in supersets:
|
||||
superset_name = superset["name"]
|
||||
superset_rounds = superset["rounds"]
|
||||
|
||||
superset_obj = Superset.objects.create(
|
||||
workout=workout_obj,
|
||||
name=superset_name,
|
||||
rounds=superset_rounds,
|
||||
order=superset_order
|
||||
)
|
||||
|
||||
superset_obj.save()
|
||||
|
||||
superset_order += 1
|
||||
|
||||
exercises = superset["exercises"]
|
||||
exercise_order = 1
|
||||
|
||||
superset_total_time = 0
|
||||
for exercise in exercises:
|
||||
side = exercise["side"]
|
||||
name = exercise["name"]
|
||||
|
||||
duration = exercise["duration"]
|
||||
reps = exercise["reps"]
|
||||
side = exercise["side"]
|
||||
|
||||
exercise_obj = None
|
||||
if len(side) > 0:
|
||||
exercise_obj = Exercise.objects.get(name=name, side=side)
|
||||
else:
|
||||
exercise_obj = Exercise.objects.get(name=name, side="")
|
||||
|
||||
supersetExercise = SupersetExercise.objects.create(
|
||||
superset=superset_obj,
|
||||
exercise=exercise_obj,
|
||||
order=exercise_order
|
||||
# Fix #11: wrap bulk operations in transaction.atomic()
|
||||
try:
|
||||
with transaction.atomic():
|
||||
workout_obj = Workout.objects.create(
|
||||
registered_user = registered_user,
|
||||
description = workout_description,
|
||||
name = workout_name,
|
||||
created_at = workout_created
|
||||
)
|
||||
|
||||
if reps != 0:
|
||||
supersetExercise.reps = reps
|
||||
superset_total_time += reps * exercise_obj.estimated_rep_duration
|
||||
if reps == 0 and duration != 0:
|
||||
supersetExercise.duration = duration
|
||||
superset_total_time += exercise["duration"]
|
||||
supersetExercise.save()
|
||||
|
||||
exercise_order += 1
|
||||
# Fix #18: removed first redundant save() after create()
|
||||
# Need the second save to override auto_now_add on created_at
|
||||
workout_obj.created_at = workout_created
|
||||
workout_obj.save(update_fields=['created_at'])
|
||||
workout_total_time = 0
|
||||
|
||||
superset_obj.estimated_time = superset_total_time
|
||||
superset_obj.save()
|
||||
supersets = item["supersets"]
|
||||
superset_order = 1
|
||||
for superset in supersets:
|
||||
superset_name = superset["name"]
|
||||
superset_rounds = superset["rounds"]
|
||||
|
||||
workout_total_time += (superset_total_time * superset_rounds)
|
||||
|
||||
workout_obj.estimated_time = workout_total_time
|
||||
workout_obj.save()
|
||||
|
||||
cache.delete('all_workouts')
|
||||
superset_obj = Superset.objects.create(
|
||||
workout=workout_obj,
|
||||
name=superset_name,
|
||||
rounds=superset_rounds,
|
||||
order=superset_order
|
||||
)
|
||||
# Fix #18: removed redundant save() right after create()
|
||||
|
||||
superset_order += 1
|
||||
|
||||
exercises = superset["exercises"]
|
||||
exercise_order = 1
|
||||
|
||||
superset_total_time = 0
|
||||
for exercise in exercises:
|
||||
side = exercise["side"]
|
||||
name = exercise["name"]
|
||||
|
||||
duration = exercise["duration"]
|
||||
reps = exercise["reps"]
|
||||
side = exercise["side"]
|
||||
|
||||
# Fix #7: wrap Exercise.objects.get in try/except
|
||||
try:
|
||||
exercise_obj = None
|
||||
if len(side) > 0:
|
||||
exercise_obj = Exercise.objects.get(name=name, side=side)
|
||||
else:
|
||||
exercise_obj = Exercise.objects.get(name=name, side="")
|
||||
except Exercise.DoesNotExist:
|
||||
logger.error("Exercise '%s' (side='%s') does not exist, skipping",
|
||||
name, side)
|
||||
exercise_order += 1
|
||||
continue
|
||||
|
||||
supersetExercise = SupersetExercise.objects.create(
|
||||
superset=superset_obj,
|
||||
exercise=exercise_obj,
|
||||
order=exercise_order
|
||||
)
|
||||
|
||||
if reps != 0:
|
||||
supersetExercise.reps = reps
|
||||
# Fix #4: None multiplication risk
|
||||
superset_total_time += reps * (exercise_obj.estimated_rep_duration or 3.0)
|
||||
if reps == 0 and duration != 0:
|
||||
supersetExercise.duration = duration
|
||||
superset_total_time += exercise["duration"]
|
||||
supersetExercise.save()
|
||||
|
||||
exercise_order += 1
|
||||
|
||||
superset_obj.estimated_time = superset_total_time
|
||||
superset_obj.save()
|
||||
|
||||
workout_total_time += (superset_total_time * superset_rounds)
|
||||
|
||||
workout_obj.estimated_time = workout_total_time
|
||||
workout_obj.save()
|
||||
except Exception:
|
||||
logger.exception("Failed to import workout '%s' from %s",
|
||||
workout_name, sample_url["file"])
|
||||
continue
|
||||
|
||||
# Invalidate per-user cache keys for all imported users
|
||||
for sample_url in sample_urls:
|
||||
cache.delete('all_workouts_user_' + str(sample_url["user_id"]))
|
||||
|
||||
@@ -11,5 +11,5 @@ urlpatterns = [
|
||||
path('planned_workouts/', views.workouts_planned_by_logged_in_user, name='planned workout for user'),
|
||||
path('plan_workout/', views.plan_workout, name='plan workout'),
|
||||
|
||||
path('add_from_files/', views.add_from_files, name='plan workout'),
|
||||
path('add_from_files/', views.add_from_files, name='add_from_files'),
|
||||
]
|
||||
190
workout/views.py
190
workout/views.py
@@ -3,17 +3,18 @@ from .serializers import *
|
||||
|
||||
from django.shortcuts import render
|
||||
from rest_framework.decorators import api_view
|
||||
from rest_framework.decorators import api_view
|
||||
from rest_framework.response import Response
|
||||
from rest_framework import status
|
||||
from django.contrib.auth.models import User
|
||||
from django.contrib.auth import authenticate
|
||||
from rest_framework.authentication import TokenAuthentication
|
||||
from rest_framework.permissions import IsAuthenticated
|
||||
from rest_framework.permissions import IsAuthenticated, IsAdminUser
|
||||
from rest_framework.decorators import authentication_classes
|
||||
from rest_framework.decorators import permission_classes
|
||||
from django.shortcuts import get_object_or_404
|
||||
from datetime import datetime, timedelta
|
||||
from django.utils import timezone
|
||||
from datetime import timedelta
|
||||
from django.db import transaction
|
||||
|
||||
from django.core.cache import cache
|
||||
from .tasks import add_from_files_tasks
|
||||
@@ -22,14 +23,25 @@ from .tasks import add_from_files_tasks
|
||||
@authentication_classes([TokenAuthentication])
|
||||
@permission_classes([IsAuthenticated])
|
||||
def all_workouts(request):
|
||||
if 'all_workouts' in cache:
|
||||
data = cache.get('all_workouts')
|
||||
# Fix #13: IDOR - filter workouts by the authenticated user
|
||||
registered_user = get_object_or_404(RegisteredUser, user=request.user)
|
||||
|
||||
cache_name = 'all_workouts_user_' + str(registered_user.pk)
|
||||
if cache_name in cache:
|
||||
data = cache.get(cache_name)
|
||||
return Response(data=data, status=status.HTTP_200_OK)
|
||||
|
||||
users = Workout.objects.all()
|
||||
serializer = WorkoutSerializer(users, many=True)
|
||||
|
||||
# Fix #16: N+1 - add prefetch_related for exercises, muscles, and equipment
|
||||
workouts = Workout.objects.filter(
|
||||
registered_user=registered_user
|
||||
).prefetch_related(
|
||||
'superset_set__supersetexercise_set__exercise',
|
||||
'superset_set__supersetexercise_set__exercise__muscles',
|
||||
'superset_set__supersetexercise_set__exercise__equipment_required_list',
|
||||
)
|
||||
serializer = WorkoutSerializer(workouts, many=True)
|
||||
data = serializer.data
|
||||
cache.set('all_workouts', data, timeout=None)
|
||||
cache.set(cache_name, data, timeout=None)
|
||||
return Response(data=data, status=status.HTTP_200_OK)
|
||||
|
||||
|
||||
@@ -37,12 +49,27 @@ def all_workouts(request):
|
||||
@authentication_classes([TokenAuthentication])
|
||||
@permission_classes([IsAuthenticated])
|
||||
def workout_details(request, workout_id):
|
||||
cache_name = "wk"+str(workout_id)
|
||||
# Fix #14: IDOR - verify the workout belongs to the requesting user
|
||||
registered_user = get_object_or_404(RegisteredUser, user=request.user)
|
||||
|
||||
# Include user in cache key to prevent IDOR via cached data
|
||||
cache_name = "wk" + str(workout_id) + "_user_" + str(registered_user.pk)
|
||||
if cache_name in cache:
|
||||
data = cache.get(cache_name)
|
||||
return Response(data=data, status=status.HTTP_200_OK)
|
||||
|
||||
workout = Workout.objects.get(pk=workout_id)
|
||||
|
||||
# Fix #1: get_object_or_404 instead of Workout.objects.get
|
||||
# Fix #14: also filter by registered_user for ownership check
|
||||
# Fix #16: N+1 - add prefetch_related for exercises, muscles, and equipment
|
||||
workout = get_object_or_404(
|
||||
Workout.objects.prefetch_related(
|
||||
'superset_set__supersetexercise_set__exercise',
|
||||
'superset_set__supersetexercise_set__exercise__muscles',
|
||||
'superset_set__supersetexercise_set__exercise__equipment_required_list',
|
||||
),
|
||||
pk=workout_id,
|
||||
registered_user=registered_user
|
||||
)
|
||||
serializer = WorkoutDetailSerializer(workout, many=False)
|
||||
data = serializer.data
|
||||
cache.set(cache_name, data, timeout=300)
|
||||
@@ -52,29 +79,32 @@ def workout_details(request, workout_id):
|
||||
@authentication_classes([TokenAuthentication])
|
||||
@permission_classes([IsAuthenticated])
|
||||
def complete_workout(request):
|
||||
registered_user = RegisteredUser.objects.get(user=request.user)
|
||||
# Fix #1: get_object_or_404
|
||||
registered_user = get_object_or_404(RegisteredUser, user=request.user)
|
||||
serializer = CompleteWorkoutSerializer(data=request.data, context = {"registered_user":registered_user.pk})
|
||||
if serializer.is_valid():
|
||||
serializer.save()
|
||||
return Response(serializer.data, status=status.HTTP_201_CREATED)
|
||||
return Response(serializer.errors, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
|
||||
# Fix #2: validation errors return 400 not 500
|
||||
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
|
||||
|
||||
@api_view(['GET'])
|
||||
@authentication_classes([TokenAuthentication])
|
||||
@permission_classes([IsAuthenticated])
|
||||
def workouts_completed_by_logged_in_user(request):
|
||||
registered_user = RegisteredUser.objects.get(user=request.user)
|
||||
# Fix #1: get_object_or_404
|
||||
registered_user = get_object_or_404(RegisteredUser, user=request.user)
|
||||
workouts = CompletedWorkout.objects.filter(registered_user=registered_user)
|
||||
serializer = GetCompleteWorkoutSerializer(workouts, many=True)
|
||||
return Response(serializer.data, status=status.HTTP_201_CREATED)
|
||||
# Fix #3: GET returns 200 not 201
|
||||
return Response(serializer.data, status=status.HTTP_200_OK)
|
||||
|
||||
@api_view(['POST'])
|
||||
@authentication_classes([TokenAuthentication])
|
||||
@permission_classes([IsAuthenticated])
|
||||
def add_workout(request):
|
||||
registered_user = RegisteredUser.objects.get(user=request.user)
|
||||
if registered_user is None:
|
||||
return Response(status=status.HTTP_400_BAD_REQUEST)
|
||||
# Fix #1: get_object_or_404
|
||||
registered_user = get_object_or_404(RegisteredUser, user=request.user)
|
||||
|
||||
# exercise_data = dict(request.POST)["exercise_data"]
|
||||
exercise_data = request.data["supersets"]
|
||||
@@ -87,67 +117,75 @@ def add_workout(request):
|
||||
serializer = POSTCompleteWorkoutSerializer(data=request.data)
|
||||
|
||||
if serializer.is_valid():
|
||||
workout = serializer.save(registered_user=registered_user)
|
||||
workout.save()
|
||||
# Fix #10: wrap creation logic in transaction.atomic()
|
||||
with transaction.atomic():
|
||||
workout = serializer.save(registered_user=registered_user)
|
||||
# Fix #18: removed redundant save() right after create()
|
||||
|
||||
workout_total_time = 0
|
||||
for superset in exercise_data:
|
||||
name = superset["name"]
|
||||
rounds = superset["rounds"]
|
||||
exercises = superset["exercises"]
|
||||
superset_order = superset["order"]
|
||||
|
||||
superset = Superset.objects.create(
|
||||
workout=workout,
|
||||
name=name,
|
||||
rounds=rounds,
|
||||
order=superset_order
|
||||
)
|
||||
superset.save()
|
||||
|
||||
superset_total_time = 0
|
||||
for exercise in exercises:
|
||||
exercise_id = exercise["id"]
|
||||
exercise_obj = Exercise.objects.get(pk=exercise_id)
|
||||
order = exercise["order"]
|
||||
workout_total_time = 0
|
||||
for superset in exercise_data:
|
||||
name = superset["name"]
|
||||
rounds = superset["rounds"]
|
||||
exercises = superset["exercises"]
|
||||
superset_order = superset["order"]
|
||||
|
||||
supersetExercise = SupersetExercise.objects.create(
|
||||
superset=superset,
|
||||
exercise=exercise_obj,
|
||||
order=order
|
||||
superset = Superset.objects.create(
|
||||
workout=workout,
|
||||
name=name,
|
||||
rounds=rounds,
|
||||
order=superset_order
|
||||
)
|
||||
|
||||
if "weight" in exercise:
|
||||
supersetExercise.weight = exercise["weight"]
|
||||
if "reps" in exercise:
|
||||
supersetExercise.reps = exercise["reps"]
|
||||
superset_total_time += exercise["reps"] * exercise_obj.estimated_rep_duration
|
||||
if "duration" in exercise:
|
||||
supersetExercise.duration = exercise["duration"]
|
||||
superset_total_time += exercise["duration"]
|
||||
# Fix #18: removed redundant save() right after create()
|
||||
|
||||
supersetExercise.save()
|
||||
superset_total_time = 0
|
||||
for exercise in exercises:
|
||||
exercise_id = exercise["id"]
|
||||
# Fix #1: get_object_or_404
|
||||
exercise_obj = get_object_or_404(Exercise, pk=exercise_id)
|
||||
order = exercise["order"]
|
||||
|
||||
superset.estimated_time = superset_total_time
|
||||
superset.save()
|
||||
supersetExercise = SupersetExercise.objects.create(
|
||||
superset=superset,
|
||||
exercise=exercise_obj,
|
||||
order=order
|
||||
)
|
||||
|
||||
workout_total_time += (superset_total_time * rounds)
|
||||
if "weight" in exercise:
|
||||
supersetExercise.weight = exercise["weight"]
|
||||
if "reps" in exercise:
|
||||
supersetExercise.reps = exercise["reps"]
|
||||
# Fix #4: None multiplication risk
|
||||
superset_total_time += exercise["reps"] * (exercise_obj.estimated_rep_duration or 3.0)
|
||||
if "duration" in exercise:
|
||||
supersetExercise.duration = exercise["duration"]
|
||||
superset_total_time += exercise["duration"]
|
||||
|
||||
superset_order += 1
|
||||
workout.estimated_time = workout_total_time
|
||||
workout.save()
|
||||
|
||||
cache.delete('all_workouts')
|
||||
supersetExercise.save()
|
||||
|
||||
superset.estimated_time = superset_total_time
|
||||
superset.save()
|
||||
|
||||
workout_total_time += (superset_total_time * rounds)
|
||||
|
||||
superset_order += 1
|
||||
workout.estimated_time = workout_total_time
|
||||
workout.save()
|
||||
|
||||
# Fix #19: invalidate per-user cache key (matches all_workouts view)
|
||||
cache.delete('all_workouts_user_' + str(registered_user.pk))
|
||||
|
||||
return Response(serializer.data, status=status.HTTP_201_CREATED)
|
||||
return Response(serializer.errors, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
|
||||
# Fix #2: validation errors return 400 not 500
|
||||
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
|
||||
|
||||
@api_view(['GET'])
|
||||
@authentication_classes([TokenAuthentication])
|
||||
@permission_classes([IsAuthenticated])
|
||||
def workouts_planned_by_logged_in_user(request):
|
||||
registered_user = RegisteredUser.objects.get(user=request.user)
|
||||
workouts = PlannedWorkout.objects.filter(registered_user=registered_user, on_date__gte=datetime.now()- timedelta(days=1))
|
||||
# Fix #1: get_object_or_404
|
||||
registered_user = get_object_or_404(RegisteredUser, user=request.user)
|
||||
# Fix #12: timezone.now() instead of datetime.now()
|
||||
workouts = PlannedWorkout.objects.filter(registered_user=registered_user, on_date__gte=timezone.now()- timedelta(days=1))
|
||||
serializer = PlannedWorkoutSerializer(workouts, many=True)
|
||||
return Response(serializer.data, status=status.HTTP_200_OK)
|
||||
|
||||
@@ -155,19 +193,23 @@ def workouts_planned_by_logged_in_user(request):
|
||||
@authentication_classes([TokenAuthentication])
|
||||
@permission_classes([IsAuthenticated])
|
||||
def plan_workout(request):
|
||||
registered_user = RegisteredUser.objects.get(user=request.user)
|
||||
serializer = POSTPlannedWorkoutSerializer(data=request.data,
|
||||
# Fix #1: get_object_or_404
|
||||
registered_user = get_object_or_404(RegisteredUser, user=request.user)
|
||||
serializer = POSTPlannedWorkoutSerializer(data=request.data,
|
||||
context = {"registered_user":registered_user.pk})
|
||||
|
||||
|
||||
if serializer.is_valid():
|
||||
serializer.save()
|
||||
return Response(serializer.data, status=status.HTTP_201_CREATED)
|
||||
return Response(serializer.errors, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
|
||||
# Fix #2: validation errors return 400 not 500
|
||||
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
|
||||
|
||||
@api_view(['GET'])
|
||||
# Fix #15: This GET endpoint triggers data mutation (importing from files).
|
||||
# Changed to POST. This should be admin-only.
|
||||
@api_view(['POST'])
|
||||
@authentication_classes([TokenAuthentication])
|
||||
@permission_classes([IsAuthenticated])
|
||||
@permission_classes([IsAdminUser])
|
||||
def add_from_files(request):
|
||||
add_from_files_tasks.delay()
|
||||
cache.delete('all_workouts')
|
||||
return Response(status=status.HTTP_200_OK)
|
||||
# Cache invalidation is handled in the task after import completes
|
||||
return Response(status=status.HTTP_200_OK)
|
||||
|
||||
Reference in New Issue
Block a user