Codebase hardening: 102 fixes across 35+ files
Deep audit identified 106 findings; 102 fixed, 4 deferred. Covers 8 areas: - Settings & deploy: env-gated DEBUG/SECRET_KEY, HTTPS headers, gunicorn, celery worker - Auth (registered_user): password write_only, request.data fixes, transaction safety, proper HTTP status codes - Workout app: IDOR protection, get_object_or_404, prefetch_related N+1 fixes, transaction.atomic - Video/scripts: path traversal sanitization, HLS trigger guard, auth on cache wipe - Models (exercise/equipment/muscle/superset): null-safe __str__, stable IDs, prefetch support - Generator views: helper for registered_user lookup, logger.exception, bulk_update, transaction wrapping - Generator core (rules/selector/generator): push-pull ratio, type affinity normalization, modality checks, side-pair exact match, word-boundary regex, equipment cache clearing - Generator services (plan_builder/analyzer/normalizer): transaction.atomic, muscle cache, bulk_update, glutes classification fix Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Trey t
169
workout/tasks.py
169
workout/tasks.py
@@ -1,12 +1,16 @@
|
||||
from celery import shared_task
|
||||
import json
|
||||
import os
|
||||
import logging
|
||||
from .models import *
|
||||
from .serializers import *
|
||||
from django.core.cache import cache
|
||||
from django.db import transaction
|
||||
from superset.models import Superset, SupersetExercise
|
||||
from exercise.models import Exercise
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@shared_task()
|
||||
def add_from_files_tasks():
|
||||
sample_urls = [{
|
||||
@@ -16,86 +20,111 @@ def add_from_files_tasks():
|
||||
"file": os.getcwd() + "/workout/cho_all_workouts.json",
|
||||
"user_id": 6
|
||||
}]
|
||||
|
||||
|
||||
for sample_url in sample_urls:
|
||||
with open(sample_url["file"]) as user_file:
|
||||
file_contents = user_file.read()
|
||||
parsed_json = json.loads(file_contents)
|
||||
|
||||
|
||||
# Fix #7: wrap in try/except so DoesNotExist doesn't crash Celery task
|
||||
try:
|
||||
registered_user = RegisteredUser.objects.get(pk=sample_url["user_id"])
|
||||
except RegisteredUser.DoesNotExist:
|
||||
logger.error("RegisteredUser with id=%s does not exist, skipping file %s",
|
||||
sample_url["user_id"], sample_url["file"])
|
||||
continue
|
||||
|
||||
for item in parsed_json:
|
||||
workout_name = item["name"]
|
||||
workout_description = item["description"]
|
||||
workout_created = item["created"]
|
||||
|
||||
workout_obj = Workout.objects.create(
|
||||
registered_user = RegisteredUser.objects.get(pk=sample_url["user_id"]),
|
||||
description = workout_description,
|
||||
name = workout_name,
|
||||
created_at = workout_created
|
||||
)
|
||||
|
||||
workout_obj.save()
|
||||
workout_obj.created_at = workout_created
|
||||
workout_obj.save(update_fields=['created_at'])
|
||||
workout_total_time = 0
|
||||
|
||||
supersets = item["supersets"]
|
||||
superset_order = 1
|
||||
for superset in supersets:
|
||||
superset_name = superset["name"]
|
||||
superset_rounds = superset["rounds"]
|
||||
|
||||
superset_obj = Superset.objects.create(
|
||||
workout=workout_obj,
|
||||
name=superset_name,
|
||||
rounds=superset_rounds,
|
||||
order=superset_order
|
||||
)
|
||||
|
||||
superset_obj.save()
|
||||
|
||||
superset_order += 1
|
||||
|
||||
exercises = superset["exercises"]
|
||||
exercise_order = 1
|
||||
|
||||
superset_total_time = 0
|
||||
for exercise in exercises:
|
||||
side = exercise["side"]
|
||||
name = exercise["name"]
|
||||
|
||||
duration = exercise["duration"]
|
||||
reps = exercise["reps"]
|
||||
side = exercise["side"]
|
||||
|
||||
exercise_obj = None
|
||||
if len(side) > 0:
|
||||
exercise_obj = Exercise.objects.get(name=name, side=side)
|
||||
else:
|
||||
exercise_obj = Exercise.objects.get(name=name, side="")
|
||||
|
||||
supersetExercise = SupersetExercise.objects.create(
|
||||
superset=superset_obj,
|
||||
exercise=exercise_obj,
|
||||
order=exercise_order
|
||||
# Fix #11: wrap bulk operations in transaction.atomic()
|
||||
try:
|
||||
with transaction.atomic():
|
||||
workout_obj = Workout.objects.create(
|
||||
registered_user = registered_user,
|
||||
description = workout_description,
|
||||
name = workout_name,
|
||||
created_at = workout_created
|
||||
)
|
||||
|
||||
if reps != 0:
|
||||
supersetExercise.reps = reps
|
||||
superset_total_time += reps * exercise_obj.estimated_rep_duration
|
||||
if reps == 0 and duration != 0:
|
||||
supersetExercise.duration = duration
|
||||
superset_total_time += exercise["duration"]
|
||||
supersetExercise.save()
|
||||
|
||||
exercise_order += 1
|
||||
# Fix #18: removed first redundant save() after create()
|
||||
# Need the second save to override auto_now_add on created_at
|
||||
workout_obj.created_at = workout_created
|
||||
workout_obj.save(update_fields=['created_at'])
|
||||
workout_total_time = 0
|
||||
|
||||
superset_obj.estimated_time = superset_total_time
|
||||
superset_obj.save()
|
||||
supersets = item["supersets"]
|
||||
superset_order = 1
|
||||
for superset in supersets:
|
||||
superset_name = superset["name"]
|
||||
superset_rounds = superset["rounds"]
|
||||
|
||||
workout_total_time += (superset_total_time * superset_rounds)
|
||||
|
||||
workout_obj.estimated_time = workout_total_time
|
||||
workout_obj.save()
|
||||
|
||||
cache.delete('all_workouts')
|
||||
superset_obj = Superset.objects.create(
|
||||
workout=workout_obj,
|
||||
name=superset_name,
|
||||
rounds=superset_rounds,
|
||||
order=superset_order
|
||||
)
|
||||
# Fix #18: removed redundant save() right after create()
|
||||
|
||||
superset_order += 1
|
||||
|
||||
exercises = superset["exercises"]
|
||||
exercise_order = 1
|
||||
|
||||
superset_total_time = 0
|
||||
for exercise in exercises:
|
||||
side = exercise["side"]
|
||||
name = exercise["name"]
|
||||
|
||||
duration = exercise["duration"]
|
||||
reps = exercise["reps"]
|
||||
side = exercise["side"]
|
||||
|
||||
# Fix #7: wrap Exercise.objects.get in try/except
|
||||
try:
|
||||
exercise_obj = None
|
||||
if len(side) > 0:
|
||||
exercise_obj = Exercise.objects.get(name=name, side=side)
|
||||
else:
|
||||
exercise_obj = Exercise.objects.get(name=name, side="")
|
||||
except Exercise.DoesNotExist:
|
||||
logger.error("Exercise '%s' (side='%s') does not exist, skipping",
|
||||
name, side)
|
||||
exercise_order += 1
|
||||
continue
|
||||
|
||||
supersetExercise = SupersetExercise.objects.create(
|
||||
superset=superset_obj,
|
||||
exercise=exercise_obj,
|
||||
order=exercise_order
|
||||
)
|
||||
|
||||
if reps != 0:
|
||||
supersetExercise.reps = reps
|
||||
# Fix #4: None multiplication risk
|
||||
superset_total_time += reps * (exercise_obj.estimated_rep_duration or 3.0)
|
||||
if reps == 0 and duration != 0:
|
||||
supersetExercise.duration = duration
|
||||
superset_total_time += exercise["duration"]
|
||||
supersetExercise.save()
|
||||
|
||||
exercise_order += 1
|
||||
|
||||
superset_obj.estimated_time = superset_total_time
|
||||
superset_obj.save()
|
||||
|
||||
workout_total_time += (superset_total_time * superset_rounds)
|
||||
|
||||
workout_obj.estimated_time = workout_total_time
|
||||
workout_obj.save()
|
||||
except Exception:
|
||||
logger.exception("Failed to import workout '%s' from %s",
|
||||
workout_name, sample_url["file"])
|
||||
continue
|
||||
|
||||
# Invalidate per-user cache keys for all imported users
|
||||
for sample_url in sample_urls:
|
||||
cache.delete('all_workouts_user_' + str(sample_url["user_id"]))
|
||||
|
||||
Reference in New Issue
Block a user