fix: harden admin access, repair ORM joins, and add migration/tests

2026-04-01 14:59:54 +07:00
parent de592d140e
commit 16ab13e911
21 changed files with 1275 additions and 368 deletions
--- a/app/models/session.py
+++ b/app/models/session.py
@@ -13,9 +13,11 @@ from sqlalchemy import (
    DateTime,
    Float,
    ForeignKey,
+    ForeignKeyConstraint,
    Index,
    Integer,
    String,
+    func,
 )
 from sqlalchemy.orm import Mapped, mapped_column, relationship

@@ -82,7 +84,7 @@ class Session(Base):

    # Timestamps
    start_time: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True), nullable=False, server_default="NOW()"
+        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    end_time: Mapped[Union[datetime, None]] = mapped_column(
        DateTime(timezone=True), nullable=True, comment="Session end timestamp"
@@ -144,21 +146,27 @@ class Session(Base):

    # Timestamps
    created_at: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True), nullable=False, server_default="NOW()"
+        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True),
        nullable=False,
-        server_default="NOW()",
-        onupdate="NOW()",
+        server_default=func.now(),
+        onupdate=func.now(),
    )

    # Relationships
    user: Mapped["User"] = relationship(
-        "User", back_populates="sessions", lazy="selectin"
+        "User",
+        back_populates="sessions",
+        lazy="selectin",
+        overlaps="tryout,sessions",
    )
    tryout: Mapped["Tryout"] = relationship(
-        "Tryout", back_populates="sessions", lazy="selectin"
+        "Tryout",
+        back_populates="sessions",
+        lazy="selectin",
+        overlaps="user",
    )
    user_answers: Mapped[list["UserAnswer"]] = relationship(
        "UserAnswer", back_populates="session", lazy="selectin", cascade="all, delete-orphan"
@@ -166,6 +174,20 @@ class Session(Base):

    # Constraints and indexes
    __table_args__ = (
+        ForeignKeyConstraint(
+            ["website_id", "tryout_id"],
+            ["tryouts.website_id", "tryouts.tryout_id"],
+            name="fk_sessions_tryout",
+            ondelete="CASCADE",
+            onupdate="CASCADE",
+        ),
+        ForeignKeyConstraint(
+            ["wp_user_id", "website_id"],
+            ["users.wp_user_id", "users.website_id"],
+            name="fk_sessions_user",
+            ondelete="CASCADE",
+            onupdate="CASCADE",
+        ),
        Index("ix_sessions_wp_user_id", "wp_user_id"),
        Index("ix_sessions_website_id", "website_id"),
        Index("ix_sessions_tryout_id", "tryout_id"),