fix: harden admin access, repair ORM joins, and add migration/tests

2026-04-01 14:59:54 +07:00
parent de592d140e
commit 16ab13e911
21 changed files with 1275 additions and 368 deletions
--- a/app/routers/sessions.py
+++ b/app/routers/sessions.py
@@ -341,6 +341,7 @@ async def get_session(
 async def create_session(
    request: SessionCreateRequest,
    db: AsyncSession = Depends(get_db),
+    website_id: int = Depends(get_website_id_from_header),
 ) -> SessionResponse:
    """
    Create a new session.
@@ -355,10 +356,19 @@ async def create_session(
    Raises:
        HTTPException: If tryout not found or session already exists
    """
+    if request.website_id != website_id:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=(
+                "Website mismatch between payload and X-Website-ID header: "
+                f"{request.website_id} != {website_id}"
+            ),
+        )
+
    # Verify tryout exists
    tryout_result = await db.execute(
        select(Tryout).where(
-            Tryout.website_id == request.website_id,
+            Tryout.website_id == website_id,
            Tryout.tryout_id == request.tryout_id,
        )
    )
@@ -367,7 +377,7 @@ async def create_session(
    if tryout is None:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
-            detail=f"Tryout {request.tryout_id} not found for website {request.website_id}",
+            detail=f"Tryout {request.tryout_id} not found for website {website_id}",
        )

    # Check if session already exists
@@ -386,7 +396,7 @@ async def create_session(
    session = Session(
        session_id=request.session_id,
        wp_user_id=request.wp_user_id,
-        website_id=request.website_id,
+        website_id=website_id,
        tryout_id=request.tryout_id,
        scoring_mode_used=request.scoring_mode,
        start_time=datetime.now(timezone.utc),
--- a/app/routers/tryouts.py
+++ b/app/routers/tryouts.py
@@ -10,7 +10,7 @@ Endpoints:
 from typing import List, Optional

 from fastapi import APIRouter, Depends, HTTPException, Header, status
-from sqlalchemy import select, func
+from sqlalchemy import Integer, cast, func, select
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload

@@ -292,7 +292,7 @@ async def get_calibration_status(
    stats_result = await db.execute(
        select(
            func.count().label("total_items"),
-            func.sum(func.cast(Item.calibrated, type_=func.INTEGER)).label("calibrated_items"),
+            func.sum(cast(Item.calibrated, Integer)).label("calibrated_items"),
            func.avg(Item.calibration_sample_size).label("avg_sample_size"),
        ).where(
            Item.website_id == website_id,