rene
1ff66a7083
PYDANTIC max_length (38 Routen, ~400 Field-Constraints): Schützt vor DoS durch Riesen-Payloads (10MB Thread-Titel etc.). Pragmatische Limits: - Titel/Name: 200 · Beschreibung/Body: 10000 · Notiz: 5000 - Email: 254 (RFC 5321) · URL: 500 · Slug/Kategorie: 100 - Hund-Name/Rasse: 80 · Hund-Bio: 2000 Top-betroffen: forum.py, diary.py, health.py, dogs.py, expenses.py, notes.py, auth.py, profile.py. Manuelle len()-Checks in profile, chat, ki entfernt (jetzt durch Field abgedeckt). PYTEST COVERAGE (+19 Tests, 37 grün + 1 xfail): - test_security.py: require_owner (Places GET/PATCH/DELETE mit Fremduser → 403), JWT-Blacklist (Logout invalidiert Token), Login-Lockout (5 Fehlversuche → 429 + Retry-After Header) - test_race.py: Invoice-Counter (20 parallele Threads, alle unique), Founder-Number (atomare Vergabe, voll bei 100) - test_validation.py: Forum-Titel 30k Zeichen → 422, Diary-Text 50k → 422 (verifiziert Pydantic max_length-Sweep) A11Y (Tap-Targets ≥44×44 + Dark-Mode-Kontrast): - #header-user-btn 36→44px, .header-back 40→44, .header-menu-btn 40→44 - dog-profile Wrapped-Slider Prev/Next 40→44 - forum-Lightbox Close 40→44 - --c-text-muted Light: #B0A090 (2.37:1 FAIL) → #7F6B58 (4.74:1 PASS) - --c-text-muted Dark: #806A58 (3.58:1 FAIL) → #A08878 (5.46:1 PASS) - Branding-Farben unangetastet
124 lines
4.8 KiB
Python
124 lines
4.8 KiB
Python
"""BAN YARO — Bewertungssystem (Ratings)"""
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException
|
|
from pydantic import BaseModel, Field
|
|
from typing import Optional
|
|
from database import db
|
|
from auth import get_current_user
|
|
|
|
router = APIRouter()
|
|
|
|
VALID_TYPES = {'walk', 'sitting', 'place', 'route'}
|
|
|
|
# Tabelle → bewertung + anz_bewertungen aktualisieren
|
|
TABLE_MAP = {
|
|
'walk': 'walks',
|
|
'sitting': 'sitters',
|
|
'place': 'places',
|
|
'route': 'routes',
|
|
}
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# Schemas
|
|
# ------------------------------------------------------------------
|
|
class RatingCreate(BaseModel):
|
|
target_type: str = Field(..., max_length=50)
|
|
target_id: int
|
|
stars: int
|
|
kommentar: Optional[str] = Field(None, max_length=5000)
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# POST /api/ratings — Bewertung abgeben oder aktualisieren
|
|
# ------------------------------------------------------------------
|
|
@router.post("", status_code=200)
|
|
async def upsert_rating(data: RatingCreate, user=Depends(get_current_user)):
|
|
if data.target_type not in VALID_TYPES:
|
|
raise HTTPException(400, f"Ungültiger Typ. Erlaubt: {', '.join(VALID_TYPES)}")
|
|
if not (1 <= data.stars <= 5):
|
|
raise HTTPException(400, "Sterne müssen zwischen 1 und 5 liegen.")
|
|
if data.kommentar and len(data.kommentar) > 200:
|
|
raise HTTPException(400, "Kommentar darf maximal 200 Zeichen lang sein.")
|
|
|
|
table = TABLE_MAP[data.target_type]
|
|
kommentar = data.kommentar.strip() if data.kommentar else None
|
|
|
|
with db() as conn:
|
|
# Prüfen ob Zielobjekt existiert
|
|
row = conn.execute(f"SELECT id FROM {table} WHERE id=?", (data.target_id,)).fetchone()
|
|
if not row:
|
|
raise HTTPException(404, "Objekt nicht gefunden.")
|
|
|
|
# Upsert
|
|
conn.execute("""
|
|
INSERT INTO ratings (user_id, target_type, target_id, stars, kommentar)
|
|
VALUES (?, ?, ?, ?, ?)
|
|
ON CONFLICT(user_id, target_type, target_id)
|
|
DO UPDATE SET stars=excluded.stars, kommentar=excluded.kommentar, created_at=datetime('now')
|
|
""", (user['id'], data.target_type, data.target_id, data.stars, kommentar))
|
|
|
|
# Durchschnitt berechnen und Zieltabelle aktualisieren
|
|
agg = conn.execute("""
|
|
SELECT AVG(CAST(stars AS REAL)) AS avg_stars, COUNT(*) AS cnt
|
|
FROM ratings
|
|
WHERE target_type=? AND target_id=?
|
|
""", (data.target_type, data.target_id)).fetchone()
|
|
|
|
conn.execute(
|
|
f"UPDATE {table} SET bewertung=?, anz_bewertungen=? WHERE id=?",
|
|
(round(agg['avg_stars'], 2), agg['cnt'], data.target_id)
|
|
)
|
|
|
|
return {"bewertung": round(agg['avg_stars'], 2), "anz_bewertungen": agg['cnt']}
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# GET /api/ratings/{type}/{id} — Bewertungen für ein Objekt laden
|
|
# WICHTIG: Feste Route vor {param} in main.py registrieren
|
|
# ------------------------------------------------------------------
|
|
@router.get("/{target_type}/{target_id}")
|
|
async def get_ratings(target_type: str, target_id: int):
|
|
if target_type not in VALID_TYPES:
|
|
raise HTTPException(400, f"Ungültiger Typ. Erlaubt: {', '.join(VALID_TYPES)}")
|
|
|
|
with db() as conn:
|
|
rows = conn.execute("""
|
|
SELECT r.id, r.stars, r.kommentar, r.created_at,
|
|
u.name AS user_name
|
|
FROM ratings r
|
|
JOIN users u ON u.id = r.user_id
|
|
WHERE r.target_type=? AND r.target_id=?
|
|
ORDER BY r.created_at DESC
|
|
""", (target_type, target_id)).fetchall()
|
|
|
|
agg = conn.execute("""
|
|
SELECT AVG(CAST(stars AS REAL)) AS avg_stars, COUNT(*) AS cnt
|
|
FROM ratings WHERE target_type=? AND target_id=?
|
|
""", (target_type, target_id)).fetchone()
|
|
|
|
return {
|
|
"bewertung": round(agg['avg_stars'], 2) if agg['avg_stars'] else 0,
|
|
"anz_bewertungen": agg['cnt'],
|
|
"ratings": [dict(r) for r in rows],
|
|
}
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# GET /api/ratings/me/{type}/{id} — Eigene Bewertung für ein Objekt
|
|
# WICHTIG: Diese Route muss VOR /{target_type}/{target_id} stehen!
|
|
# ------------------------------------------------------------------
|
|
@router.get("/me/{target_type}/{target_id}")
|
|
async def get_my_rating(target_type: str, target_id: int, user=Depends(get_current_user)):
|
|
if target_type not in VALID_TYPES:
|
|
raise HTTPException(400, f"Ungültiger Typ. Erlaubt: {', '.join(VALID_TYPES)}")
|
|
|
|
with db() as conn:
|
|
row = conn.execute("""
|
|
SELECT stars, kommentar FROM ratings
|
|
WHERE user_id=? AND target_type=? AND target_id=?
|
|
""", (user['id'], target_type, target_id)).fetchone()
|
|
|
|
if not row:
|
|
return {"stars": None, "kommentar": None}
|
|
return dict(row)
|