rene
1ff66a7083
PYDANTIC max_length (38 Routen, ~400 Field-Constraints): Schützt vor DoS durch Riesen-Payloads (10MB Thread-Titel etc.). Pragmatische Limits: - Titel/Name: 200 · Beschreibung/Body: 10000 · Notiz: 5000 - Email: 254 (RFC 5321) · URL: 500 · Slug/Kategorie: 100 - Hund-Name/Rasse: 80 · Hund-Bio: 2000 Top-betroffen: forum.py, diary.py, health.py, dogs.py, expenses.py, notes.py, auth.py, profile.py. Manuelle len()-Checks in profile, chat, ki entfernt (jetzt durch Field abgedeckt). PYTEST COVERAGE (+19 Tests, 37 grün + 1 xfail): - test_security.py: require_owner (Places GET/PATCH/DELETE mit Fremduser → 403), JWT-Blacklist (Logout invalidiert Token), Login-Lockout (5 Fehlversuche → 429 + Retry-After Header) - test_race.py: Invoice-Counter (20 parallele Threads, alle unique), Founder-Number (atomare Vergabe, voll bei 100) - test_validation.py: Forum-Titel 30k Zeichen → 422, Diary-Text 50k → 422 (verifiziert Pydantic max_length-Sweep) A11Y (Tap-Targets ≥44×44 + Dark-Mode-Kontrast): - #header-user-btn 36→44px, .header-back 40→44, .header-menu-btn 40→44 - dog-profile Wrapped-Slider Prev/Next 40→44 - forum-Lightbox Close 40→44 - --c-text-muted Light: #B0A090 (2.37:1 FAIL) → #7F6B58 (4.74:1 PASS) - --c-text-muted Dark: #806A58 (3.58:1 FAIL) → #A08878 (5.46:1 PASS) - Branding-Farben unangetastet
72 lines
2.9 KiB
Python
72 lines
2.9 KiB
Python
"""BAN YARO — Gasthund-Zugang (Sitter-Subscriptions)"""
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException
|
|
from pydantic import BaseModel, Field
|
|
from database import db
|
|
from auth import get_current_user
|
|
|
|
router = APIRouter()
|
|
|
|
|
|
class AccessCreate(BaseModel):
|
|
dog_id: int
|
|
sitter_id: int
|
|
valid_until: str = Field(..., max_length=32) # 'YYYY-MM-DD'
|
|
|
|
|
|
@router.post("", status_code=201)
|
|
async def grant_access(data: AccessCreate, user=Depends(get_current_user)):
|
|
"""Besitzer gewährt Sitter-Zugang zu seinem Hund."""
|
|
with db() as conn:
|
|
dog = conn.execute("SELECT id, user_id FROM dogs WHERE id=?", (data.dog_id,)).fetchone()
|
|
if not dog or dog["user_id"] != user["id"]:
|
|
raise HTTPException(403, "Nicht dein Hund.")
|
|
conn.execute("""
|
|
INSERT INTO sitting_subscriptions (dog_id, owner_id, sitter_id, valid_until)
|
|
VALUES (?, ?, ?, ?)
|
|
ON CONFLICT(dog_id, sitter_id) DO UPDATE SET valid_until=excluded.valid_until
|
|
""", (data.dog_id, user["id"], data.sitter_id, data.valid_until))
|
|
return {"ok": True}
|
|
|
|
|
|
@router.delete("/{sub_id}")
|
|
async def revoke_access(sub_id: int, user=Depends(get_current_user)):
|
|
"""Besitzer widerruft Zugang (oder Sitter meldet sich selbst ab)."""
|
|
with db() as conn:
|
|
row = conn.execute("SELECT * FROM sitting_subscriptions WHERE id=?", (sub_id,)).fetchone()
|
|
if not row:
|
|
raise HTTPException(404, "Nicht gefunden.")
|
|
if row["owner_id"] != user["id"] and row["sitter_id"] != user["id"]:
|
|
raise HTTPException(403, "Kein Zugriff.")
|
|
conn.execute("DELETE FROM sitting_subscriptions WHERE id=?", (sub_id,))
|
|
return {"ok": True}
|
|
|
|
|
|
@router.get("/my")
|
|
async def my_subscriptions(user=Depends(get_current_user)):
|
|
"""Gibt alle aktiven Gasthunde zurück (als Sitter oder Besitzer)."""
|
|
with db() as conn:
|
|
rows = conn.execute("""
|
|
SELECT ss.id, ss.dog_id, ss.valid_until,
|
|
d.name AS dog_name, d.foto_url, d.rasse,
|
|
d.foto_zoom, d.foto_offset_x, d.foto_offset_y,
|
|
u.name AS owner_name
|
|
FROM sitting_subscriptions ss
|
|
JOIN dogs d ON d.id = ss.dog_id
|
|
JOIN users u ON u.id = ss.owner_id
|
|
WHERE ss.sitter_id = ?
|
|
AND ss.valid_until >= date('now')
|
|
""", (user["id"],)).fetchall()
|
|
granted = conn.execute("""
|
|
SELECT ss.id, ss.dog_id, ss.valid_until,
|
|
d.name AS dog_name,
|
|
u.name AS sitter_name
|
|
FROM sitting_subscriptions ss
|
|
JOIN dogs d ON d.id = ss.dog_id
|
|
JOIN users u ON u.id = ss.sitter_id
|
|
WHERE ss.owner_id = ? AND ss.valid_until >= date('now')
|
|
""", (user["id"],)).fetchall()
|
|
return {
|
|
"as_sitter": [dict(r) for r in rows],
|
|
"as_owner": [dict(r) for r in granted],
|
|
}
|