Iliyan Angelov
2025-12-01 01:08:39 +02:00
parent 0fa2adeb19
commit 1a103a769f
234 changed files with 5513 additions and 283 deletions


@@ -306,7 +306,9 @@ async def create_booking(booking_data: CreateBookingRequest, current_user: User=
if payment_method in ['stripe', 'paypal']:
initial_status = BookingStatus.pending
final_notes = notes or ''
# Sanitize user-provided notes to prevent XSS
from html import escape
final_notes = escape(notes) if notes else ''
if promotion_code:
promotion_note = f'Promotion Code: {promotion_code}'
final_notes = f'{promotion_note}\n{final_notes}'.strip() if final_notes else promotion_note
@@ -507,23 +509,36 @@ async def create_booking(booking_data: CreateBookingRequest, current_user: User=
return success_response(data={'booking': booking_dict}, message=message)
except HTTPException:
if 'transaction' in locals():
transaction.rollback()
try:
transaction.rollback()
except Exception:
pass
raise
except IntegrityError as e:
transaction.rollback()
if 'transaction' in locals():
try:
transaction.rollback()
except Exception:
pass
logger.error(f'Database integrity error during booking creation: {str(e)}')
raise HTTPException(status_code=409, detail='Booking conflict detected. Please try again.')
except Exception as e:
if 'transaction' in locals():
transaction.rollback()
try:
transaction.rollback()
except Exception:
pass
logger.error(f'Error creating booking: {str(e)}', exc_info=True)
import logging
import traceback
logger = logging.getLogger(__name__)
logger.error(f'Error creating booking (payment_method: {payment_method}): {str(e)}')
logger.error(f'Traceback: {traceback.format_exc()}')
db.rollback()
raise HTTPException(status_code=500, detail=str(e))
try:
db.rollback()
except Exception:
pass
raise HTTPException(status_code=500, detail='An error occurred while creating the booking. Please try again.')
@router.get('/{id}')
async def get_booking_by_id(id: int, request: Request, current_user: User=Depends(get_current_user), db: Session=Depends(get_db)):
@@ -772,7 +787,9 @@ async def update_booking(id: int, booking_data: UpdateBookingRequest, current_us
booking.num_guests = booking_data.guest_count
if booking_data.notes is not None:
booking.special_requests = booking_data.notes
# Sanitize user-provided notes to prevent XSS
from html import escape
booking.special_requests = escape(booking_data.notes)
# Restrict staff from modifying booking prices (only admin can)
if booking_data.total_price is not None:
@@ -1060,7 +1077,9 @@ async def admin_create_booking(booking_data: AdminCreateBookingRequest, current_
except ValueError:
initial_status = BookingStatus.confirmed
final_notes = notes or ''
# Sanitize user-provided notes to prevent XSS
from html import escape
final_notes = escape(notes) if notes else ''
if promotion_code:
promotion_note = f'Promotion Code: {promotion_code}'
final_notes = f'{promotion_note}\n{final_notes}'.strip() if final_notes else promotion_note
@@ -1320,15 +1339,24 @@ async def admin_create_booking(booking_data: AdminCreateBookingRequest, current_
)
except HTTPException:
if 'transaction' in locals():
transaction.rollback()
try:
transaction.rollback()
except Exception:
pass
raise
except IntegrityError as e:
if 'transaction' in locals():
transaction.rollback()
try:
transaction.rollback()
except Exception:
pass
logger.error(f'Database integrity error during admin booking creation: {str(e)}')
raise HTTPException(status_code=409, detail='Booking conflict detected. Please try again.')
except Exception as e:
if 'transaction' in locals():
transaction.rollback()
try:
transaction.rollback()
except Exception:
pass
logger.error(f'Error creating booking (admin/staff): {str(e)}', exc_info=True)
raise HTTPException(status_code=500, detail='An error occurred while creating the booking')
raise HTTPException(status_code=500, detail='An error occurred while creating the booking. Please try again.')
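Review bot: HTML-escaping the notes at write time (hunks at 306, 787 and 1077) stores `&amp;`/`&#x27;` sequences in the database instead of the text the user typed, so any consumer that also encodes on output (a template engine, or a client rendering the JSON) will double-escape, and the update path at 787 re-escapes on every edit, so a notes value read back and resubmitted unchanged turns `&` into `&amp;amp;`. XSS is prevented by encoding at the output boundary, so I would keep the raw text in `special_requests` and apply `escape()` where the notes are rendered; if storing escaped text is deliberate, say so next to the assignment, e.g. `# special_requests is stored HTML-escaped; render without re-escaping`. In the same hunks `promotion_code` is interpolated into `final_notes` unescaped (`f'Promotion Code: {promotion_code}'`), so if it is taken from the request it needs the same treatment as `notes` — presumably it comes from booking_data, which is outside the hunk. In the rollback handlers (509 and 1339) `except Exception: pass` hides a failed rollback, which is exactly the case an operator needs to see; `except Exception: logger.warning('Transaction rollback failed', exc_info=True)` keeps the best-effort behaviour without losing the signal. The enclosing create_booking, update_booking and admin_create_booking bodies extend outside the hunks.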