update

2025-12-05 22:12:32 +02:00
parent 13c91f95f4
commit 7667eb5eda
53 changed files with 3065 additions and 9257 deletions
--- a/Backend/src/rooms/routes/advanced_room_routes.py
+++ b/Backend/src/rooms/routes/advanced_room_routes.py
@@ -9,6 +9,7 @@ import hashlib
 from ...shared.config.database import get_db
 from ...shared.config.logging_config import get_logger
 from ...security.middleware.auth import get_current_user, authorize_roles
+from ...shared.utils.sanitization import sanitize_text
 from ...auth.models.user import User
 from ...auth.models.role import Role
 from ..models.room import Room, RoomStatus
@@ -246,12 +247,17 @@ async def create_maintenance_record(
        if maintenance_data.get('block_end'):
            block_end = datetime.fromisoformat(maintenance_data['block_end'].replace('Z', '+00:00'))
        
+        # Sanitize user input
+        sanitized_title = sanitize_text(maintenance_data.get('title', 'Maintenance'))
+        sanitized_description = sanitize_text(maintenance_data.get('description')) if maintenance_data.get('description') else None
+        sanitized_notes = sanitize_text(maintenance_data.get('notes')) if maintenance_data.get('notes') else None
+        
        maintenance = RoomMaintenance(
            room_id=maintenance_data['room_id'],
            maintenance_type=MaintenanceType(maintenance_data.get('maintenance_type', 'preventive')),
            status=MaintenanceStatus(maintenance_data.get('status', 'scheduled')),
-            title=maintenance_data.get('title', 'Maintenance'),
-            description=maintenance_data.get('description'),
+            title=sanitized_title,
+            description=sanitized_description,
            scheduled_start=scheduled_start,
            scheduled_end=scheduled_end,
            assigned_to=maintenance_data.get('assigned_to'),
@@ -261,7 +267,7 @@ async def create_maintenance_record(
            block_start=block_start,
            block_end=block_end,
            priority=maintenance_data.get('priority', 'medium'),
-            notes=maintenance_data.get('notes')
+            notes=sanitized_notes
        )
        
        # Update room status if blocking and maintenance is active
@@ -362,7 +368,7 @@ async def update_maintenance_record(
        if 'actual_end' in maintenance_data:
            maintenance.actual_end = datetime.fromisoformat(maintenance_data['actual_end'].replace('Z', '+00:00'))
        if 'completion_notes' in maintenance_data:
-            maintenance.completion_notes = maintenance_data['completion_notes']
+            maintenance.completion_notes = sanitize_text(maintenance_data['completion_notes']) if maintenance_data['completion_notes'] else None
        if 'actual_cost' in maintenance_data:
            maintenance.actual_cost = maintenance_data['actual_cost']
        
@@ -604,6 +610,9 @@ async def create_housekeeping_task(
        if is_housekeeping and not assigned_to:
            assigned_to = current_user.id
        
+        # Sanitize user input
+        sanitized_notes = sanitize_text(task_data.get('notes')) if task_data.get('notes') else None
+        
        task = HousekeepingTask(
            room_id=task_data['room_id'],
            booking_id=task_data.get('booking_id'),
@@ -613,7 +622,7 @@ async def create_housekeeping_task(
            assigned_to=assigned_to,
            created_by=current_user.id,
            checklist_items=task_data.get('checklist_items', []),
-            notes=task_data.get('notes'),
+            notes=sanitized_notes,
            estimated_duration_minutes=task_data.get('estimated_duration_minutes')
        )
        
@@ -774,16 +783,16 @@ async def update_housekeeping_task(
        if 'checklist_items' in task_data:
            task.checklist_items = task_data['checklist_items']
        if 'notes' in task_data:
-            task.notes = task_data['notes']
+            task.notes = sanitize_text(task_data['notes']) if task_data['notes'] else None
        if 'issues_found' in task_data:
-            task.issues_found = task_data['issues_found']
+            task.issues_found = sanitize_text(task_data['issues_found']) if task_data['issues_found'] else None
        if 'quality_score' in task_data:
            task.quality_score = task_data['quality_score']
        if 'inspected_by' in task_data:
            task.inspected_by = task_data['inspected_by']
            task.inspected_at = datetime.utcnow()
        if 'inspection_notes' in task_data:
-            task.inspection_notes = task_data['inspection_notes']
+            task.inspection_notes = sanitize_text(task_data['inspection_notes']) if task_data['inspection_notes'] else None
        if 'photos' in task_data:
            task.photos = task_data['photos']
        
@@ -930,11 +939,11 @@ async def report_maintenance_issue_from_task(
        if not room:
            raise HTTPException(status_code=404, detail='Room not found')
        
-        # Create maintenance record
-        title = issue_data.get('title', f'Issue reported from Room {room.room_number}')
-        description = issue_data.get('description', '')
+        # Create maintenance record - sanitize user input
+        title = sanitize_text(issue_data.get('title', f'Issue reported from Room {room.room_number}'))
+        description = sanitize_text(issue_data.get('description', ''))
        if task.notes:
-            description = f"Reported from housekeeping task.\n\nTask Notes: {task.notes}\n\nIssue Description: {description}".strip()
+            description = f"Reported from housekeeping task.\n\nTask Notes: {sanitize_text(task.notes)}\n\nIssue Description: {description}".strip()
        else:
            description = f"Reported from housekeeping task.\n\nIssue Description: {description}".strip()
        
@@ -949,7 +958,7 @@ async def report_maintenance_issue_from_task(
            reported_by=current_user.id,
            priority=issue_data.get('priority', 'high'),
            blocks_room=issue_data.get('blocks_room', True),
-            notes=issue_data.get('notes', f'Reported from housekeeping task #{task_id}')
+            notes=sanitize_text(issue_data.get('notes', f'Reported from housekeeping task #{task_id}'))
        )
        
        # Update room status if blocking
@@ -1168,15 +1177,15 @@ async def update_room_inspection(
        if 'overall_score' in inspection_data:
            inspection.overall_score = inspection_data['overall_score']
        if 'overall_notes' in inspection_data:
-            inspection.overall_notes = inspection_data['overall_notes']
+            inspection.overall_notes = sanitize_text(inspection_data['overall_notes']) if inspection_data['overall_notes'] else None
        if 'issues_found' in inspection_data:
-            inspection.issues_found = inspection_data['issues_found']
+            inspection.issues_found = sanitize_text(inspection_data['issues_found']) if inspection_data['issues_found'] else None
        if 'photos' in inspection_data:
            inspection.photos = inspection_data['photos']
        if 'requires_followup' in inspection_data:
            inspection.requires_followup = inspection_data['requires_followup']
        if 'followup_notes' in inspection_data:
-            inspection.followup_notes = inspection_data['followup_notes']
+            inspection.followup_notes = sanitize_text(inspection_data['followup_notes']) if inspection_data['followup_notes'] else None
        if 'maintenance_request_id' in inspection_data:
            inspection.maintenance_request_id = inspection_data['maintenance_request_id']