Visitor hostel v1 #1915
…2/Fusion into visitor-hostel-v1
Visitor hostel v1
Revert "Visitor hostel v1"
…hostel-v1 Visitor Hostel v1 integration updates
vikrantwiz02
left a comment
Critical

- `api/secure_views.py` is 473 lines of dead code — `SecureActiveBookingsApiView` and the other views defined there are never imported in `urls.py`. None of this code runs. Either wire it up or remove it; shipping inert "secure" replacements creates a false sense of hardened endpoints.
- `security/middleware.py` defines `VHSecurityMiddleware` but it is not registered in `settings/common.py` `MIDDLEWARE` — the class is completely inert. All the authentication validation and rate-limiting logic inside it never executes against any request.
- `VHSecurityPolicy` in `security/settings.py` defines rate limits, session timeouts, and IP-allow rules as class attributes, but nothing reads or enforces them — the values sit unused. This is not security; it is documentation formatted as code.
- `services.py` uses `from Fusion import settings` — this is the wrong import pattern and may resolve differently depending on the Python path. Use `from django.conf import settings` to get Django's settings object reliably.
Should Not Be Committed

`api/views_backup.py` — a 41-line file that begins with `# Quick fix: ActiveBookingsApiView without meal indicators`. Backup files must not be committed; use git branches or stash for this purpose.
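The enforcement gap named in the Critical list above (policy values that nothing reads, a middleware that never runs) closes only when the middleware takes the policy as a dependency and is exercised end to end. The following is an added, framework-free illustration, not code from this PR or the Fusion project: the `VHSecurityPolicy` attribute names and numbers are constructed, `FakeRequest` stands in for `django.http.HttpRequest` (only `.path` and `.META['REMOTE_ADDR']` are used), and `VHSecurityEnforcer` follows Django's callable-middleware shape (`__init__(get_response)` / `__call__(request)`) so the same class could be listed in `MIDDLEWARE` once it returns real `HttpResponse` objects instead of bare status codes.

```python
import time
from collections import defaultdict, deque

class VHSecurityPolicy:
    """Policy values actually consumed below; the numbers are constructed."""
    RATE_LIMIT_REQUESTS = 5            # requests allowed per client IP per window
    RATE_LIMIT_WINDOW_SECONDS = 60
    ADMIN_PATH_PREFIX = "/visitor_hostel/admin/"
    ADMIN_ALLOWED_IPS = {"10.0.0.5"}   # constructed allow-list

class VHSecurityEnforcer:
    """Django-style callable middleware that reads and enforces VHSecurityPolicy."""
    def __init__(self, get_response, policy=VHSecurityPolicy, clock=time.monotonic):
        self.get_response = get_response
        self.policy = policy
        self.clock = clock                 # injectable so the window is testable
        self._hits = defaultdict(deque)    # ip -> request timestamps in the window

    def _over_limit(self, ip):
        now = self.clock()
        window = self._hits[ip]
        while window and now - window[0] >= self.policy.RATE_LIMIT_WINDOW_SECONDS:
            window.popleft()               # age out old hits (sliding window)
        if len(window) >= self.policy.RATE_LIMIT_REQUESTS:
            return True
        window.append(now)
        return False

    def __call__(self, request):
        ip = request.META.get("REMOTE_ADDR", "")
        if request.path.startswith(self.policy.ADMIN_PATH_PREFIX) and ip not in self.policy.ADMIN_ALLOWED_IPS:
            return 403                     # IP allow-list enforced first
        if self._over_limit(ip):
            return 429                     # rate limit enforced
        return self.get_response(request)

class FakeRequest:
    """Stand-in for django.http.HttpRequest; only .path and .META are used."""
    def __init__(self, path, ip):
        self.path, self.META = path, {"REMOTE_ADDR": ip}

def run_demo():
    """Status codes for a constructed sequence: 5 allowed, 6th limited, admin denied, reset."""
    now = [0.0]
    enforcer = VHSecurityEnforcer(lambda request: 200, clock=lambda: now[0])
    out = [enforcer(FakeRequest("/visitor_hostel/", "192.0.2.10")) for _ in range(6)]
    out.append(enforcer(FakeRequest("/visitor_hostel/admin/", "192.0.2.10")))
    now[0] = 61.0                          # window expired
    out.append(enforcer(FakeRequest("/visitor_hostel/", "192.0.2.10")))
    return out
```

A test like `run_demo()` is the check this PR lacks: if the middleware is dropped from `MIDDLEWARE` or stops reading the policy, the expected 429 and 403 disappear and the test fails.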
| @@ -0,0 +1,41 @@ | |||
| # Quick fix: ActiveBookingsApiView without meal indicators | |||
Backup file committed to the repository. The comment on line 3 (`# Quick fix: ActiveBookingsApiView without meal indicators`) confirms this is a workaround copy, not production code. Use git branches or `git stash` instead of committing backup files.
| from applications.visitor_hostel.logging_config import vh_logger | ||
| from .rbac import get_user_vh_roles, get_user_permissions | ||
|
|
||
| class VHSecurityMiddleware(MiddlewareMixin): |
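Review bot: the class defined here has no effect until its dotted path is added to MIDDLEWARE in settings/common.py; given the `applications.visitor_hostel` package visible in the import above and the `security/middleware.py` location named in the review, that entry would be `'applications.visitor_hostel.security.middleware.VHSecurityMiddleware'` (path assumed from those two facts), placed after `django.contrib.auth.middleware.AuthenticationMiddleware` so `request.user` is populated when its authentication checks run. A settings test asserting the class is present in MIDDLEWARE would keep it from silently dropping out again.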
`VHSecurityMiddleware` is defined here but is not added to the `MIDDLEWARE` list in `settings/common.py`. The middleware never runs — all the authentication validation, rate-limiting, and security logging inside it is completely bypassed for every request.
| @@ -0,0 +1,473 @@ | |||
| """ | |||
473 lines of view implementations that are never imported in `urls.py` and therefore never reachable. Dead code at this scale is a maintenance burden and gives a misleading impression of improved security. Either wire these views into the URL configuration or remove this file.
| from django.utils import timezone | ||
| from notifications.signals import notify | ||
|
|
||
| from Fusion import settings |
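Review bot: `from Fusion import settings` binds the settings package or module itself rather than Django's lazy settings object, so the value of `DJANGO_SETTINGS_MODULE`, `override_settings` in tests, and the split between `settings/common.py` and any environment-specific settings module are all ignored by this file. Replace the line with `from django.conf import settings`; every `settings.X` access in the module then resolves against the active configuration without further changes.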
`from Fusion import settings` is not the standard Django pattern and may resolve incorrectly depending on the Python path. Use `from django.conf import settings` instead, which is guaranteed to return the active Django settings object.
| # SECURITY POLICIES | ||
| # ============================================================ | ||
|
|
||
| class VHSecurityPolicy: |
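Review bot: a class whose attributes nothing reads cannot fail closed, so this hunk should not land without a consumer. Either move the values into the Django settings module (names such as `VH_RATE_LIMIT_REQUESTS` and `VH_SESSION_TIMEOUT` are assumed here) and have the middleware read them through `settings`, or have `VHSecurityMiddleware` import `VHSecurityPolicy` directly and enforce it. Add a test that drives a request through the middleware and asserts the rate limit and the IP allow-list actually reject traffic, so the policy cannot become inert again without a failing build.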
`VHSecurityPolicy` defines rate limits, session timeouts, and allowed IPs as class attributes, but nothing in the codebase reads or enforces these values. Defining security policies as unused constants provides no actual protection. These should either be wired into the middleware/views or removed to avoid giving a false impression of enforced security.