Fix SQLAlchemy `and` operator misuse causing broken query predicates and cross-tournament access #1721
Copilot wants to merge 4 commits into
…nament regression test
- Replace Python `and` with `&` in team_dependency and courts.py create_court
- Fix round_dependency and match_dependency to use proper JOINs through stage_items/stages since those tables lack a tournament_id column
- Add test_cross_tournament_team_access_denied regression test verifying a team from tournament B returns 404 when accessed via tournament A's URL
Deploying bracket-docs with
| Latest commit: | b0d4db7 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://257cc5d6.bracket-docs.pages.dev |
| Branch Preview URL: | https://copilot-fix-sqlalchemy-colum.bracket-docs.pages.dev |
Deploying bracket-frontend with
| Latest commit: | b0d4db7 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://7a0101f4.bracket-abd.pages.dev |
| Branch Preview URL: | https://copilot-fix-sqlalchemy-colum.bracket-abd.pages.dev |
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## master #1721 +/- ##
==========================================
+ Coverage 94.80% 94.83% +0.02%
==========================================
Files 120 120
Lines 4387 4393 +6
==========================================
+ Hits 4159 4166 +7
+ Misses 228 227 -1
@copilot fix ci errors

Fixed in the latest commit. The mypy errors ( The fix replaces

@copilot fix ci errors

Fixed in the latest commit. Two pylint issues were reported:
Python's `and` operator is unsafe with SQLAlchemy clause elements: in SQLAlchemy 2.0 it raises `TypeError` (routes return 500); in older versions it short-circuits to the right-hand operand, silently dropping the `id = X` filter and enabling cross-tournament entity access.

Changes

- `routes/util.py`
  - `team_dependency`: replace `and` with `&`
  - `round_dependency` / `match_dependency`: `rounds` and `matches` have no direct `tournament_id`; replace the broken `and` chain with proper JOINs through `stage_items → stages` to enforce tournament scoping
- `routes/courts.py`
  - `create_court` post-insert fetch: replace `and` with `&`
- `tests/.../teams_test.py`
  - `test_cross_tournament_team_access_denied`: asserts that a `PUT` on tournament A's URL using a `team_id` belonging to tournament B returns 404
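
The predicate bug described above, as an added example that is not code from this PR or from the project: because Python's `and` returns exactly one of its operands, one of the two filters never reaches the database, whichever way truthiness falls. `Clause`, `eq` and the lookup helpers are hypothetical stand-ins (not SQLAlchemy's classes), the truthiness of a clause is passed in as an assumption, and the `teams` rows are constructed sample data.

```python
import sqlite3

class Clause:
    """Constructed stand-in for a clause element; NOT SQLAlchemy's class."""
    def __init__(self, sql, params, truthy=True):
        # `truthy` is an assumption of this example: what bool(clause) yields.
        self.sql, self.params, self.truthy = sql, params, truthy

    def __and__(self, other):
        # `&` can be overloaded, so it builds a real SQL conjunction.
        return Clause(f"({self.sql}) AND ({other.sql})", self.params + other.params)

    def __bool__(self):
        # `and` cannot be overloaded: Python asks for truthiness of the left
        # operand and then returns exactly ONE of the two operands.
        return self.truthy

def eq(column, value, truthy=True):
    # `column` is a fixed identifier from code; only `value` is bound as data.
    return Clause(f"{column} = ?", (value,), truthy)

def make_db():
    # Constructed sample data: one team in each of two tournaments.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE teams (id INTEGER PRIMARY KEY, tournament_id INTEGER, name TEXT)")
    db.executemany("INSERT INTO teams VALUES (?, ?, ?)", [(1, 1, "A-team"), (2, 2, "B-team")])
    return db

def fetch_team(db, where):
    query = f"SELECT id, tournament_id, name FROM teams WHERE {where.sql}"
    return where.sql, db.execute(query, where.params).fetchone()

def lookup_with_and(db, tournament_id, team_id, left_truthy):
    # Broken form: one predicate is silently discarded before SQL is built.
    where = eq("id", team_id, left_truthy) and eq("tournament_id", tournament_id)
    return fetch_team(db, where)

def lookup_with_ampersand(db, tournament_id, team_id):
    # Fixed form: both predicates reach the database.
    return fetch_team(db, eq("id", team_id) & eq("tournament_id", tournament_id))

if __name__ == "__main__":
    db = make_db()
    # Request on tournament 1's URL for team 2, which belongs to tournament 2.
    print(lookup_with_and(db, 1, 2, left_truthy=False))  # scoping filter lost
    print(lookup_with_and(db, 1, 2, left_truthy=True))   # id filter lost
    print(lookup_with_ampersand(db, 1, 2))               # no row: route can answer 404
```

A regression test for this class of bug should assert on the cross-tenant case (a row id from another tournament), since same-tournament requests return the expected row under all three forms only by coincidence of the data.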