17a627a981
Address critical data visibility issues for Event Files and enhance frontend documentation.
This commit resolves the persistent problem where top-level hosted file convenience fields
(e.g., , , ) were
returning as in V3 Event File API responses, even when .
Key changes include:
- Refactored Pydantic model:
- Removed redundant definitions from top-level hosted file convenience fields,
allowing direct mapping from SQL view columns.
- Simplified to focus solely on conditionally loading the nested
object, as top-level fields are now populated directly by Pydantic
from the view.
- Added comprehensive comments to clarify data flow, Pydantic's behavior, and the
expected origin of these convenience fields from SQL views.
- Updated :
- Introduced a new section detailing how to retrieve Event File data, including the
use of to get both top-level convenience fields and a nested
object.
- Clarified all ID references as random string IDs.
- Renumbered the troubleshooting section.
- Copied updated guide to .
- Continued ID Vision compliance audit, ensuring consistent handling of random string IDs
across various core and event models (Account, Address, Contact, DataStore, Event Badge Template).
- Consolidated ID Vision E2E tests and updated related documentation.
- Minor updates to and
to support Event File data retrieval with .
37 lines
2.3 KiB
Markdown
37 lines
2.3 KiB
Markdown
# Backend Agent Task List
|
|
> Use this file to track steps for complex features or bug fixes.
|
|
> **Status:** 🟢 STABLE - Security Hardening Complete.
|
|
|
|
## 📋 Active Tasks
|
|
- [x] **Core Isolation:** Harden `apply_forced_account_filter` to Fail-Closed.
|
|
- [x] **IDAA Baseline:** Remove `public_read` from Event, CMS, and Archive objects.
|
|
- [x] **Detailed Feedback:** Implement descriptive 403 Forbidden reasons.
|
|
- [x] **Audit Suite:** Establish `test_e2e_v3_security_audit.py` as a permanent safeguard.
|
|
- [x] **Polymorphic For_ID Patterns:** Add ID Vision to Address, Contact, and DataStore objects.
|
|
- [x] **Event File Hash_SHA256 Fix:** Populate hosted_file_hash_sha256 correctly.
|
|
- [ ] **Step 1: ID Vision Parity Audit**
|
|
- [x] Audit Core Event Models (Badge, Session, Presentation).
|
|
- [x] Audit File/Exhibit Models (File, Template, Tracking).
|
|
- [x] Whitelist `account_id` in all Event search definitions.
|
|
- [x] Audit Relational "Low-Priority" Models (Address, Contact, DataStore).
|
|
- [ ] Audit Lookup Fields (Exclude all `lu_*_id` integers from public output).
|
|
- [ ] Verify SQL Views join in all required `_random` IDs for performance.
|
|
- [ ] **Step 2:** Coordination (Verify Frontend uses `x-account-id` instead of token).
|
|
|
|
## 🛡️ Security & Privacy Baseline (IDAA)
|
|
- **Status:** **ENFORCED**.
|
|
- **Principle:** Every object requires an Account Context except `site_domain`.
|
|
- **Maintenance:** Run `tests/e2e/test_e2e_v3_security_audit.py` after ANY router or registry change.
|
|
|
|
## 🚧 Upcoming Strategic Goals
|
|
- **Zoom Events Integration:** Implement cron synchronization for OAuth2 ticket retrieval.
|
|
- **Aether V4 Architecture:** Migration to V4 core standards (Lifecycle fields).
|
|
|
|
## 📝 Session Notes (Feb 19, 2026)
|
|
- **Resolved:** Fixed integer ID leakage in `Event_Badge_Template_Base` and `Event_File_Base`.
|
|
- **Hardened:** Whitelisted `account_id` searching for all Event Objects (Presentation, General, Registration).
|
|
- **Verified:** SQL Views `v_event_session` and `v_event_session_w_file_count` confirmed to have `account_id_random`.
|
|
- **Resolved:** Implemented polymorphic `for_id` resolution for DataStore, Address, and Contact models.
|
|
- **Resolved:** Fixed `hash_sha256` for Event Files being null on the frontend.
|
|
- **Status:** Core and Demo Vision parity suites verified at 100% pass rate.
|