fix A01

Author: makara4code

.claude/settings.local.json

@@ -30,7 +30,11 @@
       "Bash(npx @tanstack/router-cli generate)",
       "Bash(uv run:*)",
       "Bash(timeout:*)",
-      "Bash(npm install:*)"
+      "Bash(npm install:*)",
+      "Bash(docker ps:*)",
+      "Bash(npx tsc:*)",
+      "Bash(git stash:*)",
+      "Bash(npm run lint)"
     ],
     "deny": [],
     "ask": []

backend/app/core/db.py

@@ -13,8 +13,8 @@
 def init_db(session: Session) -> None:
     # Import models and repository here to avoid circular imports
     from app.modules.users.models import User
-    from app.modules.users.schemas import UserCreate
     from app.modules.users.repository import UserRepository
+    from app.modules.users.schemas import UserCreate
 
     # Tables should be created with Alembic migrations
     # But if you don't want to use migrations, create

backend/app/modules/__init__.py

@@ -1,9 +1,9 @@
 # Application modules
 # This package contains all domain modules organized by feature
 
-from app.modules.users.models import User
 from app.modules.items.models import Item
 from app.modules.shortener.models import ShortUrl
+from app.modules.users.models import User
 
 # Export all models for SQLModel metadata registration
 __all__ = ["User", "Item", "ShortUrl"]

backend/app/modules/auth/routes.py

@@ -6,14 +6,19 @@
 from fastapi.security import OAuth2PasswordRequestForm
 
 from app.core.config import settings
-from app.modules.shared import CurrentUser, Message, SessionDep, get_current_active_superuser
 from app.modules.auth.schemas import (
     GoogleCallbackRequest,
     GoogleLoginRequest,
     NewPassword,
     Token,
 )
 from app.modules.auth.service import AuthService
+from app.modules.shared import (
+    CurrentUser,
+    Message,
+    SessionDep,
+    get_current_active_superuser,
+)
 from app.modules.users.schemas import UserPublic
 
 router = APIRouter(tags=["login"])

backend/app/modules/owasp_demo/routers/a05_injection.py

@@ -7,7 +7,6 @@
 import re
 import subprocess
 from pathlib import Path
-from typing import Any
 from urllib.parse import urlparse
 
 from fastapi import APIRouter, HTTPException, Query
@@ -43,7 +42,8 @@ def sql_injection_vulnerable(
     - query: "'; DROP TABLE users; --" - Destroys data
     - query: "' UNION SELECT password FROM user --" - Data exfiltration
     """
-    raw_query = f"SELECT * FROM item WHERE title LIKE '%{search.query}%'"
+    # Query the user table which always has data for demonstration
+    raw_query = f"SELECT id, email, full_name FROM \"user\" WHERE email LIKE '%{search.query}%'"
 
     try:
         result = session.exec(text(raw_query))

backend/app/modules/owasp_demo/routers/summary.py

@@ -19,7 +19,7 @@
 )
 
 
-@router.post("/owasp-demo/seed")
+@router.post("/seed")
 def seed_demo_data(session: SessionDep) -> dict[str, Any]:
     """
     Create sample data for OWASP demo endpoints.
@@ -109,7 +109,7 @@ def seed_demo_data(session: SessionDep) -> dict[str, Any]:
     }
 
 
-@router.get("/owasp-demo/summary")
+@router.get("/summary")
 def owasp_summary() -> dict[str, Any]:
     """
     Get a summary of all OWASP Top 10 2025 demonstrations available.

backend/app/modules/private/routes.py

@@ -3,10 +3,10 @@
 from fastapi import APIRouter
 
 from app.core.security import get_password_hash
+from app.modules.private.schemas import PrivateUserCreate
 from app.modules.shared import SessionDep
 from app.modules.users.models import User
 from app.modules.users.schemas import UserPublic
-from app.modules.private.schemas import PrivateUserCreate
 
 router = APIRouter(tags=["private"], prefix="/private")
 

backend/app/modules/rbac/__init__.py

@@ -10,6 +10,10 @@
 )
 from app.modules.rbac.routes import router
 
+# Note: require_permission is in deps.py but not exported here
+# to avoid circular imports. Import directly:
+# from app.modules.rbac.deps import require_permission
+
 __all__ = [
     "Permission",
     "PermissionBase",

backend/app/modules/rbac/deps.py

@@ -0,0 +1,31 @@
+"""RBAC dependencies for FastAPI."""
+
+from fastapi import Depends, HTTPException
+
+from app.modules.rbac.service import UserRoleService
+from app.modules.shared.dependencies import CurrentUser, SessionDep
+
+
+def require_permission(permission: str):
+    """
+    Factory for permission-checking dependency.
+
+    Usage:
+        @router.get("/", dependencies=[Depends(require_permission("users:read"))])
+        def read_users(...):
+    """
+
+    def check_permission(current_user: CurrentUser, session: SessionDep):
+        # Superusers bypass permission checks
+        if current_user.is_superuser:
+            return current_user
+
+        # Check user's permissions from their roles
+        user_role_service = UserRoleService(session)
+        if not user_role_service.user_has_permission(current_user.id, permission):
+            raise HTTPException(
+                status_code=403, detail=f"Permission '{permission}' required"
+            )
+        return current_user
+
+    return Depends(check_permission)

backend/app/modules/rbac/routes.py

@@ -32,7 +32,7 @@
 @router.get("/permissions", response_model=PermissionsPublic)
 def read_permissions(
     session: SessionDep,
-    current_user: CurrentUser,
+    _current_user: CurrentUser,
     skip: int = 0,
     limit: int = 100,
 ) -> Any:
@@ -46,7 +46,7 @@ def read_permissions(
 @router.get("/permissions/{permission_id}", response_model=PermissionPublic)
 def read_permission(
     session: SessionDep,
-    current_user: CurrentUser,
+    _current_user: CurrentUser,
     permission_id: uuid.UUID,
 ) -> Any:
     """Get a specific permission by ID."""
@@ -63,7 +63,7 @@ def read_permission(
 @router.get("/roles", response_model=RolesPublic)
 def read_roles(
     session: SessionDep,
-    current_user: CurrentUser,
+    _current_user: CurrentUser,
     skip: int = 0,
     limit: int = 100,
 ) -> Any:
@@ -102,7 +102,7 @@ def create_role(
 @router.get("/roles/{role_id}", response_model=RoleWithPermissions)
 def read_role(
     session: SessionDep,
-    current_user: CurrentUser,
+    _current_user: CurrentUser,
     role_id: uuid.UUID,
 ) -> Any:
     """Get a specific role with its permissions."""