feat: Implement logic to prevent deletion of system tasks and rewards; update APIs and tests accordingly

backend/api/auth_api.py

@@ -3,7 +3,7 @@ import secrets, jwt
 from datetime import datetime, timedelta, timezone
 from models.user import User
 from flask import Blueprint, request, jsonify, current_app
-from backend.utils.email_instance import email_sender
+from utils.email_instance import email_sender
 from tinydb import Query
 import os
 

backend/api/image_api.py

@@ -1,4 +1,6 @@
 import os
+UPLOAD_FOLDER = os.path.abspath(os.path.join(os.path.dirname(__file__), '../../data/images'))
+import os
 
 from PIL import Image as PILImage, UnidentifiedImageError
 from flask import Blueprint, request, jsonify, send_file

backend/api/reward_api.py

@@ -2,7 +2,7 @@ from flask import Blueprint, request, jsonify
 from tinydb import Query
 
 from api.utils import send_event_for_current_user, get_validated_user_id
-from backend.events.types.child_rewards_set import ChildRewardsSet
+from events.types.child_rewards_set import ChildRewardsSet
 from db.db import reward_db, child_db
 from events.types.event import Event
 from events.types.event_types import EventType
@@ -72,7 +72,14 @@ def delete_reward(id):
     if not user_id:
         return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
     RewardQuery = Query()
-    removed = reward_db.remove((RewardQuery.id == id) & ((RewardQuery.user_id == user_id) | (RewardQuery.user_id == None)))
+    reward = reward_db.get(RewardQuery.id == id)
+    if not reward:
+        return jsonify({'error': 'Reward not found'}), 404
+    if reward.get('user_id') is None:
+        import logging
+        logging.warning(f"Forbidden delete attempt on system reward: id={id}, by user_id={user_id}")
+        return jsonify({'error': 'System rewards cannot be deleted.'}), 403
+    removed = reward_db.remove((RewardQuery.id == id) & (RewardQuery.user_id == user_id))
     if removed:
         # remove the reward id from any child's reward list
         ChildQuery = Query()
@@ -81,7 +88,7 @@ def delete_reward(id):
             if id in rewards:
                 rewards.remove(id)
                 child_db.update({'rewards': rewards}, ChildQuery.id == child.get('id'))
-                send_event_for_current_user(Event(EventType.CHILD_REWARD_SET.value, ChildRewardsSet(id, rewards)))
+                send_event_for_current_user(Event(EventType.CHILD_REWARDS_SET.value, ChildRewardsSet(id, rewards)))
         send_event_for_current_user(Event(EventType.REWARD_MODIFIED.value, RewardModified(id, RewardModified.OPERATION_DELETE)))
         return jsonify({'message': f'Reward {id} deleted.'}), 200
     return jsonify({'error': 'Reward not found'}), 404

backend/api/task_api.py

@@ -2,7 +2,7 @@ from flask import Blueprint, request, jsonify
 from tinydb import Query
 
 from api.utils import send_event_for_current_user, get_validated_user_id
-from backend.events.types.child_tasks_set import ChildTasksSet
+from events.types.child_tasks_set import ChildTasksSet
 from db.db import task_db, child_db
 from events.types.event import Event
 from events.types.event_types import EventType
@@ -70,7 +70,14 @@ def delete_task(id):
     if not user_id:
         return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
     TaskQuery = Query()
-    removed = task_db.remove((TaskQuery.id == id) & ((TaskQuery.user_id == user_id) | (TaskQuery.user_id == None)))
+    task = task_db.get(TaskQuery.id == id)
+    if not task:
+        return jsonify({'error': 'Task not found'}), 404
+    if task.get('user_id') is None:
+        import logging
+        logging.warning(f"Forbidden delete attempt on system task: id={id}, by user_id={user_id}")
+        return jsonify({'error': 'System tasks cannot be deleted.'}), 403
+    removed = task_db.remove((TaskQuery.id == id) & (TaskQuery.user_id == user_id))
     if removed:
         # remove the task id from any child's task list
         ChildQuery = Query()