feat: Implement logic to prevent deletion of system tasks and rewards; update APIs and tests accordingly

backend/api/task_api.py

@@ -2,7 +2,7 @@ from flask import Blueprint, request, jsonify
 from tinydb import Query
 
 from api.utils import send_event_for_current_user, get_validated_user_id
-from backend.events.types.child_tasks_set import ChildTasksSet
+from events.types.child_tasks_set import ChildTasksSet
 from db.db import task_db, child_db
 from events.types.event import Event
 from events.types.event_types import EventType
@@ -70,7 +70,14 @@ def delete_task(id):
     if not user_id:
         return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
     TaskQuery = Query()
-    removed = task_db.remove((TaskQuery.id == id) & ((TaskQuery.user_id == user_id) | (TaskQuery.user_id == None)))
+    task = task_db.get(TaskQuery.id == id)
+    if not task:
+        return jsonify({'error': 'Task not found'}), 404
+    if task.get('user_id') is None:
+        import logging
+        logging.warning(f"Forbidden delete attempt on system task: id={id}, by user_id={user_id}")
+        return jsonify({'error': 'System tasks cannot be deleted.'}), 403
+    removed = task_db.remove((TaskQuery.id == id) & (TaskQuery.user_id == user_id))
     if removed:
         # remove the task id from any child's task list
         ChildQuery = Query()