fix(backend): post-review fixes sprint 2

- test_simulations_patch: remove false dict return annotation on _patch helper - simulation_workflow: validate executed_at upfront before any setattr (prevents partial mutation on bad payload) - api/simulations: remove unreachable role check in update_simulation (all valid roles are admin/redteam/soc) - Dockerfile: remove redundant COPY backend/data/ (already covered by COPY backend/) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-26 11:21:32 +02:00
parent 765bb5a1a4
commit 83bf60fb30
4 changed files with 40 additions and 18 deletions
--- a/backend/app/api/simulations.py
+++ b/backend/app/api/simulations.py
@@ -80,9 +80,6 @@ def update_simulation(sid: int):
        return jsonify({"error": "Simulation not found"}), 404

    user = g.current_user
-    if user.role.value not in ("admin", "redteam", "soc"):
-        return jsonify({"error": "Forbidden"}), 403
-
    data = request.get_json(silent=True) or {}
    if not data:
        return jsonify(serialize_simulation(sim)), 200
--- a/backend/app/services/simulation_workflow.py
+++ b/backend/app/services/simulation_workflow.py
@@ -79,18 +79,21 @@ def apply_patch(
        # admin / redteam: apply all fields present.
        redteam_keys_present = REDTEAM_FIELDS & payload.keys()

+        # Validate executed_at before any writes so a bad value causes no partial mutation.
+        executed_at_value: datetime | None = None
+        if "executed_at" in redteam_keys_present:
+            val = payload["executed_at"]
+            if val is not None:
+                if not isinstance(val, str):
+                    return jsonify({"error": "invalid executed_at"}), 400
+                try:
+                    executed_at_value = datetime.fromisoformat(val)
+                except ValueError:
+                    return jsonify({"error": "invalid executed_at"}), 400
+
        for field in redteam_keys_present:
            if field == "executed_at":
-                val = payload["executed_at"]
-                if val is None:
-                    simulation.executed_at = None
-                else:
-                    if not isinstance(val, str):
-                        return jsonify({"error": "invalid executed_at"}), 400
-                    try:
-                        simulation.executed_at = datetime.fromisoformat(val)
-                    except ValueError:
-                        return jsonify({"error": "invalid executed_at"}), 400
+                simulation.executed_at = executed_at_value
            else:
                setattr(simulation, field, payload[field])