fix(backend): harden bulk endpoints and redact pdf-queue email for non-admins

- W1: _parse_ids_param now returns 400 on non-integer input instead of 500
- W2: bulk_delete_scholars wraps commit in IntegrityError guard; router
  catches ScholarServiceError → 409
- W3: Move `from typing import Any` to top-level import in application.py
- W4: Redact requested_by_email in PDF queue response for non-admin users
This commit is contained in:
Justin Visser 2026-03-07 17:57:37 +01:00
parent c85fa08b7b
commit f8e3098fc3
3 changed files with 30 additions and 13 deletions

View file

@ -1,6 +1,7 @@
from __future__ import annotations
import os
from typing import Any
from uuid import uuid4
from sqlalchemy.exc import IntegrityError
@ -52,7 +53,11 @@ async def bulk_delete_scholars(
_safe_remove_upload(upload_root, profile.profile_image_upload_path)
for profile in profiles:
await db_session.delete(profile)
await db_session.commit()
try:
await db_session.commit()
except IntegrityError as exc:
await db_session.rollback()
raise ScholarServiceError("Unable to bulk-delete scholars due to a database constraint.") from exc
return len(profiles)
@ -63,8 +68,6 @@ async def bulk_toggle_scholars(
scholar_profile_ids: list[int],
is_enabled: bool,
) -> int:
from typing import Any
from sqlalchemy import CursorResult, update
cursor: CursorResult[Any] = await db_session.execute( # type: ignore[assignment]