fix: Add missing API endpoints and validation improvements

- Add cancel_sprint and delete_sprint endpoints to sprints.py - Add unassign_issue endpoint to issues.py - Add remove_issue_from_sprint endpoint to sprints.py - Add CRUD methods: remove_sprint_from_issues, unassign, remove_from_sprint - Add validation to prevent closed issues in active/planned sprints - Add authorization tests for SSE events endpoint - Fix IDOR vulnerabilities in agents.py and projects.py - Add Syndarix models migration (0004) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-30 15:39:51 +01:00
parent b43fa8ace2
commit cea97afe25
10 changed files with 1156 additions and 74 deletions
--- a/backend/app/crud/syndarix/sprint.py
+++ b/backend/app/crud/syndarix/sprint.py
@@ -185,9 +185,18 @@ class CRUDSprint(CRUDBase[Sprint, SprintCreate, SprintUpdate]):
        sprint_id: UUID,
        start_date: date | None = None,
    ) -> Sprint | None:
-        """Start a planned sprint."""
+        """Start a planned sprint.
+
+        Uses row-level locking (SELECT FOR UPDATE) to prevent race conditions
+        when multiple requests try to start sprints concurrently.
+        """
        try:
-            result = await db.execute(select(Sprint).where(Sprint.id == sprint_id))
+            # Lock the sprint row to prevent concurrent modifications
+            result = await db.execute(
+                select(Sprint)
+                .where(Sprint.id == sprint_id)
+                .with_for_update()
+            )
            sprint = result.scalar_one_or_none()

            if not sprint:
@@ -198,8 +207,17 @@ class CRUDSprint(CRUDBase[Sprint, SprintCreate, SprintUpdate]):
                    f"Cannot start sprint with status {sprint.status.value}"
                )

-            # Check for existing active sprint in project
-            active_sprint = await self.get_active_sprint(db, project_id=sprint.project_id)
+            # Check for existing active sprint with lock to prevent race condition
+            # Lock all sprints for this project to ensure atomic check-and-update
+            active_check = await db.execute(
+                select(Sprint)
+                .where(
+                    Sprint.project_id == sprint.project_id,
+                    Sprint.status == SprintStatus.ACTIVE,
+                )
+                .with_for_update()
+            )
+            active_sprint = active_check.scalar_one_or_none()
            if active_sprint:
                raise ValueError(
                    f"Project already has an active sprint: {active_sprint.name}"