fix: correct tojson|safe usage in templates and update validator

- Remove |safe from |tojson in HTML attributes (x-data) - quotes must
  become &quot; for browsers to parse correctly
- Update LANG-002 and LANG-003 architecture rules to document correct
  |tojson usage patterns:
  - HTML attributes: |tojson (no |safe)
  - Script blocks: |tojson|safe
- Fix validator to warn when |tojson|safe is used in x-data (breaks
  HTML attribute parsing)
- Improve code quality across services, APIs, and tests

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-13 22:59:51 +01:00
parent 94d268f330
commit 9920430b9e
123 changed files with 1408 additions and 840 deletions


@@ -67,20 +67,26 @@ class VendorService:
try:
# Validate company_id is provided
if not hasattr(vendor_data, 'company_id') or not vendor_data.company_id:
if not hasattr(vendor_data, "company_id") or not vendor_data.company_id:
raise InvalidVendorDataException(
"company_id is required to create a vendor", field="company_id"
)
# Get company and verify ownership
company = db.query(Company).filter(Company.id == vendor_data.company_id).first()
company = (
db.query(Company).filter(Company.id == vendor_data.company_id).first()
)
if not company:
raise InvalidVendorDataException(
f"Company with ID {vendor_data.company_id} not found", field="company_id"
f"Company with ID {vendor_data.company_id} not found",
field="company_id",
)
# Check if user is company owner or admin
if current_user.role != "admin" and company.owner_user_id != current_user.id:
if (
current_user.role != "admin"
and company.owner_user_id != current_user.id
):
raise UnauthorizedVendorAccessException(
f"company-{vendor_data.company_id}", current_user.id
)
@@ -163,9 +169,7 @@ class VendorService:
)
query = query.filter(
(Vendor.is_active == True)
& (
(Vendor.is_verified == True) | (Vendor.id.in_(owned_vendor_ids))
)
& ((Vendor.is_verified == True) | (Vendor.id.in_(owned_vendor_ids)))
)
else:
# Admin can apply filters
@@ -238,6 +242,7 @@ class VendorService:
VendorNotFoundException: If vendor not found
"""
from sqlalchemy.orm import joinedload
from models.database.company import Company
vendor = (
@@ -272,6 +277,7 @@ class VendorService:
VendorNotFoundException: If vendor not found or inactive
"""
from sqlalchemy.orm import joinedload
from models.database.company import Company
vendor = (
@@ -305,6 +311,7 @@ class VendorService:
VendorNotFoundException: If vendor not found
"""
from sqlalchemy.orm import joinedload
from models.database.company import Company
# Try as integer ID first