Fix code review issues and improve robustness

Author: trucodd

backend/apps/nest/management/commands/nest_update_badges.py

@@ -43,16 +43,14 @@ def update_owasp_staff_badge(self):
             self.stdout.write(f"Created badge: {badge.name}")
 
         # Assign badge to employees who don't have it.
-        employees_without_badge = User.objects.filter(
-            is_owasp_staff=True,
-        ).exclude(
-            user_badges__badge=badge,
+        employees_missing_or_inactive = User.objects.filter(is_owasp_staff=True).exclude(
+            badges__badge=badge, badges__is_active=True
         )
-        count = employees_without_badge.count()
+        count = employees_missing_or_inactive.count()
 
         if count:
-            for user in employees_without_badge:
-                user_badge, created = UserBadge.objects.get_or_create(user=user, badge=badge)
+            for user in employees_missing_or_inactive:
+                user_badge, _ = UserBadge.objects.get_or_create(user=user, badge=badge)
                 if not user_badge.is_active:
                     user_badge.is_active = True
                     user_badge.save(update_fields=["is_active"])
@@ -98,12 +96,14 @@ def update_waspy_award_badge(self):
         ).distinct()
 
         # Assign badge to WASPY award winners who don't have it
-        users_without_badge = waspy_award_users.exclude(badges__badge=badge)
-        count = users_without_badge.count()
+        users_missing_or_inactive = waspy_award_users.exclude(
+            badges__badge=badge, badges__is_active=True
+        )
+        count = users_missing_or_inactive.count()
 
         if count:
-            for user in users_without_badge:
-                user_badge, created = UserBadge.objects.get_or_create(user=user, badge=badge)
+            for user in users_missing_or_inactive:
+                user_badge, _ = UserBadge.objects.get_or_create(user=user, badge=badge)
                 if not user_badge.is_active:
                     user_badge.is_active = True
                     user_badge.save(update_fields=["is_active"])

backend/apps/owasp/management/commands/owasp_sync_awards.py

@@ -11,6 +11,10 @@
 
 logger = logging.getLogger(__name__)
 
+# Year validation constants
+MIN_VALID_YEAR = 1900
+MAX_VALID_YEAR = 2100
+
 
 class Command(BaseCommand):
     help = "Import awards from the OWASP awards YAML file"
@@ -19,55 +23,112 @@ def handle(self, *args, **kwargs) -> None:
         """Handle the command execution."""
         self.stdout.write("Syncing OWASP awards...")
 
-        data = yaml.safe_load(
-            get_repository_file_content(
-                "https://raw.githubusercontent.com/OWASP/owasp.github.io/main/_data/awards.yml"
+        url = "https://raw.githubusercontent.com/OWASP/owasp.github.io/main/_data/awards.yml"
+        raw = get_repository_file_content(url)
+        if not raw:
+            self.stderr.write(self.style.WARNING("No awards data fetched; aborting."))
+            return
+        try:
+            data = yaml.safe_load(raw) or []
+        except yaml.YAMLError as e:
+            self.stderr.write(self.style.ERROR(f"Failed to parse awards YAML: {e}"))
+            return
+        if not isinstance(data, list):
+            self.stderr.write(
+                self.style.WARNING("Unexpected awards YAML structure; expected a list.")
             )
-        )
+            return
 
         awards_to_save = []
+        skipped_count = 0
         for item in data:
             if item.get("type") == "award":
                 winners = item.get("winners", [])
                 for winner in winners:
                     award = self._create_or_update_award(item, winner)
                     if award:
                         awards_to_save.append(award)
+                    else:
+                        skipped_count += 1
 
-        Award.bulk_save(awards_to_save)
+        Award.bulk_save(awards_to_save, fields=("category", "description", "year", "user"))
         self.stdout.write(self.style.SUCCESS(f"Successfully synced {len(awards_to_save)} awards"))
+        if skipped_count:
+            self.stdout.write(
+                self.style.WARNING(f"Skipped {skipped_count} awards due to invalid data")
+            )
 
     def _create_or_update_award(self, award_data, winner_data):
         """Create or update award instance."""
-        name = f"{award_data['title']} - {winner_data['name']} ({award_data['year']})"
+        # Safely extract values with defaults
+        title = award_data.get("title", "")
+        category = award_data.get("category", "")
+
+        # Validate and parse year
+        try:
+            year = int(award_data.get("year", 0))
+            if year <= 0 or year < MIN_VALID_YEAR or year > MAX_VALID_YEAR:
+                logger.warning("Invalid year %s for award %s, skipping", year, title)
+                return None
+        except (ValueError, TypeError):
+            logger.warning(
+                "Could not parse year %s for award %s, skipping", award_data.get("year"), title
+            )
+            return None
+
+        # Handle winner_data being string or dict
+        if isinstance(winner_data, str):
+            winner_name = winner_data
+            winner_info = ""
+        else:
+            # Prefer explicit GitHub login over name
+            login = winner_data.get("login") or winner_data.get("github")
+            if login:
+                login = login.lstrip("@")
+                # Skip bot accounts
+                if "bot" in login.lower() or login.lower().endswith("[bot]"):
+                    logger.warning("Skipping bot account: %s", login)
+                    return None
+                winner_name = login
+            else:
+                winner_name = winner_data.get("name", "")
+            winner_info = winner_data.get("info", "")
+
+        name = f"{title} - {winner_name} ({year})"
 
         try:
             award = Award.objects.get(name=name)
         except Award.DoesNotExist:
             award = Award(name=name)
 
-        award.category = award_data.get("category", "")
-        award.description = winner_data.get("info", "")
-        award.year = award_data.get("year", 0)
+        award.category = category
+        award.description = winner_info
+        award.year = year
 
-        # Try to match user by name
-        user = self._match_user(winner_data["name"])
-        if user:
-            award.user = user
-        else:
-            logger.warning("Could not match user for award winner: %s", winner_data["name"])
+        # Only set user if not already reviewed
+        if not (award.user and award.is_reviewed):
+            user = self._match_user(winner_name)
+            if user:
+                award.user = user
+            else:
+                logger.warning("Could not match user for award winner: %s", winner_name)
 
         return award
 
     def _match_user(self, winner_name):
         """Try to match award winner with existing user."""
-        # Try exact name match first
-        user = User.objects.filter(name__iexact=winner_name).first()
-        if user:
-            return user
+        winner_name = winner_name.strip()
 
-        # Try login match (GitHub username)
-        user = User.objects.filter(login__iexact=winner_name).first()
+        # Check if it looks like a GitHub handle
+        if winner_name.startswith("@") or (" " not in winner_name and winner_name):
+            # Strip leading @ and try login match first
+            login_name = winner_name.lstrip("@")
+            user = User.objects.filter(login__iexact=login_name).first()
+            if user:
+                return user
+
+        # Try exact name match
+        user = User.objects.filter(name__iexact=winner_name).first()
         if user:
             return user
 

backend/apps/owasp/models/award.py

@@ -15,10 +15,16 @@ class Meta:
         indexes = [
             models.Index(fields=["-year"], name="award_year_desc_idx"),
         ]
+        constraints = [
+            models.UniqueConstraint(
+                fields=["category", "name", "year"],
+                name="uniq_award_cat_name_year",
+            ),
+        ]
         verbose_name_plural = "Awards"
 
     category = models.CharField(verbose_name="Category", max_length=100)
-    name = models.CharField(verbose_name="Name", max_length=255, unique=True)
+    name = models.CharField(verbose_name="Name", max_length=255)
     description = models.TextField(verbose_name="Description", blank=True, default="")
     year = models.IntegerField(verbose_name="Year")
     is_reviewed = models.BooleanField(