feat: Refactor rides app with unique constraints, mixins, and enhanced documentation

- Added migration to convert unique_together constraints to UniqueConstraint for RideModel.
- Introduced RideFormMixin for handling entity suggestions in ride forms.
- Created comprehensive code standards documentation outlining formatting, docstring requirements, complexity guidelines, and testing requirements.
- Established error handling guidelines with a structured exception hierarchy and best practices for API and view error handling.
- Documented view pattern guidelines, emphasizing the use of CBVs, FBVs, and ViewSets with examples.
- Implemented a benchmarking script for query performance analysis and optimization.
- Developed security documentation detailing measures, configurations, and a security checklist.
- Compiled a database optimization guide covering indexing strategies, query optimization patterns, and computed fields.

backend/apps/accounts/management/commands/reset_db.py

@@ -1,7 +1,15 @@
+"""
+Management command to reset the database and create an admin user.
+
+Security Note: This command uses a mix of raw SQL (for PostgreSQL-specific operations
+like dropping all tables) and Django ORM (for creating users). The raw SQL operations
+use quote_ident() for table/sequence names which is safe from SQL injection.
+
+WARNING: This command is destructive and should only be used in development.
+"""
+
 from django.core.management.base import BaseCommand
 from django.db import connection
-from django.contrib.auth.hashers import make_password
-import uuid
 
 
 class Command(BaseCommand):
@@ -10,7 +18,8 @@ class Command(BaseCommand):
     def handle(self, *args, **options):
         self.stdout.write("Resetting database...")
 
-        # Drop all tables
+        # Drop all tables using PostgreSQL-specific operations
+        # Security: Using quote_ident() to safely quote table/sequence names
         with connection.cursor() as cursor:
             cursor.execute(
                 """
@@ -21,7 +30,7 @@ class Command(BaseCommand):
                         SELECT tablename FROM pg_tables
                         WHERE schemaname = current_schema()
                     ) LOOP
-                        EXECUTE 'DROP TABLE IF EXISTS ' || \
+                        EXECUTE 'DROP TABLE IF EXISTS ' ||
                                 quote_ident(r.tablename) || ' CASCADE';
                     END LOOP;
                 END $$;
@@ -38,7 +47,7 @@ class Command(BaseCommand):
                         SELECT sequencename FROM pg_sequences
                         WHERE schemaname = current_schema()
                     ) LOOP
-                        EXECUTE 'ALTER SEQUENCE ' || \
+                        EXECUTE 'ALTER SEQUENCE ' ||
                                 quote_ident(r.sequencename) || ' RESTART WITH 1';
                     END LOOP;
                 END $$;
@@ -54,51 +63,25 @@ class Command(BaseCommand):
 
         self.stdout.write("Migrations applied.")
 
-        # Create superuser using raw SQL
+        # Create superuser using Django ORM (safer than raw SQL)
         try:
-            with connection.cursor() as cursor:
-                # Create user
-                user_id = str(uuid.uuid4())[:10]
-                cursor.execute(
-                    """
-                    INSERT INTO accounts_user (
-                        username, password, email, is_superuser, is_staff,
-                        is_active, date_joined, user_id, first_name,
-                        last_name, role, is_banned, ban_reason,
-                        theme_preference
-                    ) VALUES (
-                        'admin', %s, 'admin@thrillwiki.com', true, true,
-                        true, NOW(), %s, '', '', 'SUPERUSER', false, '',
-                        'light'
-                    ) RETURNING id;
-                """,
-                    [make_password("admin"), user_id],
-                )
+            from apps.accounts.models import User, UserProfile
 
-                result = cursor.fetchone()
-                if result is None:
-                    raise Exception("Failed to create user - no ID returned")
-                user_db_id = result[0]
+            # Security: Using Django ORM instead of raw SQL for user creation
+            user = User.objects.create_superuser(
+                username='admin',
+                email='admin@thrillwiki.com',
+                password='admin',
+                role='SUPERUSER',
+            )
 
-                # Create profile
-                profile_id = str(uuid.uuid4())[:10]
-                cursor.execute(
-                    """
-                    INSERT INTO accounts_userprofile (
-                        profile_id, display_name, pronouns, bio,
-                        twitter, instagram, youtube, discord,
-                        coaster_credits, dark_ride_credits,
-                        flat_ride_credits, water_ride_credits,
-                        user_id, avatar
-                    ) VALUES (
-                        %s, 'Admin', 'they/them', 'ThrillWiki Administrator',
-                        '', '', '', '',
-                        0, 0, 0, 0,
-                        %s, ''
-                    );
-                """,
-                    [profile_id, user_db_id],
-                )
+            # Create profile using ORM
+            UserProfile.objects.create(
+                user=user,
+                display_name='Admin',
+                pronouns='they/them',
+                bio='ThrillWiki Administrator',
+            )
 
             self.stdout.write("Superuser created.")
         except Exception as e: