Fix performance and security issues

- Disable SQLALCHEMY_TRACK_MODIFICATIONS (perf)
- Fix N+1 query in activities by using joined relationship
- Remove raw exception messages from API responses
- Fix Activity.register() to commit properly
- Remove unnecessary @DataClass decorators from models

Author: level09

enferno/portal/views.py

@@ -118,8 +118,8 @@ def create_workspace():
                 "workspace": workspace.to_dict(),
             }
         )
-    except Exception as e:
-        return jsonify({"error": str(e)}), 500
+    except Exception:
+        return jsonify({"error": "Failed to create workspace"}), 500
 
 
 @portal.get("/api/workspace/<int:workspace_id>/stats")
@@ -147,9 +147,9 @@ def workspace_update(workspace_id):
     try:
         db.session.commit()
         return jsonify({"message": "Workspace updated successfully"})
-    except Exception as e:
+    except Exception:
         db.session.rollback()
-        return jsonify({"message": "Failed to update workspace", "error": str(e)}), 400
+        return jsonify({"error": "Failed to update workspace"}), 400
 
 
 @portal.put("/api/profile")
@@ -168,9 +168,9 @@ def profile_update():
     try:
         db.session.commit()
         return jsonify({"message": "Profile updated successfully"})
-    except Exception as e:
+    except Exception:
         db.session.rollback()
-        return jsonify({"message": "Failed to update profile", "error": str(e)}), 400
+        return jsonify({"error": "Failed to update profile"}), 400
 
 
 @portal.post("/api/workspace/<int:workspace_id>/members")

enferno/settings.py

@@ -42,7 +42,7 @@ class Config:
     )
     # for postgres
     # SQLALCHEMY_DATABASE_URI = os.environ.get('SQLALCHEMY_DATABASE_URI', 'postgresql:///enferno')
-    SQLALCHEMY_TRACK_MODIFICATIONS = True
+    SQLALCHEMY_TRACK_MODIFICATIONS = False
 
     # Celery configuration - only set if Redis available and configured
     CELERY_BROKER_URL = os.environ.get("CELERY_BROKER_URL") if REDIS_AVAILABLE else None

enferno/user/models.py

@@ -1,4 +1,3 @@
-import dataclasses
 import secrets
 import string
 from datetime import datetime
@@ -23,7 +22,6 @@
 )
 
 
-@dataclasses.dataclass
 class Role(db.Model, RoleMixin, BaseMixin):
     id = db.Column(db.Integer, primary_key=True)
     name = db.Column(db.String(80), unique=True, nullable=True)
@@ -38,7 +36,6 @@ def from_dict(self, json_dict):
         return self
 
 
-@dataclasses.dataclass
 class User(UserMixin, db.Model, BaseMixin):
     id = db.Column(db.Integer, primary_key=True)
     username = db.Column(db.String(255), unique=True, nullable=True)
@@ -229,15 +226,12 @@ class Activity(db.Model, BaseMixin):
 
     @classmethod
     def register(cls, user_id, action, data=None, workspace_id=None):
-        """Register an activity for audit purposes (optionally workspace-scoped).
-
-        Note: Does not commit - caller is responsible for transaction management.
-        This prevents activity logging from rolling back other pending changes.
-        """
+        """Register an activity for audit purposes (optionally workspace-scoped)."""
         activity = cls(
             user_id=user_id, action=action, data=data, workspace_id=workspace_id
         )
         db.session.add(activity)
+        db.session.commit()
         return activity
 
 
@@ -249,7 +243,6 @@ class StripeEvent(db.Model, BaseMixin):
     event_type = db.Column(db.String(128), nullable=True)
 
 
-@dataclasses.dataclass
 class Workspace(db.Model, BaseMixin):
     id = db.Column(db.Integer, primary_key=True)
     name = db.Column(db.String(255), nullable=False)
@@ -294,7 +287,6 @@ def generate_slug(name):
         return slugify(name)
 
 
-@dataclasses.dataclass
 class Membership(db.Model, BaseMixin):
     workspace_id = db.Column(
         db.Integer, db.ForeignKey("workspace.id", ondelete="CASCADE"), primary_key=True

enferno/user/views.py

@@ -135,9 +135,9 @@ def api_user_create():
         db.session.commit()
         Activity.register(current_user.id, "User Create", user.to_dict())
         return jsonify({"message": "User successfully created!"})
-    except Exception as e:
+    except Exception:
         db.session.rollback()
-        return jsonify({"error": str(e)}), 400
+        return jsonify({"error": "Failed to create user"}), 400
 
 
 @bp_user.post("/api/user/<int:id>")
@@ -172,9 +172,9 @@ def api_user_update(id):
             {"old": old_user_data, "new": user.to_dict()},
         )
         return jsonify({"message": "User successfully updated!"})
-    except Exception as e:
+    except Exception:
         db.session.rollback()
-        return jsonify({"error": str(e)}), 400
+        return jsonify({"error": "Failed to update user"}), 400
 
 
 @bp_user.delete("/api/user/<int:id>")
@@ -204,9 +204,9 @@ def api_user_delete(id):
         db.session.commit()
         Activity.register(current_user.id, "User Delete", user_data)
         return jsonify({"message": "User successfully deleted!"})
-    except Exception as e:
+    except Exception:
         db.session.rollback()
-        return jsonify({"error": str(e)}), 400
+        return jsonify({"error": "Failed to delete user"}), 400
 
 
 @bp_user.get("/activities/")
@@ -222,18 +222,17 @@ def api_activities():
     query = db.select(Activity).order_by(Activity.created_at.desc())
     pagination = db.paginate(query, page=page, per_page=per_page)
 
-    def activity_to_dict(activity):
-        """Convert activity to dict with user info"""
-        user = db.session.get(User, activity.user_id)
-        return {
+    # Activity.user relationship is lazy="joined", so user is already loaded
+    items = [
+        {
             "id": activity.id,
-            "user": user.display_name if user else f"User ID: {activity.user_id}",
+            "user": activity.user.display_name if activity.user else f"User ID: {activity.user_id}",
             "action": activity.action,
             "data": activity.data,
             "created_at": activity.created_at.strftime("%Y-%m-%d %H:%M:%S"),
         }
-
-    items = [activity_to_dict(activity) for activity in pagination.items]
+        for activity in pagination.items
+    ]
 
     return Response(
         json.dumps(