Wrap the overlap query and Booking.objects.create() in a single
transaction.atomic() block inside BookingCreateSerializer.create().
Lock the StaffProfile row with select_for_update() so concurrent
requests for the same staff slot are serialized at the DB level;
only one writer can hold the lock at a time, eliminating the race
window between validate() and save().
The early check in validate() is kept for fast user feedback in
the common non-concurrent case. The locked re-check in create()
is the correctness guarantee.
On SQLite (dev/tests) FOR UPDATE is silently ignored but writes
are still serialized. PostgreSQL (production) gets row-level locking.
Update docs/risks.md to mark the race condition as fixed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- USERNAME_FIELD = "phone_number" (was "email") — email is optional on
this platform; most customers will be phone-only
- Add REQUIRED_FIELDS = [] to make the intent explicit
- Update create_superuser to accept phone_number as the identifier and
pass it through to create_user as a keyword argument
- All 35 backend tests pass
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- ADR 0001: distinguish payment/OTP (sync by design) from notifications
(fire-and-forget); correct misleading claim that notification failures
surface to clients — they are silently absorbed as FAILED status
- risks.md: upgrade USERNAME_FIELD entry with concrete breakage (admin,
create_superuser, JWT lookup); add booking overlap race condition with
root cause and fix (select_for_update)
- architecture.md: document notification/OTP provider coupling as an MVP
shortcut and note the Phase 2 fix (dedicated NotificationProvider)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implemented localization foundations across backend and frontend (locale settings/middleware, preferred language, i18n wiring, RTL support, minimal Arabic UI strings, Accept-Language).
Added targeted backend and frontend tests plus a risks note for pending full translation coverage.
mohd