32 lines
1.8 KiB
Markdown
32 lines
1.8 KiB
Markdown
# Risks And Gaps
|
|
|
|
This file tracks known gaps and risks to address in future iterations.
|
|
|
|
## Security And Auth
|
|
- Phone normalization is KSA-focused and minimal; broaden for multi-country use.
|
|
- OTP protections are basic; add device fingerprinting and IP throttling if needed.
|
|
- Authentica OTP provider is implemented (SMS + WhatsApp via Authentica OTP).
|
|
- Social login is a placeholder.
|
|
- `USERNAME_FIELD` is now `"phone_number"`; `REQUIRED_FIELDS = []`; `create_superuser` accepts `phone_number`. Admin and `createsuperuser` work correctly for phone-only users.
|
|
|
|
## Booking Integrity
|
|
- Availability checks and overlap prevention are now enforced for staff bookings.
|
|
- **Race condition — fixed:** `BookingCreateSerializer.create()` now locks the staff row with `select_for_update()` inside `transaction.atomic()` and re-runs the overlap check before inserting. Concurrent requests for the same staff slot are serialized at the DB level. Requires PostgreSQL in production (SQLite ignores `FOR UPDATE` but still serializes writes).
|
|
- No timezone handling or business hours enforcement.
|
|
- No cancellation rules or refund logic.
|
|
|
|
## Payments
|
|
- Moyasar payment creation, webhook reconciliation, and idempotency are implemented.
|
|
- Moyasar capture and refund are implemented in the gateway; API endpoints for admin-initiated capture/refund can be added when needed.
|
|
|
|
## Data And UX
|
|
- Ratings are not recalculated from reviews.
|
|
- No image upload or storage strategy for photos.
|
|
- Booking lifecycle notifications are implemented; Authentica can deliver SMS when NOTIFICATION_PROVIDER=authentica.
|
|
- Localization foundations are in progress; full Arabic translation coverage and RTL QA are still pending.
|
|
|
|
## Ops And Compliance
|
|
- No audit logs for admin actions.
|
|
- No multi-tenant isolation or data export tooling.
|
|
- No GDPR/PDPL data retention policies defined.
|