From a580511176649cf8ab2367c048de4647caa8f5e4 Mon Sep 17 00:00:00 2001
From: ValueOn AG <p.motsch@valueon.ch>
Date: Fri, 7 Nov 2025 10:23:32 +0100
Subject: [PATCH] 2nd perimeter to ensure mandate id for user in CRUD

---
 modules/interfaces/interfaceDbAppObjects.py | 34 ++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/modules/interfaces/interfaceDbAppObjects.py b/modules/interfaces/interfaceDbAppObjects.py
index da8ec08f..b4f9893e 100644
--- a/modules/interfaces/interfaceDbAppObjects.py
+++ b/modules/interfaces/interfaceDbAppObjects.py
@@ -290,6 +290,18 @@ class AppObjects:
         """Returns the initial ID for a table."""
         return self.db.getInitialId(model_class)
 
+    def _getDefaultMandateId(self) -> str:
+        """Get the default mandate ID, creating it if necessary."""
+        defaultMandateId = self.getInitialId(Mandate)
+        if not defaultMandateId:
+            # If no default mandate exists, create one
+            logger.warning("No default mandate found, creating Root mandate")
+            self._initRootMandate()
+            defaultMandateId = self.getInitialId(Mandate)
+            if not defaultMandateId:
+                raise ValueError("Failed to get or create default mandate")
+        return defaultMandateId
+
     def _getPasswordHash(self, password: str) -> str:
         """Creates a hash for a password."""
         return pwdContext.hash(password)
@@ -451,13 +463,19 @@ class AppObjects:
                 if not password.strip():
                     raise ValueError("Password cannot be empty")
 
+            # Ensure mandateId is set - use self.mandateId or default mandate
+            mandateId = self.mandateId
+            if not mandateId:
+                mandateId = self._getDefaultMandateId()
+                logger.warning(f"Using default mandate ID {mandateId} for new user {username}")
+
             # Create user data using UserInDB model
             userData = UserInDB(
                 username=username,
                 email=email,
                 fullName=fullName,
                 language=language,
-                mandateId=self.mandateId,
+                mandateId=mandateId,
                 enabled=enabled,
                 privilege=privilege,
                 authenticationAuthority=authenticationAuthority,
@@ -515,11 +533,25 @@ class AppObjects:
             # Remove id field from updateDict if present - we'll use userId from parameter
             updateDict.pop("id", None)
 
+            # Ensure mandateId is set - if missing or None, use default mandate
+            if "mandateId" not in updateDict or not updateDict.get("mandateId"):
+                if not user.mandateId:
+                    # User has no mandateId, set to default
+                    defaultMandateId = self._getDefaultMandateId()
+                    updateDict["mandateId"] = defaultMandateId
+                    logger.warning(f"Setting default mandate ID {defaultMandateId} for user {userId}")
+                else:
+                    # Keep existing mandateId if update doesn't provide one
+                    updateDict["mandateId"] = user.mandateId
+
             # Update user data using model
             updatedData = user.model_dump()
             updatedData.update(updateDict)
             # Ensure ID matches userId parameter
             updatedData["id"] = userId
+            # Ensure mandateId is set in final data
+            if not updatedData.get("mandateId"):
+                updatedData["mandateId"] = self._getDefaultMandateId()
             updatedUser = User(**updatedData)
 
             # Update user record