From ed2adc96842f24e19fe896ea90dcc21599c72e22 Mon Sep 17 00:00:00 2001 From: Ananya Date: Wed, 25 Feb 2026 19:08:25 +0530 Subject: [PATCH 1/3] fix: improve production security and cross-platform compatibility --- web/settings.py | 8 ++++++-- web/views.py | 13 ++++++++++++- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/web/settings.py b/web/settings.py index 5ca9d0023..60fa59a5f 100644 --- a/web/settings.py +++ b/web/settings.py @@ -47,10 +47,14 @@ # Helpful notice for ops without breaking startup print("Sentry DSN not configured; error events will not be sent.") -SECRET_KEY = env.str("SECRET_KEY", default="django-insecure-5kyff0s@l_##j3jawec5@b%!^^e(j7v)ouj4b7q6kru#o#a)o3") -# Debug settings +# Debug settings - must be defined before SECRET_KEY validation ENVIRONMENT = env.str("ENVIRONMENT", default="development") +if ENVIRONMENT == "production" and not env.str("SECRET_KEY", default=""): + raise ValueError("SECRET_KEY environment variable must be set in production") + +SECRET_KEY = env.str("SECRET_KEY", default="django-insecure-5kyff0s@l_##j3jawec5@b%!^^e(j7v)ouj4b7q6kru#o#a)o3") + # Default DEBUG to False for security DEBUG = False diff --git a/web/views.py b/web/views.py index 8dd972d98..661d160f6 100644 --- a/web/views.py +++ b/web/views.py 
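Review bot: The production guard added in the web/settings.py hunk only fires when `ENVIRONMENT` is exactly `"production"`, so any other value (a misspelling such as `prod`, or the unset default `"development"`) still starts the site with the hard-coded `django-insecure-…` fallback key committed in this file. Inverting the test so the fallback is allowed only for an explicit development setting covers the misspelling case: `if ENVIRONMENT != "development" and not env.str("SECRET_KEY", default=""):`. An unset `ENVIRONMENT` would still fall through because of the default, so the deployment docs should state that it must be set on servers. The same `ENVIRONMENT == "production"` gate is carried into the web/settings.py hunk of [PATCH 2/3]. Raising `django.core.exceptions.ImproperlyConfigured` instead of `ValueError` would match how Django reports settings errors.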
@@ -1114,7 +1114,18 @@ def run_cmd(cmd): break # Always attempt a reload so code changes take effect (application systemd unit) - subprocess.run(["/bin/systemctl", "restart", "education-website"], capture_output=True) + # Only attempt systemctl restart on Linux systems where it's available + import platform + + if platform.system() == "Linux": + try: + subprocess.run( + ["/bin/systemctl", "restart", "education-website"], capture_output=True, check=False, timeout=30 + ) + except (FileNotFoundError, subprocess.TimeoutExpired) as e: + log_lines.append(f"Service restart failed: {e}") + else: + log_lines.append("Skipped service restart (not on Linux system)") # Slack summary (truncate to avoid long messages) slack_msg = ( From 6178b33cf3a4cb514346d9246331a1c56c3b7a8f Mon Sep 17 00:00:00 2001 From: Ananya Date: Wed, 25 Feb 2026 19:26:39 +0530 Subject: [PATCH 2/3] fixes --- web/settings.py | 9 +++++++-- web/views.py | 15 +++++++++++++-- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/web/settings.py b/web/settings.py index 60fa59a5f..1471ec2e2 100644 --- a/web/settings.py +++ b/web/settings.py @@ -50,10 +50,15 @@ # Debug settings - must be defined before SECRET_KEY validation ENVIRONMENT = env.str("ENVIRONMENT", default="development") -if ENVIRONMENT == "production" and not env.str("SECRET_KEY", default=""): +# Read and validate SECRET_KEY with proper whitespace handling +raw_secret_key = env.str("SECRET_KEY", default="") +SECRET_KEY = raw_secret_key.strip() if raw_secret_key else "" + +if ENVIRONMENT == "production" and not SECRET_KEY: raise ValueError("SECRET_KEY environment variable must be set in production") -SECRET_KEY = env.str("SECRET_KEY", default="django-insecure-5kyff0s@l_##j3jawec5@b%!^^e(j7v)ouj4b7q6kru#o#a)o3") +if not SECRET_KEY: + SECRET_KEY = "django-insecure-5kyff0s@l_##j3jawec5@b%!^^e(j7v)ouj4b7q6kru#o#a)o3" # Default DEBUG to False for security DEBUG = False diff --git a/web/views.py b/web/views.py index 661d160f6..4e23342de 100644 
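Review bot: In the [PATCH 1/3] web/views.py hunk, the retained comment `# Always attempt a reload so code changes take effect (application systemd unit)` now contradicts the branch directly below it, which skips the restart on non-Linux hosts. I would merge the two comments into one, e.g. `# Restart the application systemd unit so code changes take effect (Linux hosts only)`. The function-local `import platform` in the middle of the body would also read better in the module's import block, which is not visible here. The enclosing function starts and ends outside the hunk.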
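Review bot: In the [PATCH 2/3] web/settings.py hunk, the production check tests only that `SECRET_KEY` is non-empty, so a production environment that sets the variable to the committed fallback value, or to any other `django-insecure-` placeholder, passes validation. Rejecting the placeholder prefix closes that case: `if ENVIRONMENT == "production" and (not SECRET_KEY or SECRET_KEY.startswith("django-insecure-")):`. Separately, `raw_secret_key.strip() if raw_secret_key else ""` can be `env.str("SECRET_KEY", default="").strip()`, since the default already guarantees a string; that also avoids leaving the raw value in a second module-level name.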
--- a/web/views.py +++ b/web/views.py @@ -1116,14 +1116,25 @@ def run_cmd(cmd): # Always attempt a reload so code changes take effect (application systemd unit) # Only attempt systemctl restart on Linux systems where it's available import platform + import shutil if platform.system() == "Linux": + systemctl_path = shutil.which("systemctl") or "/usr/bin/systemctl" try: - subprocess.run( - ["/bin/systemctl", "restart", "education-website"], capture_output=True, check=False, timeout=30 + proc = subprocess.run( + [systemctl_path, "restart", "education-website"], + capture_output=True, + check=False, + timeout=30, + text=True, ) + log_lines.append(f"systemctl restart rc={proc.returncode}") + if proc.returncode != 0: + log_lines.append(f"Service restart failed: {proc.stderr[:200] if proc.stderr else 'non-zero exit'}") + ok = False except (FileNotFoundError, subprocess.TimeoutExpired) as e: log_lines.append(f"Service restart failed: {e}") + ok = False else: log_lines.append("Skipped service restart (not on Linux system)") From adee35931ba636cb2315b79f15e3372cac05918e Mon Sep 17 00:00:00 2001 From: Ananya Date: Sun, 1 Mar 2026 08:56:25 +0530 Subject: [PATCH 3/3] fixes --- web/views.py | 40 ++++++++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/web/views.py b/web/views.py index 198cd4be5..b30839cf9 100644 --- a/web/views.py +++ b/web/views.py 
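Review bot: The `subprocess.TimeoutExpired` branch in the web/views.py hunk records "Service restart failed" and sets `ok = False`, but a timeout only means the `systemctl` client was killed after 30 seconds; the restart job it queued with systemd likely keeps running and may still succeed. Handling the timeout on its own keeps the log and the Slack summary accurate: `except subprocess.TimeoutExpired:` followed by `log_lines.append("Service restart timed out after 30s; unit state unknown")`. The same `except` tuple is carried into the [PATCH 3/3] hunk. The enclosing function starts and ends outside the hunk.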
@@ -1120,22 +1120,30 @@ def run_cmd(cmd): import shutil if platform.system() == "Linux": - systemctl_path = shutil.which("systemctl") or "/usr/bin/systemctl" - try: - proc = subprocess.run( - [systemctl_path, "restart", "education-website"], - capture_output=True, - check=False, - timeout=30, - text=True, - ) - log_lines.append(f"systemctl restart rc={proc.returncode}") - if proc.returncode != 0: - log_lines.append(f"Service restart failed: {proc.stderr[:200] if proc.stderr else 'non-zero exit'}") - ok = False - except (FileNotFoundError, subprocess.TimeoutExpired) as e: - log_lines.append(f"Service restart failed: {e}") + trusted_systemctl_paths = ("/bin/systemctl", "/usr/bin/systemctl") + systemctl_path = next( + (p for p in trusted_systemctl_paths if os.path.isfile(p) and os.access(p, os.X_OK)), + None, + ) + if not systemctl_path: + log_lines.append("Service restart failed: systemctl not found in trusted paths") ok = False + else: + try: + proc = subprocess.run( + [systemctl_path, "restart", "education-website"], + capture_output=True, + check=False, + timeout=30, + text=True, + ) + log_lines.append(f"systemctl restart rc={proc.returncode}") + if proc.returncode != 0: + log_lines.append(f"Service restart failed: {proc.stderr[:200] if proc.stderr else 'non-zero exit'}") + ok = False + except (OSError, subprocess.TimeoutExpired) as e: + log_lines.append(f"Service restart failed: {e}") + ok = False else: log_lines.append("Skipped service restart (not on Linux system)") @@ -3519,7 +3527,7 @@ def system_status(request): status["sendgrid"]["message"] = f"API Error: {str(e)}" else: status["sendgrid"]["status"] = "error" - + if settings.DEBUG: status["sendgrid"]["message"] = "SendGrid API key not configured" else:
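Review bot: The first web/views.py hunk removes the only visible use of `shutil` (`shutil.which`) but keeps `import shutil` as context at its top, so the import appears to be unused now and should be dropped unless something outside the hunk still needs it. The new lookup also depends on `os` being imported at module level, which is not visible here. Separately, `text=True` decodes stderr strictly, and a `UnicodeDecodeError` is a `ValueError`, not an `OSError`, so it would escape the `except (OSError, subprocess.TimeoutExpired)` clause; passing `errors="replace"` to `subprocess.run` avoids that. The enclosing function starts and ends outside the hunk.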