fix: Add table name whitelist to prevent SQL injection in project deletion

The DELETE query loop in Project.delete() interpolated table names directly into an f-string. Added an explicit whitelist with a validation check before each query to prevent SQL injection if table names ever become user-controlled. Flagged by Bandit (B608) and Semgrep.

Author: WiamSkakri

backend/models/postgis/project.py

@@ -926,10 +926,15 @@ async def delete(self, db: Database):
             "project_partnerships",
         ]
 
+        # Whitelist of allowed table names to prevent SQL injection via
+        # dynamic table name interpolation, since table names cannot be parameterized.
+        allowed_tables = set(related_tables)
+
         # Start a transaction to ensure atomic deletion
         async with db.transaction():
-            # Loop through each table and execute the delete query
             for table in related_tables:
+                if table not in allowed_tables:
+                    raise ValueError(f"Invalid table name: {table}")
                 await db.execute(
                     f"DELETE FROM {table} WHERE project_id = :project_id",
                     {"project_id": self.id},