fix: lock down application form when intake round is not active
Some checks failed
Build and Push Docker Image / build (push) Has been cancelled
Some checks failed
Build and Push Docker Image / build (push) Has been cancelled
getConfig now throws FORBIDDEN when round is not ROUND_ACTIVE, preventing the form from loading entirely. Also blocks draft saving when round is inactive. Defense-in-depth: submit already rejected inactive rounds, this adds the frontend gate. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -150,6 +150,14 @@ export const applicationRouter = router({
|
|||||||
isOpen = program.status === 'ACTIVE'
|
isOpen = program.status === 'ACTIVE'
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Block access entirely when applications are not open
|
||||||
|
if (!isOpen) {
|
||||||
|
throw new TRPCError({
|
||||||
|
code: 'FORBIDDEN',
|
||||||
|
message: 'Applications are not currently open. The submission period has not started or has ended.',
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
const wizardConfig = parseWizardConfig(program.settingsJson)
|
const wizardConfig = parseWizardConfig(program.settingsJson)
|
||||||
|
|
||||||
return {
|
return {
|
||||||
@@ -200,6 +208,14 @@ export const applicationRouter = router({
|
|||||||
const roundProgram = round.competition.program
|
const roundProgram = round.competition.program
|
||||||
const isOpen = round.status === 'ROUND_ACTIVE'
|
const isOpen = round.status === 'ROUND_ACTIVE'
|
||||||
|
|
||||||
|
// Block access entirely when the intake round is not active
|
||||||
|
if (!isOpen) {
|
||||||
|
throw new TRPCError({
|
||||||
|
code: 'FORBIDDEN',
|
||||||
|
message: 'Applications are not currently open. The submission period has not started or has ended.',
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
const roundWizardConfig = parseWizardConfig(roundProgram.settingsJson)
|
const roundWizardConfig = parseWizardConfig(roundProgram.settingsJson)
|
||||||
const { settingsJson: _s, ...programData } = roundProgram
|
const { settingsJson: _s, ...programData } = roundProgram
|
||||||
|
|
||||||
@@ -608,6 +624,7 @@ export const applicationRouter = router({
|
|||||||
where: { slug: input.roundSlug },
|
where: { slug: input.roundSlug },
|
||||||
select: {
|
select: {
|
||||||
id: true,
|
id: true,
|
||||||
|
status: true,
|
||||||
competition: { select: { programId: true } },
|
competition: { select: { programId: true } },
|
||||||
configJson: true,
|
configJson: true,
|
||||||
},
|
},
|
||||||
@@ -620,6 +637,14 @@ export const applicationRouter = router({
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Block draft saving when intake round is not active
|
||||||
|
if (round.status !== 'ROUND_ACTIVE') {
|
||||||
|
throw new TRPCError({
|
||||||
|
code: 'FORBIDDEN',
|
||||||
|
message: 'Applications are not currently open.',
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
const roundConfig = (round.configJson as Record<string, unknown>) || {}
|
const roundConfig = (round.configJson as Record<string, unknown>) || {}
|
||||||
if (roundConfig.drafts_enabled === false) {
|
if (roundConfig.drafts_enabled === false) {
|
||||||
throw new TRPCError({
|
throw new TRPCError({
|
||||||
|
|||||||
Reference in New Issue
Block a user