fix: lock down application form when intake round is not active

getConfig now throws FORBIDDEN when round is not ROUND_ACTIVE, preventing the form from loading entirely. Also blocks draft saving when round is inactive. Defense-in-depth: submit already rejected inactive rounds, this adds the frontend gate. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 20:26:34 +01:00
parent 875c2e8f48
commit 27ecbc40b3
1 changed files with 25 additions and 0 deletions
--- a/src/server/routers/application.ts
+++ b/src/server/routers/application.ts
@@ -150,6 +150,14 @@ export const applicationRouter = router({
          isOpen = program.status === 'ACTIVE'
        }

+        // Block access entirely when applications are not open
+        if (!isOpen) {
+          throw new TRPCError({
+            code: 'FORBIDDEN',
+            message: 'Applications are not currently open. The submission period has not started or has ended.',
+          })
+        }
+
        const wizardConfig = parseWizardConfig(program.settingsJson)

        return {
@@ -200,6 +208,14 @@ export const applicationRouter = router({
        const roundProgram = round.competition.program
        const isOpen = round.status === 'ROUND_ACTIVE'

+        // Block access entirely when the intake round is not active
+        if (!isOpen) {
+          throw new TRPCError({
+            code: 'FORBIDDEN',
+            message: 'Applications are not currently open. The submission period has not started or has ended.',
+          })
+        }
+
        const roundWizardConfig = parseWizardConfig(roundProgram.settingsJson)
        const { settingsJson: _s, ...programData } = roundProgram

@@ -608,6 +624,7 @@ export const applicationRouter = router({
        where: { slug: input.roundSlug },
        select: {
          id: true,
+          status: true,
          competition: { select: { programId: true } },
          configJson: true,
        },
@@ -620,6 +637,14 @@ export const applicationRouter = router({
        })
      }

+      // Block draft saving when intake round is not active
+      if (round.status !== 'ROUND_ACTIVE') {
+        throw new TRPCError({
+          code: 'FORBIDDEN',
+          message: 'Applications are not currently open.',
+        })
+      }
+
      const roundConfig = (round.configJson as Record<string, unknown>) || {}
      if (roundConfig.drafts_enabled === false) {
        throw new TRPCError({