fix: security hardening — block self-registration, SSE auth, audit logging fixes
Some checks failed
Build and Push Docker Image / build (push) Has been cancelled
Some checks failed
Build and Push Docker Image / build (push) Has been cancelled
Security fixes: - Block self-registration via magic link (PrismaAdapter createUser throws) - Magic links only sent to existing ACTIVE users (prevents enumeration) - signIn callback rejects non-existent users (defense-in-depth) - Change schema default role from JURY_MEMBER to APPLICANT - Add authentication to live-voting SSE stream endpoint - Fix false FILE_OPENED/FILE_DOWNLOADED audit events on page load (remove purpose from eagerly pre-fetched URL queries) Bug fixes: - Fix impersonation skeleton screen on applicant dashboard - Fix onboarding redirect loop in auth layout Observer dashboard redesign (Steps 1-6): - Clickable round pipeline with selected round highlighting - Round-type-specific dashboard panels (intake, filtering, evaluation, submission, mentoring, live final, deliberation) - Enhanced activity feed with server-side humanization - Previous round comparison section - New backend queries for round-specific analytics Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -230,6 +230,9 @@ export const LiveFinalConfigSchema = z.object({
|
||||
qaDurationMinutes: z.number().int().nonnegative().default(5),
|
||||
|
||||
revealPolicy: z.enum(['immediate', 'delayed', 'ceremony']).default('ceremony'),
|
||||
|
||||
/** Controls whether observers can see live scores: realtime, after session completes, or never */
|
||||
observerScoreVisibility: z.enum(['realtime', 'after_completion', 'hidden']).default('after_completion'),
|
||||
})
|
||||
|
||||
export type LiveFinalConfig = z.infer<typeof LiveFinalConfigSchema>
|
||||
|
||||
Reference in New Issue
Block a user