Comprehensive platform review: security fixes, query optimization, UI improvements, and code cleanup

Security (Critical/High): - Fix path traversal bypass in local storage provider (path.resolve + prefix check) - Fix timing-unsafe HMAC comparison (crypto.timingSafeEqual) - Add auth + ownership checks to email API routes (verify-credentials, change-password) - Remove hardcoded secret key fallback in local storage provider - Add production credential check for MinIO (fail loudly if not set) - Remove DB error details from health check response - Add stricter rate limiting on application submissions (5/hour) - Add rate limiting on email availability check (anti-enumeration) - Change getAIAssignmentJobStatus to adminProcedure - Block dangerous file extensions on upload - Reduce project list max perPage from 5000 to 200 Query Optimization: - Optimize analytics getProjectRankings with select instead of full includes - Fix N+1 in mentor.getSuggestions (batch findMany instead of loop) - Use _count for files instead of fetching full file records in project list - Switch to bulk notifications in assignment and user bulk operations - Batch filtering upserts (25 per transaction instead of all at once) UI/UX: - Replace Inter font with Montserrat in public layout (brand consistency) - Use Logo component in public layout instead of placeholder - Create branded 404 and error pages - Make admin rounds table responsive with mobile card layout - Fix notification bell paths to be role-aware - Replace hardcoded slate colors with semantic tokens in admin sidebar - Force light mode (dark mode untested) - Adjust CardTitle default size - Improve muted-foreground contrast for accessibility (A11Y) - Move profile form state initialization to useEffect Code Quality: - Extract shared toProjectWithRelations to anonymization.ts (removed 3 duplicates) - Remove dead code: getObjectInfo, isValidImageSize, unused batch tag functions, debug logs - Remove unused twilio dependency - Remove redundant email index from schema - Add actual storage object deletion when file records are deleted - Wrap evaluation submit + assignment update in - Add comprehensive platform review document Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-05 20:31:08 +01:00
parent a1f32597a0
commit 8d0979e649
35 changed files with 2463 additions and 730 deletions
--- a/src/server/routers/evaluation.ts
+++ b/src/server/routers/evaluation.ts
@@ -196,21 +196,21 @@ export const evaluationRouter = router({
        })
      }

-      // Submit
-      const updated = await ctx.prisma.evaluation.update({
-        where: { id },
-        data: {
-          ...data,
-          status: 'SUBMITTED',
-          submittedAt: now,
-        },
-      })
-
-      // Mark assignment as completed
-      await ctx.prisma.assignment.update({
-        where: { id: evaluation.assignmentId },
-        data: { isCompleted: true },
-      })
+      // Submit evaluation and mark assignment as completed atomically
+      const [updated] = await ctx.prisma.$transaction([
+        ctx.prisma.evaluation.update({
+          where: { id },
+          data: {
+            ...data,
+            status: 'SUBMITTED',
+            submittedAt: now,
+          },
+        }),
+        ctx.prisma.assignment.update({
+          where: { id: evaluation.assignmentId },
+          data: { isCompleted: true },
+        }),
+      ])

      // Audit log
      await ctx.prisma.auditLog.create({