MOPC/MOPC-Portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: applicant portal — document uploads, round filtering, auth hardening

Browse Source 
Fix round-specific document uploads (submittedAt no longer blocks uploads),
add view/download buttons for existing files, enforce active-round-only for
uploads/deletes. Harden auth layout and set-password page. Filter applicant
portal rounds by award track membership.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Matt
2026-03-04 13:29:39 +01:00
parent 1103d42439
commit a39e27f6ff
8 changed files with 192 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
src/app/(applicant)/applicant/documents/page.tsx
View File

@@ -3,6 +3,7 @@
import { useSession } from 'next-auth/react'
import { trpc } from '@/lib/trpc/client'
import { Badge } from '@/components/ui/badge'
import { Button } from '@/components/ui/button'
import {
Card,
CardContent,
@@ -20,6 +21,7 @@ import {
Video,
File,
Download,
Eye,
} from 'lucide-react'
const fileTypeIcons: Record<string, typeof FileText> = {
@@ -42,6 +44,34 @@ const fileTypeLabels: Record<string, string> = {
SUPPORTING_DOC: 'Supporting Document',
}
function FileActionButtons({ bucket, objectKey, fileName }: { bucket: string; objectKey: string; fileName: string }) {
const { data: viewData } = trpc.file.getDownloadUrl.useQuery(
{ bucket, objectKey, forDownload: false },
{ staleTime: 10 * 60 * 1000 }
)
const { data: dlData } = trpc.file.getDownloadUrl.useQuery(
{ bucket, objectKey, forDownload: true, fileName },
{ staleTime: 10 * 60 * 1000 }
)
const viewUrl = typeof viewData === 'string' ? viewData : viewData?.url
const dlUrl = typeof dlData === 'string' ? dlData : dlData?.url
return (
<div className="flex items-center gap-1 shrink-0">
<Button variant="ghost" size="sm" className="h-7 px-2 text-xs gap-1" asChild disabled={!viewUrl}>
<a href={viewUrl || '#'} target="_blank" rel="noopener noreferrer">
<Eye className="h-3 w-3" /> View
</a>
</Button>
<Button variant="ghost" size="sm" className="h-7 px-2 text-xs gap-1" asChild disabled={!dlUrl}>
<a href={dlUrl || '#'} download={fileName}>
<Download className="h-3 w-3" /> Download
</a>
</Button>
</div>
)
}
export default function ApplicantDocumentsPage() {
const { status: sessionStatus } = useSession()
const isAuthenticated = sessionStatus === 'authenticated'
@@ -82,7 +112,7 @@ export default function ApplicantDocumentsPage() {
)
}
const { project, openRounds } = data
const { project, openRounds, isRejected } = data
const isDraft = !project.submittedAt
return (
@@ -98,8 +128,20 @@ export default function ApplicantDocumentsPage() {
</p>
</div>
{/* Rejected banner */}
{isRejected && (
<Card className="border-destructive/50 bg-destructive/5">
<CardContent className="flex items-center gap-3 py-4">
<AlertTriangle className="h-5 w-5 text-destructive shrink-0" />
<p className="text-sm text-destructive">
Your project was not selected to advance. Documents are view-only.
</p>
</CardContent>
</Card>
)}
{/* Per-round upload sections */}
{openRounds.length > 0 && (
{!isRejected && openRounds.length > 0 && (
<div className="space-y-6">
{openRounds.map((round: { id: string; name: string; windowCloseAt?: string | Date | null }) => {
const now = new Date()
@@ -163,18 +205,18 @@ export default function ApplicantDocumentsPage() {
<div className="space-y-2">
{project.files.map((file) => {
const Icon = fileTypeIcons[file.fileType] || File
const fileRecord = file as typeof file & { isLate?: boolean; roundId?: string | null }
const fileRecord = file as typeof file & { isLate?: boolean; roundId?: string | null; bucket?: string; objectKey?: string }
return (
<div
key={file.id}
className="flex items-center justify-between p-3 rounded-lg border"
>
<div className="flex items-center gap-3">
<Icon className="h-5 w-5 text-muted-foreground" />
<div>
<div className="flex items-center gap-3 min-w-0">
<Icon className="h-5 w-5 text-muted-foreground shrink-0" />
<div className="min-w-0">
<div className="flex items-center gap-2">
<p className="font-medium text-sm">{file.fileName}</p>
<p className="font-medium text-sm truncate">{file.fileName}</p>
{fileRecord.isLate && (
<Badge variant="warning" className="text-xs gap-1">
<AlertTriangle className="h-3 w-3" />
@@ -189,6 +231,13 @@ export default function ApplicantDocumentsPage() {
</p>
</div>
</div>
{fileRecord.bucket && fileRecord.objectKey && (
<FileActionButtons
bucket={fileRecord.bucket}
objectKey={fileRecord.objectKey}
fileName={file.fileName}
/>
)}
</div>
)
})}

20
src/app/(applicant)/applicant/page.tsx
View File

@@ -111,7 +111,7 @@ export default function ApplicantDashboardPage() {
)
}
const { project, timeline, currentStatus, openRounds, hasPassedIntake } = data
const { project, timeline, currentStatus, openRounds, hasPassedIntake, isRejected } = data
const programYear = project.program?.year
const programName = project.program?.name
const totalEvaluations = evaluations?.reduce((sum, r) => sum + r.evaluationCount, 0) ?? 0
@@ -221,8 +221,23 @@ export default function ApplicantDashboardPage() {
</Card>
</AnimatedCard>
{/* Rejected banner */}
{isRejected && (
<AnimatedCard index={1}>
<Card className="border-destructive/50 bg-destructive/5">
<CardContent className="flex items-center gap-3 py-4">
<AlertCircle className="h-5 w-5 text-destructive shrink-0" />
<p className="text-sm text-destructive">
Your project was not selected to advance. Your project space is now read-only.
</p>
</CardContent>
</Card>
</AnimatedCard>
)}
{/* Quick actions */}
<AnimatedCard index={1}>
{!isRejected && (
<AnimatedCard index={2}>
<div className="grid gap-4 sm:grid-cols-2 lg:grid-cols-3">
<Link href={"/applicant/documents" as Route} className="group flex items-center gap-3 rounded-xl border border-border/60 p-4 transition-all duration-200 hover:-translate-y-0.5 hover:shadow-md hover:border-blue-500/30 hover:bg-blue-500/5">
<div className="rounded-xl bg-blue-500/10 p-2.5 transition-colors group-hover:bg-blue-500/20">
@@ -266,6 +281,7 @@ export default function ApplicantDashboardPage() {
)}
</div>
</AnimatedCard>
)}
{/* Document Completeness */}
{docCompleteness && docCompleteness.length > 0 && (

5
src/app/(applicant)/applicant/team/page.tsx
View File

@@ -123,6 +123,7 @@ export default function ApplicantProjectPage() {
const project = dashboardData?.project
const projectId = project?.id
const isIntakeOpen = dashboardData?.isIntakeOpen ?? false
const isRejected = dashboardData?.isRejected ?? false
const { data: teamData, isLoading: teamLoading, refetch } = trpc.applicant.getTeamMembers.useQuery(
{ projectId: projectId! },
@@ -398,7 +399,7 @@ export default function ApplicantProjectPage() {
Everyone on this list can view and collaborate on this project.
</CardDescription>
</div>
{isTeamLead && (
{isTeamLead && !isRejected && (
<Dialog open={isInviteOpen} onOpenChange={setIsInviteOpen}>
<DialogTrigger asChild>
<Button size="sm">
@@ -578,7 +579,7 @@ export default function ApplicantProjectPage() {
</div>
</div>
{isTeamLead && member.role !== 'LEAD' && teamData.submittedBy?.id !== member.userId && (
{isTeamLead && !isRejected && member.role !== 'LEAD' && teamData.submittedBy?.id !== member.userId && (
<AlertDialog>
<AlertDialogTrigger asChild>
<Button variant="ghost" size="icon" className="text-destructive">

5
src/app/(auth)/layout.tsx
View File

@@ -19,13 +19,14 @@ export default async function AuthLayout({
// Redirect logged-in users to their dashboard
// But NOT if they still need to set their password
if (session?.user && !session.user.mustSetPassword) {
// Verify user still exists in DB (handles deleted accounts with stale sessions)
// Verify user still exists in DB and check onboarding status
const dbUser = await prisma.user.findUnique({
where: { id: session.user.id },
select: { id: true },
select: { id: true, onboardingCompletedAt: true },
})
if (dbUser) {
const role = session.user.role
if (role === 'SUPER_ADMIN' || role === 'PROGRAM_ADMIN') {
redirect('/admin')

12
src/app/(auth)/set-password/page.tsx
View File

@@ -36,17 +36,9 @@ export default function SetPasswordPage() {
setIsSuccess(true)
// Update the session to reflect the password has been set
await updateSession()
// Redirect after a short delay
// Redirect after a short delay — all roles go to onboarding first
setTimeout(() => {
if (session?.user?.role === 'JURY_MEMBER') {
router.push('/jury')
} else if (session?.user?.role === 'SUPER_ADMIN' || session?.user?.role === 'PROGRAM_ADMIN') {
router.push('/admin')
} else if (session?.user?.role === 'APPLICANT') {
router.push('/onboarding')
} else {
router.push('/')
}
router.push('/onboarding')
}, 2000)
},
onError: (err) => {

25
src/lib/auth.ts
View File

@@ -15,7 +15,19 @@ const LOCKOUT_DURATION_MS = 15 * 60 * 1000 // 15 minutes
export const { handlers, auth, signIn, signOut } = NextAuth({
...authConfig,
adapter: PrismaAdapter(prisma),
adapter: {
...PrismaAdapter(prisma),
async useVerificationToken({ identifier, token }: { identifier: string; token: string }) {
try {
return await prisma.verificationToken.delete({
where: { identifier_token: { identifier, token } },
})
} catch (e) {
if ((e as { code?: string }).code === 'P2025') return null
throw e
}
},
},
providers: [
// Email provider for magic links (used for first login and password reset)
EmailProvider({
@@ -129,7 +141,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
},
})
if (!user || user.status === 'SUSPENDED' || !user.passwordHash) {
if (!user || user.status === 'SUSPENDED') {
// Track failed attempt (don't reveal whether user exists)
const current = failedAttempts.get(email) || { count: 0, lockedUntil: 0 }
current.count++
@@ -139,19 +151,24 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
}
failedAttempts.set(email, current)
// Log failed login
// Log failed login — real security event
await prisma.auditLog.create({
data: {
userId: null,
action: 'LOGIN_FAILED',
entityType: 'User',
detailsJson: { email, reason: !user ? 'user_not_found' : user.status === 'SUSPENDED' ? 'suspended' : 'no_password' },
detailsJson: { email, reason: !user ? 'user_not_found' : 'suspended' },
},
}).catch(() => {})
return null
}
if (!user.passwordHash) {
// Magic-link user tried credentials form — expected, not a security event
return null
}
// Verify password
const isValid = await verifyPassword(password, user.passwordHash)
if (!isValid) {

10
src/lib/storage/index.ts
View File

@@ -126,6 +126,14 @@ export function getContentType(fileName: string): string {
* Validate image file type
*/
export function isValidImageType(contentType: string): boolean {
const validTypes = ['image/jpeg', 'image/png', 'image/gif', 'image/webp']
const validTypes = [
'image/jpeg',
'image/jpg', // non-standard but common browser alias for image/jpeg
'image/png',
'image/gif',
'image/webp',
'image/svg+xml',
'application/octet-stream', // some browsers send this as a fallback
]
return validTypes.includes(contentType)
}

89
src/server/routers/applicant.ts
View File

@@ -20,6 +20,16 @@ function generateInviteToken(): string {
return crypto.randomBytes(32).toString('hex')
}
/** Check if a project has been rejected in any round (based on ProjectRoundState, not Project.status) */
// eslint-disable-next-line @typescript-eslint/no-explicit-any
async function isProjectRejected(prisma: any, projectId: string): Promise<boolean> {
const rejected = await prisma.projectRoundState.findFirst({
where: { projectId, state: 'REJECTED' },
select: { id: true },
})
return !!rejected
}
export const applicantRouter = router({
/**
* Get submission info for an applicant (by round slug)
@@ -276,6 +286,11 @@ export const applicantRouter = router({
})
}
// Block rejected projects from uploading
if (await isProjectRejected(ctx.prisma, input.projectId)) {
throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Uploads are no longer permitted.' })
}
// If uploading against a requirement, validate mime type and size
if (input.requirementId) {
const requirement = await ctx.prisma.fileRequirement.findUnique({
@@ -303,21 +318,29 @@ export const applicantRouter = router({
let isLate = false
// Can't upload if already submitted
if (project.submittedAt && !isLate) {
// Can't upload if already submitted — but only for initial application edits.
// Round-specific uploads (business plan, video for later rounds) are allowed
// as long as the round is active.
if (project.submittedAt && !input.roundId) {
throw new TRPCError({
code: 'BAD_REQUEST',
message: 'Cannot modify a submitted project',
})
}
// Fetch round name for storage path (if uploading against a round)
// Fetch round info and verify it's active
let roundName: string | undefined
if (input.roundId) {
const round = await ctx.prisma.round.findUnique({
where: { id: input.roundId },
select: { name: true },
select: { name: true, status: true },
})
if (round && round.status !== 'ROUND_ACTIVE') {
throw new TRPCError({
code: 'BAD_REQUEST',
message: 'This round is closed. Documents can no longer be uploaded.',
})
}
roundName = round?.name
}
@@ -385,6 +408,11 @@ export const applicantRouter = router({
})
}
// Block rejected projects
if (await isProjectRejected(ctx.prisma, input.projectId)) {
throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. File changes are no longer permitted.' })
}
const { projectId, roundId, isLate, requirementId, ...fileData } = input
// Delete existing file: by requirementId if provided, otherwise by fileType
@@ -459,14 +487,33 @@ export const applicantRouter = router({
})
}
// Can't delete if project is submitted
if (file.project.submittedAt) {
// Block rejected projects
if (await isProjectRejected(ctx.prisma, file.project.id)) {
throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. File changes are no longer permitted.' })
}
// Can't delete initial application files after submission
if (file.project.submittedAt && !file.roundId) {
throw new TRPCError({
code: 'BAD_REQUEST',
message: 'Cannot modify a submitted project',
})
}
// Round-specific files can only be deleted while the round is active
if (file.roundId) {
const round = await ctx.prisma.round.findUnique({
where: { id: file.roundId },
select: { status: true },
})
if (round && round.status !== 'ROUND_ACTIVE') {
throw new TRPCError({
code: 'BAD_REQUEST',
message: 'This round is closed. Documents can no longer be modified.',
})
}
}
await ctx.prisma.projectFile.delete({
where: { id: input.fileId },
})
@@ -809,6 +856,11 @@ export const applicantRouter = router({
})
}
// Block rejected projects
if (await isProjectRejected(ctx.prisma, input.projectId)) {
throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Team changes are no longer permitted.' })
}
// Check if already a team member
const existingMember = await ctx.prisma.teamMember.findFirst({
where: {
@@ -1020,6 +1072,11 @@ export const applicantRouter = router({
})
}
// Block rejected projects
if (await isProjectRejected(ctx.prisma, input.projectId)) {
throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Team changes are no longer permitted.' })
}
// Can't remove the original submitter
if (project.submittedByUserId === input.userId) {
throw new TRPCError({
@@ -1234,7 +1291,7 @@ export const applicantRouter = router({
}
}
const isRejected = currentStatus === 'REJECTED'
const isRejected = await isProjectRejected(ctx.prisma, project.id)
const hasWonAward = project.wonAwards.length > 0
// Build timeline
@@ -1382,9 +1439,10 @@ export const applicantRouter = router({
isTeamLead,
userRole: userMembership?.role || (project.submittedByUserId === ctx.user.id ? 'LEAD' : null),
},
openRounds,
openRounds: isRejected ? [] : openRounds,
timeline,
currentStatus,
isRejected,
hasPassedIntake: !!passedIntake,
isIntakeOpen: !!activeIntakeRound,
logoUrl,
@@ -1442,9 +1500,12 @@ export const applicantRouter = router({
select: { configJson: true },
})
: []
const navProjectRejected = await isProjectRejected(ctx.prisma, project.id)
hasEvaluationRounds = closedEvalRounds.some((r) => {
const parsed = EvaluationConfigSchema.safeParse(r.configJson)
return parsed.success && parsed.data.applicantVisibility.enabled
if (!parsed.success || !parsed.data.applicantVisibility.enabled) return false
if (parsed.data.applicantVisibility.hideFromRejected && navProjectRejected) return false
return true
})
}
@@ -1746,11 +1807,16 @@ export const applicantRouter = router({
}>
}> = []
const projectIsRejected = await isProjectRejected(ctx.prisma, project.id)
for (let i = 0; i < evalRounds.length; i++) {
const round = evalRounds[i]
const parsed = EvaluationConfigSchema.safeParse(round.configJson)
if (!parsed.success || !parsed.data.applicantVisibility.enabled) continue
// Skip this round if hideFromRejected is on and the project has been rejected
if (parsed.data.applicantVisibility.hideFromRejected && projectIsRejected) continue
const vis = parsed.data.applicantVisibility
// Get evaluations via assignments — NEVER select userId or user relation
@@ -1991,6 +2057,11 @@ export const applicantRouter = router({
throw new TRPCError({ code: 'FORBIDDEN', message: 'You are not a member of this project' })
}
// Block rejected projects
if (await isProjectRejected(ctx.prisma, input.projectId)) {
throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Logo changes are no longer permitted.' })
}
return getImageUploadUrl(
input.projectId,
input.fileName,