Fix API routes: closed-question guard, file validation, files sanitization, follow-up email

- Add CLOSED status guard in messages POST (returns 409)
- Add extension allowlist check in upload route + text/x-markdown MIME type
- Sanitize files JSON array before DB write
- Add sendQuestionFollowUpEmail helper and use it for student follow-up replies
- Scope email field to staff only in questions list query

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 13:28:08 +05:00
parent f2946db57a
commit a9e6272d2d
4 changed files with 47 additions and 5 deletions
+5 -1
@@ -10,10 +10,14 @@ export async function GET() {
const isStaff = session.user.role === "admin" || session.user.role === "curator";
const userSelect = isStaff
? { id: true as const, name: true as const, email: true as const }
: { id: true as const, name: true as const };
const questions = await prisma.studentQuestion.findMany({
where: isStaff ? undefined : { userId: session.user.id },
include: {
user: { select: { id: true, name: true, email: true } },
user: { select: userSelect },
course: { select: { id: true, title: true } },
_count: {
select: {
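Review bot: the staff check `session.user.role === "admin" || session.user.role === "curator"` is written inline here, and the commit message says the same staff/student distinction now drives the CLOSED-status guard in the messages POST route and the follow-up email helper; if each route re-derives `isStaff` from the role strings, the definition of "staff" can drift between routes, so consider a single shared helper (for example `isStaffRole(session.user.role)`) used by this `GET` and the other routes. The `userSelect` ternary itself is correct for the stated goal (non-staff callers no longer receive `email` in the nested `user` object), but it is worth adding a route test that calls `GET` as a non-staff user and asserts the returned `user` objects contain only `id` and `name`, since the `as const` typing only enforces the shape at compile time and a later edit to `include` could silently reintroduce `email`.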