lms-sb

admins/lms-sb

Fork 0

Commit Graph

Author	SHA1	Message	Date
admins	e5ba94cb33	Fix security, transaction, and badge issues from final review - Validate file URLs against S3 prefix in messages route (Fix 1) - Guard attachment hrefs with https:// check in QuestionThread and QuestionSplitView (Fix 2) - Wrap message create + updatedAt bump in prisma.$transaction (Fix 3) - Add questionsBadge count query to curator layout for admin branch (Fix 4) - Fire-and-forget email sends with void Promise.all (Fix 5) - Wrap req.json() calls in try/catch returning 400 on parse failure (Fix 6) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-19 13:56:31 +05:00
admins	a9e6272d2d	Fix API routes: closed-question guard, file validation, files sanitization, follow-up email - Add CLOSED status guard in messages POST (returns 409) - Add extension allowlist check in upload route + text/x-markdown MIME type - Sanitize files JSON array before DB write - Add sendQuestionFollowUpEmail helper and use it for student follow-up replies - Scope email field to staff only in questions list query Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-19 13:28:08 +05:00
admins	f2946db57a	Add student questions API routes Implements GET/POST /api/questions, GET /api/questions/[id] with read tracking, POST /api/questions/[id]/messages with email notifications, PATCH /api/questions/[id]/close for staff, and POST /api/student/question-upload for file attachments. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-19 13:23:26 +05:00

Author

SHA1

Message

Date

admins

e5ba94cb33

Fix security, transaction, and badge issues from final review

- Validate file URLs against S3 prefix in messages route (Fix 1)
- Guard attachment hrefs with https:// check in QuestionThread and QuestionSplitView (Fix 2)
- Wrap message create + updatedAt bump in prisma.$transaction (Fix 3)
- Add questionsBadge count query to curator layout for admin branch (Fix 4)
- Fire-and-forget email sends with void Promise.all (Fix 5)
- Wrap req.json() calls in try/catch returning 400 on parse failure (Fix 6)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-19 13:56:31 +05:00

admins

a9e6272d2d

Fix API routes: closed-question guard, file validation, files sanitization, follow-up email

- Add CLOSED status guard in messages POST (returns 409)
- Add extension allowlist check in upload route + text/x-markdown MIME type
- Sanitize files JSON array before DB write
- Add sendQuestionFollowUpEmail helper and use it for student follow-up replies
- Scope email field to staff only in questions list query

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-19 13:28:08 +05:00

admins

f2946db57a

Add student questions API routes

Implements GET/POST /api/questions, GET /api/questions/[id] with read tracking, POST /api/questions/[id]/messages with email notifications, PATCH /api/questions/[id]/close for staff, and POST /api/student/question-upload for file attachments.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-19 13:23:26 +05:00

3 Commits