[PROD] - PS489

src/api/review-application/reviewApplication.service.ts

@@ -71,7 +71,6 @@ export class ReviewApplicationService {
       }
       // make sure application role matches
       if (
-        // eslint-disable-next-line @typescript-eslint/no-unsafe-enum-comparison
         ReviewApplicationRoleOpportunityTypeMap[dto.role] !== opportunity.type
       ) {
         throw new BadRequestException(

src/api/submission/submission.controller.ts

@@ -197,7 +197,8 @@ export class SubmissionController {
     this.logger.log(
       `Getting submissions with filters - ${JSON.stringify(queryDto)}`,
     );
-    const authUser: JwtUser = req['user'] as JwtUser;
+    const authUser: JwtUser =
+      (req['user'] as JwtUser) ?? ({ isMachine: false, roles: [] } as JwtUser);
     return this.service.listSubmission(
       authUser,
       queryDto,

src/api/submission/submission.service.spec.ts

@@ -510,6 +510,7 @@ describe('SubmissionService', () => {
       reviewType: {
         findMany: jest.Mock;
       };
+      $queryRaw: jest.Mock;
     };
     let prismaErrorServiceMock: { handleError: jest.Mock };
     let challengePrismaMock: {
@@ -537,9 +538,14 @@ describe('SubmissionService', () => {
         reviewType: {
           findMany: jest.fn().mockResolvedValue([]),
         },
+        $queryRaw: jest.fn().mockResolvedValue([]),
       };
       prismaErrorServiceMock = {
-        handleError: jest.fn(),
+        handleError: jest.fn().mockReturnValue({
+          message: 'Unexpected error',
+          code: 'INTERNAL_ERROR',
+          details: {},
+        }),
       };
       challengePrismaMock = {
         $queryRaw: jest.fn().mockResolvedValue([]),
@@ -624,6 +630,7 @@ describe('SubmissionService', () => {
       prismaMock.submission.findFirst.mockResolvedValue({
         id: 'submission-new',
       });
+      prismaMock.$queryRaw.mockResolvedValue([{ id: 'submission-new' }]);
 
       const result = await listService.listSubmission(
         { isMachine: false } as any,
@@ -1241,5 +1248,56 @@ describe('SubmissionService', () => {
       expect(screeningReview?.reviewerHandle).toBe('screeningHandle');
       expect(screeningReview?.reviewerMaxRating).toBe(2000);
     });
+
+    it('exposes submitter identity but strips reviews for anonymous challenge queries', async () => {
+      const now = new Date('2025-02-01T12:00:00Z');
+      const submissions = [
+        {
+          id: 'submission-anon',
+          challengeId: 'challenge-1',
+          memberId: '101',
+          submittedDate: now,
+          createdAt: now,
+          updatedAt: now,
+          type: SubmissionType.CONTEST_SUBMISSION,
+          status: SubmissionStatus.ACTIVE,
+          review: [{ id: 'review-public', score: 100 }],
+          reviewSummation: [{ id: 'summation-public' }],
+          url: 'https://example.com/submission.zip',
+          legacyChallengeId: null,
+          prizeId: null,
+        },
+      ];
+
+      prismaMock.submission.findMany.mockResolvedValue(
+        submissions.map((entry) => ({ ...entry })),
+      );
+      prismaMock.submission.count.mockResolvedValue(submissions.length);
+      prismaMock.submission.findFirst.mockResolvedValue({
+        id: 'submission-anon',
+      });
+
+      memberPrismaMock.member.findMany.mockResolvedValue([
+        {
+          userId: BigInt(101),
+          handle: 'anonUser',
+          maxRating: { rating: 1500 },
+        },
+      ]);
+
+      const result = await listService.listSubmission(
+        { isMachine: false, roles: [] } as any,
+        { challengeId: 'challenge-1' } as any,
+        { page: 1, perPage: 10 } as any,
+      );
+
+      const submissionResult = result.data[0];
+      expect(submissionResult.memberId).toBe('101');
+      expect(submissionResult.submitterHandle).toBe('anonUser');
+      expect(submissionResult.submitterMaxRating).toBe(1500);
+      expect(submissionResult).not.toHaveProperty('review');
+      expect(submissionResult).not.toHaveProperty('reviewSummation');
+      expect(submissionResult.url).toBeNull();
+    });
   });
 });

src/api/submission/submission.service.ts

@@ -1812,9 +1812,9 @@ export class SubmissionService {
         : undefined;
 
       if (requestedMemberId) {
-        const userId = authUser.userId ? String(authUser.userId) : undefined;
+        const userId = authUser?.userId ? String(authUser.userId) : undefined;
         const isRequestingMember = userId === requestedMemberId;
-        const hasCopilotRole = (authUser.roles ?? []).includes(
+        const hasCopilotRole = (authUser?.roles ?? []).includes(
           UserRole.Copilot,
         );
         const hasElevatedAccess = isAdmin(authUser) || hasCopilotRole;
@@ -1862,7 +1862,7 @@ export class SubmissionService {
           : '';
 
       let restrictedChallengeIds = new Set<string>();
-      if (!isPrivilegedRequester && requesterUserId) {
+      if (!isPrivilegedRequester && requesterUserId && !queryDto.challengeId) {
         try {
           restrictedChallengeIds =
             await this.getActiveSubmitterRestrictedChallengeIds(
@@ -1885,7 +1885,8 @@ export class SubmissionService {
       if (
         !isPrivilegedRequester &&
         requesterUserId &&
-        restrictedChallengeIds.size
+        restrictedChallengeIds.size &&
+        !queryDto.challengeId
       ) {
         const restrictedList = Array.from(restrictedChallengeIds);
         const restrictionCriteria: Prisma.submissionWhereInput = {
@@ -1928,12 +1929,16 @@ export class SubmissionService {
         orderBy,
       });
 
-      // Enrich with submitter handle and max rating for authorized callers
-      const canViewSubmitter = await this.canViewSubmitterIdentity(
-        authUser,
-        queryDto.challengeId,
-      );
-      if (canViewSubmitter && submissions.length) {
+      // Enrich with submitter handle and max rating (always for challenge listings)
+      const shouldEnrichSubmitter =
+        submissions.length > 0 &&
+        (queryDto.challengeId
+          ? true
+          : await this.canViewSubmitterIdentity(
+              authUser,
+              queryDto.challengeId,
+            ));
+      if (shouldEnrichSubmitter) {
         try {
           const memberIds = Array.from(
             new Set(
@@ -1943,11 +1948,24 @@ export class SubmissionService {
             ),
           );
           if (memberIds.length) {
-            const idsAsBigInt = memberIds.map((id) => BigInt(id));
-            const members = await this.memberPrisma.member.findMany({
-              where: { userId: { in: idsAsBigInt } },
-              include: { maxRating: true },
-            });
+            const idsAsBigInt: bigint[] = [];
+            for (const id of memberIds) {
+              try {
+                idsAsBigInt.push(BigInt(id));
+              } catch (error) {
+                this.logger.debug(
+                  `[listSubmission] Skipping submitter ${id}: unable to convert to BigInt. ${error}`,
+                );
+              }
+            }
+
+            const members =
+              idsAsBigInt.length > 0
+                ? await this.memberPrisma.member.findMany({
+                    where: { userId: { in: idsAsBigInt } },
+                    include: { maxRating: true },
+                  })
+                : [];
             const map = new Map<
               string,
               { handle: string; maxRating: number | null }
@@ -2001,11 +2019,6 @@ export class SubmissionService {
         submissions,
         reviewVisibilityContext,
       );
-      this.stripSubmitterMemberIds(
-        authUser,
-        submissions,
-        reviewVisibilityContext,
-      );
       await this.stripIsLatestForUnlimitedChallenges(submissions);
 
       this.logger.log(
@@ -2408,25 +2421,43 @@ export class SubmissionService {
       return emptyContext;
     }
 
+    const requesterUserId =
+      authUser?.userId !== undefined && authUser?.userId !== null
+        ? String(authUser.userId).trim()
+        : '';
+
     const isPrivilegedRequester = authUser?.isMachine || isAdmin(authUser);
+    if (!isPrivilegedRequester && !requesterUserId) {
+      for (const submission of submissions) {
+        if (Object.prototype.hasOwnProperty.call(submission, 'review')) {
+          delete (submission as any).review;
+        }
+        if (
+          Object.prototype.hasOwnProperty.call(submission, 'reviewSummation')
+        ) {
+          delete (submission as any).reviewSummation;
+        }
+      }
+      return {
+        ...emptyContext,
+        requesterUserId,
+      };
+    }
+
     if (isPrivilegedRequester) {
-      const requesterUserId =
-        authUser?.userId !== undefined && authUser?.userId !== null
-          ? String(authUser.userId).trim()
-          : '';
       return {
         ...emptyContext,
         requesterUserId,
       };
     }
 
-    const uid =
-      authUser?.userId !== undefined && authUser?.userId !== null
-        ? String(authUser.userId).trim()
-        : '';
+    const uid = requesterUserId;
 
     if (!uid) {
-      return emptyContext;
+      return {
+        ...emptyContext,
+        requesterUserId,
+      };
     }
 
     const challengeIds = Array.from(
@@ -3397,7 +3428,26 @@ export class SubmissionService {
     }
 
     const uid = visibilityContext.requesterUserId;
+    this.logger.debug(
+      `[stripSubmitterSubmissionDetails] requesterUserId=${uid ?? '<undefined>'}`,
+    );
     if (!uid) {
+      this.logger.debug(
+        '[stripSubmitterSubmissionDetails] Anonymized requester; removing review metadata and URLs.',
+      );
+      for (const submission of submissions) {
+        if (Object.prototype.hasOwnProperty.call(submission, 'review')) {
+          delete (submission as any).review;
+        }
+        if (
+          Object.prototype.hasOwnProperty.call(submission, 'reviewSummation')
+        ) {
+          delete (submission as any).reviewSummation;
+        }
+        if (Object.prototype.hasOwnProperty.call(submission, 'url')) {
+          (submission as any).url = null;
+        }
+      }
       return;
     }
 
@@ -3472,6 +3522,19 @@ export class SubmissionService {
 
     const uid = visibilityContext.requesterUserId;
     if (!uid) {
+      for (const submission of submissions) {
+        if (Object.prototype.hasOwnProperty.call(submission, 'review')) {
+          delete (submission as any).review;
+        }
+        if (
+          Object.prototype.hasOwnProperty.call(submission, 'reviewSummation')
+        ) {
+          delete (submission as any).reviewSummation;
+        }
+        if (Object.prototype.hasOwnProperty.call(submission, 'url')) {
+          (submission as any).url = null;
+        }
+      }
       return;
     }
 

src/dto/reviewApplication.dto.ts

@@ -1,4 +1,5 @@
 import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
+import type { ReviewOpportunityType as PrismaReviewOpportunityType } from '@prisma/client';
 import { IsIn, IsNotEmpty, IsOptional, IsString } from 'class-validator';
 import { ReviewOpportunityType } from './reviewOpportunity.dto';
 
@@ -37,7 +38,7 @@ export const ReviewApplicationRoleIds: Record<ReviewApplicationRole, number> = {
 // read from review_application_role_lu.review_auction_type_id
 export const ReviewApplicationRoleOpportunityTypeMap: Record<
   ReviewApplicationRole,
-  ReviewOpportunityType
+  PrismaReviewOpportunityType
 > = {
   PRIMARY_REVIEWER: ReviewOpportunityType.COMPONENT_DEV_REVIEW,
   SECONDARY_REVIEWER: ReviewOpportunityType.COMPONENT_DEV_REVIEW,

src/shared/guards/tokenRoles.guard.spec.ts

@@ -20,7 +20,7 @@ describe('TokenRolesGuard', () => {
   type TestRequest = Record<string, unknown> & {
     method: string;
     query: Record<string, unknown>;
-    user: {
+    user?: {
       userId: string;
       isMachine: boolean;
       roles?: unknown[];
@@ -132,5 +132,16 @@ describe('TokenRolesGuard', () => {
 
       expect(() => guard.canActivate(context)).toThrow(ForbiddenException);
     });
+
+    it('allows anonymous access when challengeId is provided', () => {
+      const request = {
+        method: 'GET',
+        query: { challengeId: '12345' },
+      };
+
+      const context = createExecutionContext(request as TestRequest);
+
+      expect(guard.canActivate(context)).toBe(true);
+    });
   });
 });