Allow all users, including anonymous, to pull submission details (not including reviews)

Author: jmgasper

package.json

@@ -49,7 +49,7 @@
     "pg-boss": "^11.0.5",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.1",
-    "tc-core-library-js": "appirio-tech/tc-core-library-js.git#security"
+    "tc-core-library-js": "topcoder-platform/tc-core-library-js.git#master"
   },
   "devDependencies": {
     "@eslint/eslintrc": "^3.2.0",

pnpm-lock.yaml

@@ -197,7 +197,8 @@ export class SubmissionController {
     this.logger.log(
       `Getting submissions with filters - ${JSON.stringify(queryDto)}`,
     );
-    const authUser: JwtUser = req['user'] as JwtUser;
+    const authUser: JwtUser =
+      (req['user'] as JwtUser) ?? ({ isMachine: false, roles: [] } as JwtUser);
     return this.service.listSubmission(
       authUser,
       queryDto,

src/api/submission/submission.controller.ts

@@ -510,6 +510,7 @@ describe('SubmissionService', () => {
       reviewType: {
         findMany: jest.Mock;
       };
+      $queryRaw: jest.Mock;
     };
     let prismaErrorServiceMock: { handleError: jest.Mock };
     let challengePrismaMock: {
@@ -537,9 +538,14 @@ describe('SubmissionService', () => {
         reviewType: {
           findMany: jest.fn().mockResolvedValue([]),
         },
+        $queryRaw: jest.fn().mockResolvedValue([]),
       };
       prismaErrorServiceMock = {
-        handleError: jest.fn(),
+        handleError: jest.fn().mockReturnValue({
+          message: 'Unexpected error',
+          code: 'INTERNAL_ERROR',
+          details: {},
+        }),
       };
       challengePrismaMock = {
         $queryRaw: jest.fn().mockResolvedValue([]),
@@ -624,6 +630,7 @@ describe('SubmissionService', () => {
       prismaMock.submission.findFirst.mockResolvedValue({
         id: 'submission-new',
       });
+      prismaMock.$queryRaw.mockResolvedValue([{ id: 'submission-new' }]);
 
       const result = await listService.listSubmission(
         { isMachine: false } as any,
@@ -1241,5 +1248,56 @@ describe('SubmissionService', () => {
       expect(screeningReview?.reviewerHandle).toBe('screeningHandle');
       expect(screeningReview?.reviewerMaxRating).toBe(2000);
     });
+
+    it('exposes submitter identity but strips reviews for anonymous challenge queries', async () => {
+      const now = new Date('2025-02-01T12:00:00Z');
+      const submissions = [
+        {
+          id: 'submission-anon',
+          challengeId: 'challenge-1',
+          memberId: '101',
+          submittedDate: now,
+          createdAt: now,
+          updatedAt: now,
+          type: SubmissionType.CONTEST_SUBMISSION,
+          status: SubmissionStatus.ACTIVE,
+          review: [{ id: 'review-public', score: 100 }],
+          reviewSummation: [{ id: 'summation-public' }],
+          url: 'https://example.com/submission.zip',
+          legacyChallengeId: null,
+          prizeId: null,
+        },
+      ];
+
+      prismaMock.submission.findMany.mockResolvedValue(
+        submissions.map((entry) => ({ ...entry })),
+      );
+      prismaMock.submission.count.mockResolvedValue(submissions.length);
+      prismaMock.submission.findFirst.mockResolvedValue({
+        id: 'submission-anon',
+      });
+
+      memberPrismaMock.member.findMany.mockResolvedValue([
+        {
+          userId: BigInt(101),
+          handle: 'anonUser',
+          maxRating: { rating: 1500 },
+        },
+      ]);
+
+      const result = await listService.listSubmission(
+        { isMachine: false, roles: [] } as any,
+        { challengeId: 'challenge-1' } as any,
+        { page: 1, perPage: 10 } as any,
+      );
+
+      const submissionResult = result.data[0];
+      expect(submissionResult.memberId).toBe('101');
+      expect(submissionResult.submitterHandle).toBe('anonUser');
+      expect(submissionResult.submitterMaxRating).toBe(1500);
+      expect(submissionResult).not.toHaveProperty('review');
+      expect(submissionResult).not.toHaveProperty('reviewSummation');
+      expect(submissionResult.url).toBeNull();
+    });
   });
 });

src/api/submission/submission.service.spec.ts

@@ -1808,9 +1808,11 @@ export class SubmissionService {
         : undefined;
 
       if (requestedMemberId) {
-        const userId = authUser.userId ? String(authUser.userId) : undefined;
+        const userId = authUser?.userId
+          ? String(authUser.userId)
+          : undefined;
         const isRequestingMember = userId === requestedMemberId;
-        const hasCopilotRole = (authUser.roles ?? []).includes(
+        const hasCopilotRole = (authUser?.roles ?? []).includes(
           UserRole.Copilot,
         );
         const hasElevatedAccess = isAdmin(authUser) || hasCopilotRole;
@@ -1858,7 +1860,11 @@ export class SubmissionService {
           : '';
 
       let restrictedChallengeIds = new Set<string>();
-      if (!isPrivilegedRequester && requesterUserId) {
+      if (
+        !isPrivilegedRequester &&
+        requesterUserId &&
+        !queryDto.challengeId
+      ) {
         try {
           restrictedChallengeIds =
             await this.getActiveSubmitterRestrictedChallengeIds(
@@ -1881,7 +1887,8 @@ export class SubmissionService {
       if (
         !isPrivilegedRequester &&
         requesterUserId &&
-        restrictedChallengeIds.size
+        restrictedChallengeIds.size &&
+        !queryDto.challengeId
       ) {
         const restrictedList = Array.from(restrictedChallengeIds);
         const restrictionCriteria: Prisma.submissionWhereInput = {
@@ -1924,12 +1931,13 @@ export class SubmissionService {
         orderBy,
       });
 
-      // Enrich with submitter handle and max rating for authorized callers
-      const canViewSubmitter = await this.canViewSubmitterIdentity(
-        authUser,
-        queryDto.challengeId,
-      );
-      if (canViewSubmitter && submissions.length) {
+      // Enrich with submitter handle and max rating (always for challenge listings)
+      const shouldEnrichSubmitter =
+        submissions.length > 0 &&
+        (queryDto.challengeId
+          ? true
+          : await this.canViewSubmitterIdentity(authUser, queryDto.challengeId));
+      if (shouldEnrichSubmitter) {
         try {
           const memberIds = Array.from(
             new Set(
@@ -1939,11 +1947,24 @@ export class SubmissionService {
             ),
           );
           if (memberIds.length) {
-            const idsAsBigInt = memberIds.map((id) => BigInt(id));
-            const members = await this.memberPrisma.member.findMany({
-              where: { userId: { in: idsAsBigInt } },
-              include: { maxRating: true },
-            });
+            const idsAsBigInt: bigint[] = [];
+            for (const id of memberIds) {
+              try {
+                idsAsBigInt.push(BigInt(id));
+              } catch (error) {
+                this.logger.debug(
+                  `[listSubmission] Skipping submitter ${id}: unable to convert to BigInt. ${error}`,
+                );
+              }
+            }
+
+            const members =
+              idsAsBigInt.length > 0
+                ? await this.memberPrisma.member.findMany({
+                    where: { userId: { in: idsAsBigInt } },
+                    include: { maxRating: true },
+                  })
+                : [];
             const map = new Map<
               string,
               { handle: string; maxRating: number | null }
@@ -1997,11 +2018,6 @@ export class SubmissionService {
         submissions,
         reviewVisibilityContext,
       );
-      this.stripSubmitterMemberIds(
-        authUser,
-        submissions,
-        reviewVisibilityContext,
-      );
       await this.stripIsLatestForUnlimitedChallenges(submissions);
 
       this.logger.log(
@@ -2404,25 +2420,43 @@ export class SubmissionService {
       return emptyContext;
     }
 
+    const requesterUserId =
+      authUser?.userId !== undefined && authUser?.userId !== null
+        ? String(authUser.userId).trim()
+        : '';
+
     const isPrivilegedRequester = authUser?.isMachine || isAdmin(authUser);
+    if (!isPrivilegedRequester && !requesterUserId) {
+      for (const submission of submissions) {
+        if (Object.prototype.hasOwnProperty.call(submission, 'review')) {
+          delete (submission as any).review;
+        }
+        if (
+          Object.prototype.hasOwnProperty.call(submission, 'reviewSummation')
+        ) {
+          delete (submission as any).reviewSummation;
+        }
+      }
+      return {
+        ...emptyContext,
+        requesterUserId,
+      };
+    }
+
     if (isPrivilegedRequester) {
-      const requesterUserId =
-        authUser?.userId !== undefined && authUser?.userId !== null
-          ? String(authUser.userId).trim()
-          : '';
       return {
         ...emptyContext,
         requesterUserId,
       };
     }
 
-    const uid =
-      authUser?.userId !== undefined && authUser?.userId !== null
-        ? String(authUser.userId).trim()
-        : '';
+    const uid = requesterUserId;
 
     if (!uid) {
-      return emptyContext;
+      return {
+        ...emptyContext,
+        requesterUserId,
+      };
     }
 
     const challengeIds = Array.from(
@@ -3393,7 +3427,26 @@ export class SubmissionService {
     }
 
     const uid = visibilityContext.requesterUserId;
+    this.logger.debug(
+      `[stripSubmitterSubmissionDetails] requesterUserId=${uid ?? '<undefined>'}`,
+    );
     if (!uid) {
+      this.logger.debug(
+        '[stripSubmitterSubmissionDetails] Anonymized requester; removing review metadata and URLs.',
+      );
+      for (const submission of submissions) {
+        if (Object.prototype.hasOwnProperty.call(submission, 'review')) {
+          delete (submission as any).review;
+        }
+        if (
+          Object.prototype.hasOwnProperty.call(submission, 'reviewSummation')
+        ) {
+          delete (submission as any).reviewSummation;
+        }
+        if (Object.prototype.hasOwnProperty.call(submission, 'url')) {
+          (submission as any).url = null;
+        }
+      }
       return;
     }
 
@@ -3468,6 +3521,19 @@ export class SubmissionService {
 
     const uid = visibilityContext.requesterUserId;
     if (!uid) {
+      for (const submission of submissions) {
+        if (Object.prototype.hasOwnProperty.call(submission, 'review')) {
+          delete (submission as any).review;
+        }
+        if (
+          Object.prototype.hasOwnProperty.call(submission, 'reviewSummation')
+        ) {
+          delete (submission as any).reviewSummation;
+        }
+        if (Object.prototype.hasOwnProperty.call(submission, 'url')) {
+          (submission as any).url = null;
+        }
+      }
       return;
     }
 

src/api/submission/submission.service.ts

@@ -20,7 +20,7 @@ describe('TokenRolesGuard', () => {
   type TestRequest = Record<string, unknown> & {
     method: string;
     query: Record<string, unknown>;
-    user: {
+    user?: {
       userId: string;
       isMachine: boolean;
       roles?: unknown[];
@@ -132,5 +132,16 @@ describe('TokenRolesGuard', () => {
 
       expect(() => guard.canActivate(context)).toThrow(ForbiddenException);
     });
+
+    it('allows anonymous access when challengeId is provided', () => {
+      const request = {
+        method: 'GET',
+        query: { challengeId: '12345' },
+      };
+
+      const context = createExecutionContext(request as TestRequest);
+
+      expect(guard.canActivate(context)).toBe(true);
+    });
   });
 });