updated from develop

hentrymartin · hentrymartin · commit b4a8a29fcd75 · 2025-09-20T00:27:48.000+02:00
diff --git a/src/api/ai-workflow/ai-workflow.service.ts b/src/api/ai-workflow/ai-workflow.service.ts
@@ -159,7 +159,7 @@ export class AiWorkflowService {
     }
 
     if (!user.userId) {
-      throw new BadRequestException(`User id not available`);
+      throw new BadRequestException(`User id is not available`);
     }
 
     const createdComment = await this.prisma.aiWorkflowRunItemComment.create({
diff --git a/src/api/review/review.service.spec.ts b/src/api/review/review.service.spec.ts
@@ -407,6 +407,28 @@ describe('ReviewService.updateReview challenge status enforcement', () => {
     expect(recomputeSpy).toHaveBeenCalledWith('review-1');
   });
 
+  it('rejects attempts to change immutable identifiers', async () => {
+    await expect(
+      service.updateReview(nonPrivilegedUser, 'review-1', {
+        ...updatePayload,
+        resourceId: 'new-resource',
+      }),
+    ).rejects.toMatchObject({
+      status: 400,
+      response: expect.objectContaining({
+        code: 'REVIEW_UPDATE_IMMUTABLE_FIELDS',
+        details: expect.objectContaining({
+          reviewId: 'review-1',
+          fields: ['resourceId'],
+        }),
+      }),
+    });
+
+    expect(prismaMock.review.findUnique).not.toHaveBeenCalled();
+    expect(prismaMock.review.update).not.toHaveBeenCalled();
+    expect(challengeApiServiceMock.getChallengeDetail).not.toHaveBeenCalled();
+  });
+
   it('allows reviewer tokens to update when the challenge is not completed', async () => {
     const result = await service.updateReview(
       nonPrivilegedUser,
diff --git a/src/api/review/review.service.ts b/src/api/review/review.service.ts
@@ -610,6 +610,21 @@ export class ReviewService {
   ): Promise<ReviewResponseDto> {
     this.logger.log(`Updating review with ID: ${id}`);
 
+    const immutableFields = ['resourceId', 'phaseId', 'submissionId'] as const;
+    const forbiddenUpdates = immutableFields.filter(
+      (field) => (body as Record<string, unknown>)[field] !== undefined,
+    );
+
+    if (forbiddenUpdates.length > 0) {
+      throw new BadRequestException({
+        message: `The following fields cannot be updated: ${forbiddenUpdates.join(
+          ', ',
+        )}.`,
+        code: 'REVIEW_UPDATE_IMMUTABLE_FIELDS',
+        details: { reviewId: id, fields: forbiddenUpdates },
+      });
+    }
+
     const existingReview = await this.prisma.review.findUnique({
       where: { id },
       include: {
diff --git a/src/dto/review.dto.ts b/src/dto/review.dto.ts
@@ -1,4 +1,4 @@
-import { ApiProperty } from '@nestjs/swagger';
+import { ApiHideProperty, ApiProperty, OmitType } from '@nestjs/swagger';
 import { Type } from 'class-transformer';
 import {
   IsString,
@@ -12,6 +12,7 @@ import {
   ValidateNested,
   IsEnum,
   IsInt,
+  IsEmpty,
 } from 'class-validator';
 
 export enum ReviewItemCommentType {
@@ -282,35 +283,38 @@ export class ReviewRequestDto extends ReviewCommonDto {
   reviewItems?: ReviewItemRequestDto[];
 }
 
-export class ReviewPutRequestDto extends ReviewCommonDto {}
+const ReviewPutBase = OmitType(ReviewCommonDto, [
+  'resourceId',
+  'phaseId',
+  'submissionId',
+] as const);
+
+export class ReviewPutRequestDto extends ReviewPutBase {
+  @ApiHideProperty()
+  @IsEmpty({ message: 'resourceId cannot be updated.' })
+  resourceId?: never;
+
+  @ApiHideProperty()
+  @IsEmpty({ message: 'phaseId cannot be updated.' })
+  phaseId?: never;
+
+  @ApiHideProperty()
+  @IsEmpty({ message: 'submissionId cannot be updated.' })
+  submissionId?: never;
+}
 
 export class ReviewPatchRequestDto {
-  @ApiProperty({
-    description: 'Resource ID associated with the review',
-    example: 'resource123',
-  })
-  @IsOptional()
-  @IsString()
-  @IsNotEmpty()
-  resourceId?: string;
+  @ApiHideProperty()
+  @IsEmpty({ message: 'resourceId cannot be updated.' })
+  resourceId?: never;
 
-  @ApiProperty({
-    description: 'Phase ID of the challenge',
-    example: 'phase456',
-  })
-  @IsOptional()
-  @IsString()
-  @IsNotEmpty()
-  phaseId?: string;
+  @ApiHideProperty()
+  @IsEmpty({ message: 'phaseId cannot be updated.' })
+  phaseId?: never;
 
-  @ApiProperty({
-    description: 'Submission ID being reviewed',
-    example: 'submission789',
-  })
-  @IsOptional()
-  @IsString()
-  @IsNotEmpty()
-  submissionId?: string;
+  @ApiHideProperty()
+  @IsEmpty({ message: 'submissionId cannot be updated.' })
+  submissionId?: never;
 
   @ApiProperty({
     description: 'Scorecard ID used for the review',
@@ -450,9 +454,13 @@ export function mapReviewRequestToDto(
       },
     };
   } else {
-    return {
-      ...request,
-    };
+    const sanitizedRequest = { ...request } as Partial<ReviewPatchRequestDto> &
+      Record<string, unknown>;
+    ['resourceId', 'phaseId', 'submissionId'].forEach((field) => {
+      delete sanitizedRequest[field];
+    });
+
+    return sanitizedRequest as ReviewPatchRequestDto;
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,7 @@ export class AiWorkflowService {`
`159`	`159`	`}`
`160`	`160`
`161`	`161`	`if (!user.userId) {`
`162`		- throw new BadRequestException(`User id not available`);
	`162`	+ throw new BadRequestException(`User id is not available`);
`163`	`163`	`}`
`164`	`164`
`165`	`165`	`const createdComment = await this.prisma.aiWorkflowRunItemComment.create({`