staging into main 20250512

Gemfile

@@ -25,6 +25,7 @@ gem 'pundit'
 gem 'redis', '~> 5.0'
 gem 'sentry-ruby'
 gem 'sentry-rails'
+gem 'stackprof'
 gem 'sidekiq', '~> 7.3'
 gem 'sassc-rails'
 gem 'simple_form', '~> 5.3'

Gemfile.lock

@@ -317,14 +317,15 @@ GEM
       rspec-mocks (~> 3.12)
       rspec-support (~> 3.12)
     racc (1.8.1)
-    rack (3.1.12)
+    rack (3.1.14)
     rack-accept (0.4.5)
       rack (>= 0.4)
     rack-protection (4.1.1)
       base64 (>= 0.1.0)
       logger (>= 1.6.0)
       rack (>= 3.0.0, < 4)
-    rack-session (2.0.0)
+    rack-session (2.1.1)
+      base64 (>= 0.1.0)
       rack (>= 3.0.0)
     rack-test (2.1.0)
       rack (>= 1.3)
@@ -500,6 +501,7 @@ GEM
       net-scp (>= 1.1.2)
       net-sftp (>= 2.1.2)
       net-ssh (>= 2.8.0)
+    stackprof (0.2.27)
     stimulus-rails (1.3.4)
       railties (>= 6.0.0)
     stringio (3.1.1)
@@ -600,6 +602,7 @@ DEPENDENCIES
   simple_form (~> 5.3)
   simplecov
   skylight
+  stackprof
   stimulus-rails
   turbo-rails
   turnout2024

app/controllers/entries_controller.rb

@@ -139,7 +139,7 @@ def set_entry
 
     # For applicant_profile, we want to find the entry first, then authorize it
     def set_entry_for_profile
-      @entry = Entry.find(params[:id])
+      @entry = policy_scope(Entry).find(params[:id])
     end
 
     def authorize_entry

app/controllers/round_judge_assignments_controller.rb

@@ -11,7 +11,7 @@ def index
 
   def create
     @round_judge_assignment = @judging_round.round_judge_assignments.build(round_judge_assignment_params)
-    
+
     if @round_judge_assignment.save
       redirect_to container_contest_description_contest_instance_judging_round_round_judge_assignments_path(
         @container, @contest_description, @contest_instance, @judging_round
@@ -33,7 +33,7 @@ def destroy
   private
 
   def set_judging_round
-    @container = Container.find(params[:container_id])
+    @container = policy_scope(Container).find(params[:container_id])
     @contest_description = @container.contest_descriptions.find(params[:contest_description_id])
     @contest_instance = @contest_description.contest_instances.find(params[:contest_instance_id])
     @judging_round = @contest_instance.judging_rounds.find(params[:judging_round_id])

app/controllers/user_roles_controller.rb

@@ -54,7 +54,7 @@ def destroy
   private
 
   def set_user_role
-    @user_role = UserRole.find(params[:id])
+    @user_role = policy_scope(UserRole).find(params[:id])
   end
 
   def user_role_params

app/views/applicant_dashboard/_available_contests.html.erb

@@ -3,7 +3,7 @@
   <% if params[:filter] && (params[:filter][:department_id].present? || params[:filter][:container_id].present?) %>
     <h2>Filtered Contests</h2>
     <p>
-      Showing contests for 
+      Showing contests for
       <% if params[:filter][:department_id].present? %>
         <% department = Department.find_by(id: params[:filter][:department_id]) %>
         <% if department %>
@@ -44,12 +44,12 @@
       <% end %>
     <% end %>
   </div>
-  
+
   <% if @active_contests_by_container.any? %>
     <% @active_contests_by_container.each do |container, contests| %>
       <%= render partial: 'applicant_dashboard/contest_table', locals: { container: container, contests: contests } %>
     <% end %>
   <% else %>
     <p>No active contests available for your class level.</p>
   <% end %>
-</div>
+</div>

app/views/applicant_dashboard/_contest_table.html.erb

@@ -24,7 +24,7 @@
                           data: { 'bs-toggle': 'tooltip' },
                           title: 'Enter contest',
                           aria: { label: 'Enter contest' } do %>
-                <i class="bi bi-pencil" style="font-size: 1.5rem;" aria-hidden="true"></i>
+                <i class="bi bi-send-arrow-up" style="font-size: 1.5rem;" aria-hidden="true"></i>
                 <span class="visually-hidden">Enter instance</span>
               <% end %>
             </td>
@@ -33,4 +33,4 @@
       </tbody>
     </table>
   </div>
-</div>
+</div>

app/views/applicant_dashboard/_inactive_submissions_summary.html.erb

@@ -0,0 +1,56 @@
+<div class="card bg-light mt-4">
+  <div class="card-header bg-light">
+    <div class="d-flex align-items-center">
+      <i class="bi bi-clock-history me-2 text-muted"></i>
+      <h5 class="card-title mb-0 text-muted">Past Contest Entries</h5>
+    </div>
+  </div>
+  <div class="card-body p-0">
+    <% if (content = render_editable_content('applicant_dashboard', 'inactivesubmission_summary')) %>
+      <div class="p-3 border-bottom">
+        <%= content %>
+      </div>
+    <% end %>
+    <div class="table-responsive">
+      <table class="table table-sm table-hover mb-0">
+        <thead class="table-light">
+          <tr>
+            <th>Contest</th>
+            <th>Title</th>
+            <th>Type</th>
+            <th>Submitted</th>
+            <th class="text-center">Entry</th>
+          </tr>
+        </thead>
+        <tbody>
+          <% @entries.joins(:contest_instance).where(contest_instances: { active: false }).each do |entry| %>
+            <tr id="<%= dom_id(entry) %>" data-controller="fade-out">
+              <td><small><%= "#{entry.contest_instance.contest_description.name } - #{entry.contest_instance.date_open.year}" %></small></td>
+              <td><small><%= entry.title %></small></td>
+              <td><small><%= entry.category.kind %></small></td>
+              <td><small><%= entry.created_at.strftime("%b %d, %Y") %></small></td>
+              <td class="text-center">
+                <% if entry.entry_file.attached? %>
+                  <div class="d-flex flex-row justify-content-center">
+                    <%= link_to rails_blob_path(entry.entry_file, disposition: "inline"),
+                                target: "_blank", rel: "noopener", class: "me-2",
+                                title: "View in new tab", aria: { label: "View file" } do %>
+                      <i class="bi bi-eye text-muted" style="font-size: 1.2rem;" aria-hidden="true"></i>
+                    <% end %>
+                    <%= link_to rails_blob_path(entry.entry_file, disposition: "attachment"),
+                                download: "", class: "me-2",
+                                title: "Download file", aria: { label: "Download file" } do %>
+                      <i class="bi bi-download text-muted" style="font-size: 1.2rem;" aria-hidden="true"></i>
+                    <% end %>
+                  </div>
+                <% else %>
+                  <small class="text-muted">No file</small>
+                <% end %>
+              </td>
+            </tr>
+          <% end %>
+        </tbody>
+      </table>
+    </div>
+  </div>
+</div>

app/views/applicant_dashboard/_submissions_summary.html.erb

@@ -1,6 +1,6 @@
 <div class="mt-4">
   <div class="">
-    <h2 class="">Contests You Have Entered:</h2>
+    <h2 class="">Active Contests You Have Entered:</h2>
     <% if (content = render_editable_content('applicant_dashboard', 'submission_summary')) %>
       <%= content %>
     <% end %>
@@ -18,22 +18,26 @@
         </tr>
       </thead>
       <tbody>
-        <% @entries.each do |entry| %>
+        <% @entries.joins(:contest_instance).where(contest_instances: { active: true }).each do |entry| %>
           <tr id="<%= dom_id(entry) %>" data-controller="fade-out">
             <td><%= "#{entry.contest_instance.contest_description.name } - #{entry.contest_instance.date_open.year}" %></td>
             <td><%= entry.title %></td>
             <td><%= entry.category.kind %></td>
             <td><%= entry.created_at.strftime("%B %d, %Y") %></td>
             <td class="text-center">
               <% if entry.entry_file.attached? %>
-                <%= link_to rails_blob_path(entry.entry_file, disposition: "inline"), target: "_blank", rel: "noopener", class: "me-2", title: "View in new tab" do %>
-                  <i class="bi bi-eye" style="font-size: 1.5rem;" aria-hidden="true"></i>
-                  <span class="visually-hidden">View file</span>
-                <% end %>
-                <%= link_to rails_blob_path(entry.entry_file, disposition: "attachment"), download: "", class: "me-2", title: "Download file" do %>
-                  <i class="bi bi-download" style="font-size: 1.5rem;" aria-hidden="true"></i>
-                  <span class="visually-hidden">Download file</span>
-                <% end %>
+                <div class="d-flex flex-row justify-content-center">
+                  <%= link_to rails_blob_path(entry.entry_file, disposition: "inline"),
+                              target: "_blank", rel: "noopener", class: "me-2",
+                              title: "View in new tab", aria: { label: "View file" } do %>
+                    <i class="bi bi-eye" style="font-size: 1.5rem;" aria-hidden="true"></i>
+                  <% end %>
+                  <%= link_to rails_blob_path(entry.entry_file, disposition: "attachment"),
+                              download: "", class: "me-2",
+                              title: "Download file", aria: { label: "Download file" } do %>
+                    <i class="bi bi-download" style="font-size: 1.5rem;" aria-hidden="true"></i>
+                  <% end %>
+                </div>
               <% else %>
                 No file attached
               <% end %>
@@ -61,4 +65,4 @@
       </tbody>
     </table>
   </div>
-</div>
+</div>

app/views/applicant_dashboard/index.html.erb

@@ -13,14 +13,20 @@
           <%= render 'applicant_dashboard/opportunities' %>
         </div>
       </div>
+      <div class="row">
+        <div class="col-12 available-contests" id="available-contests">
+          <%= render 'applicant_dashboard/available_contests' %>
+        </div>
+      </div>
       <div class="row">
         <div class="col-12 submissions-summary" id="submissions-summary">
           <%= render 'applicant_dashboard/submissions_summary', submissions: @submissions %>
         </div>
       </div>
+      <hr class="my-4 w-75 mx-auto">
       <div class="row">
-        <div class="col-12 available-contests" id="available-contests">
-          <%= render 'applicant_dashboard/available_contests' %>
+        <div class="col-12 submissions-summary" id="inactive-submissions-summary">
+          <%= render 'applicant_dashboard/inactive_submissions_summary', submissions: @submissions %>
         </div>
       </div>
     </div>

app/views/containers/_form.html.erb

@@ -1,4 +1,7 @@
 <div id="container_form">
+  <% if (content = render_editable_content('container', 'form_instructions')) %>
+    <%= content %>
+  <% end %>
   <%= simple_form_for(@container, html: { id: 'new_container_form' }) do |f| %>
     <%= f.error_notification %>
     <%= f.error_notification message: f.object.errors[:base].to_sentence if f.object.errors[:base].present? %>
@@ -17,10 +20,11 @@
 
       <%= f.input :visibility_id,
                   collection: Visibility.all,
+                  label: 'Dashboard Visibility',
                   label_method: :kind,
                   value_method: :id,
                   hint: safe_join([
-                    content_tag(:strong, "Public"), " visibility means that this collection of contests will be visible in the applicant's dashboard. ",
+                    content_tag(:strong, "Public"), " visibility means that this collection of contests will be visible to all user's of LSA Evaluate.",
                     tag(:br),
                     content_tag(:strong, "Private"), " visibility requires you provide a special link to applicants in order for them to apply to this collection of contests, it will NOT be visible in the applicant's dashboard."
                   ]),

app/views/shared/_footer.html.erb

@@ -4,13 +4,19 @@
       <p class="d-none d-md-block">
         <%= image_tag 'LSA_Technology_logo.svg', alt: 'LSA Technology Logo', class: "img-fluid" %>
         <% if user_signed_in? && current_user.axis_mundi? %>
-          <%= link_to editable_contents_path, class: "edit-icon", data: { bs_toggle: "tooltip", bs_placement: "top" }, title: "Edit the text blocks in the application" do %>
-            <i class="bi bi-pencil" aria-label="Edit Content"></i>
-          <% end %>
-          |
-           <%= link_to users_dashboard_index_path, class: "profile-icon", data: { bs_toggle: "tooltip", bs_placement: "top" }, title: "Users Dashboard" do %>
-            <i class="bi bi-people" aria-label="Users Dashboard"></i>
-          <% end %>
+          <div class="d-flex flex-row justify-content-center">
+            <%= link_to editable_contents_path, class: "edit-icon", data: { bs_toggle: "tooltip", bs_placement: "top" }, title: "Edit the text blocks in the application" do %>
+              <i class="bi bi-pencil-fill" aria-label="Edit Instruction Content"></i>
+            <% end %>
+            <span class="mx-2 align-middle text-secondary">|</span>
+            <%= link_to users_dashboard_index_path, class: "profile-icon", data: { bs_toggle: "tooltip", bs_placement: "top" }, title: "Users Dashboard" do %>
+              <i class="bi bi-people-fill" aria-label="Users Dashboard"></i>
+            <% end %>
+            <span class="mx-2 align-middle text-secondary">|</span>
+            <%= link_to departments_path, class: "profile-icon", data: { bs_toggle: "tooltip", bs_placement: "top" }, title: "Departments" do %>
+              <i class="bi bi-building" aria-label="Departments"></i>
+            <% end %>
+          </div>
         <% end %>
       </p>
       <p class="text-center footer-bold d-md-none">

config/application.rb

@@ -20,6 +20,41 @@
 # you've limited to :test, :development, or :production.
 Bundler.require(*Rails.groups)
 
+# Custom middleware to block PHP-related requests
+class Rack::Defense
+  def initialize(app)
+    @app = app
+  end
+
+  def call(env)
+    request = Rack::Request.new(env)
+
+    # Block requests with PHP-related content
+    if request.post? && (
+      request.path.include?('.php') ||
+      request.query_string.include?('php') ||
+      request.content_type.to_s.include?('php') ||
+      request.body.read.to_s.include?('php')
+    )
+      return [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
+    end
+
+    # Block requests with suspicious headers
+    if request.env['HTTP_USER_AGENT'].to_s.include?('Custom-AsyncHttpClient') ||
+       request.env['HTTP_X_REQUEST_ID'].to_s.include?('cve_2024_4577')
+      return [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
+    end
+
+    # Block known malicious IPs
+    suspicious_ips = ['91.99.22.81'] # Add more IPs as needed
+    if suspicious_ips.include?(request.ip)
+      return [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
+    end
+
+    @app.call(env)
+  end
+end
+
 module LsaEvaluate
   class Application < Rails::Application # rubocop:disable Style/Documentation
     # Initialize configuration defaults for originally generated Rails version.
@@ -43,5 +78,16 @@ class Application < Rails::Application # rubocop:disable Style/Documentation
     # config.eager_load_paths << Rails.root.join("extras")
     # Don't generate system test files.
     config.generators.system_tests = nil
+
+    # Add security middleware
+    config.middleware.use Rack::Defense
+
+    # Configure rate limiting
+    config.action_dispatch.rate_limiter = {
+      limit: 300,
+      period: 5.minutes,
+      store: :redis,
+      key: ->(request) { request.ip }
+    }
   end
 end

db/seeds.rb

@@ -63,7 +63,11 @@
                           { page: "judging_assignments", section: "round_specific_instructions",
                             content: ActionText::RichText.new(body: "Instructions for the round_specific_instructions") },
                           { page: "judging_rounds", section: "comment_interface_behavior",
-                            content: ActionText::RichText.new(body: "Instructions for the comment_interface_behavior") }
+                            content: ActionText::RichText.new(body: "Instructions for the comment_interface_behavior") },
+                          { page: "applicant_dashboard", section: "inactivesubmission_summary",
+                            content: ActionText::RichText.new(body: "Instructions for the inactivesubmission_summary") },
+                          { page: "containers", section: "form_instructions",
+                            content: ActionText::RichText.new(body: "Instructions for the form_instructions") }
                         ])
 
   # Seed data for School

package.json

@@ -7,7 +7,7 @@
     "@popperjs/core": "^2.11.8",
     "@rails/actiontext": "^7.0.8-3",
     "autoprefixer": "^10.4.17",
-    "bootstrap": "^5.3.2",
+    "bootstrap": "^5.3.3",
     "bootstrap-icons": "^1.11.3",
     "esbuild": "^0.25.0",
     "mac-ca": "^3.1.0",
@@ -16,7 +16,7 @@
     "postcss-cli": "^11.0.0",
     "sass": "^1.70.0",
     "sortablejs": "^1.15.6",
-    "trix": "^2.1.12"
+    "trix": "^2.1.15"
   },
   "scripts": {
     "build": "esbuild app/javascript/*.* --bundle --sourcemap --format=esm --outdir=app/assets/builds --public-path=/assets",