From ea08fab87314969ea97bca4eb7c82cd6f7fc1377 Mon Sep 17 00:00:00 2001 From: NickK21 Date: Fri, 6 Feb 2026 21:32:13 -0800 Subject: [PATCH] Scope student course completion queries to authenticated user --- codewit/api/src/controllers/course.ts | 24 +++++++++++++++++++----- codewit/api/src/routes/course.ts | 6 +++--- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/codewit/api/src/controllers/course.ts b/codewit/api/src/controllers/course.ts index 6d5b4a5..1f536ce 100644 --- a/codewit/api/src/controllers/course.ts +++ b/codewit/api/src/controllers/course.ts @@ -283,7 +283,11 @@ async function getStudentCoursesByUid(userUid: number): Promise { +export async function getStudentCourse( + course_id: string, + userUid: number, + transaction?: Transaction +): Promise { const course = await Course.findOne({ where: { id: course_id }, include: [ @@ -295,9 +299,19 @@ export async function getStudentCourse(course_id: string, transaction?: Transact Resource, { association: "demos", - include: [ UserDemoCompletion ], + include: [ + { + model: UserDemoCompletion, + where: { userUid }, + required: false, + }, + ], + }, + { + model: UserModuleCompletion, + where: { userUid }, + required: false, }, - UserModuleCompletion, ], through: { attributes: ['ordering'] }, }, @@ -323,7 +337,7 @@ export async function getStudentCourse(course_id: string, transaction?: Transact let completion = 0.0; - if (module_demo["UserDemoCompletions"]?.length ?? 0 != 0) { + if ((module_demo["UserDemoCompletions"]?.length ?? 0) !== 0) { completion = module_demo["UserDemoCompletions"][0].completion; } @@ -348,7 +362,7 @@ export async function getStudentCourse(course_id: string, transaction?: Transact let completion = 0.0; - if (course_module["UserModuleCompletions"]?.length ?? 0 != 0) { + if ((course_module["UserModuleCompletions"]?.length ?? 0) !== 0) { completion = course_module["UserModuleCompletions"][0].completion; } 
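Review bot: `getStudentCourse` now depends on `userUid` to keep other students' completion rows out of the result, but nothing visible in the new signature or the lines after it rejects a missing value. The `number` annotation is erased at runtime, and this patch does not show how the ORM treats an `undefined` value inside `where`, so the function should fail closed on its own, e.g. `if (!Number.isInteger(userUid)) throw new Error("getStudentCourse requires a user uid");` as its first statement. A doc comment such as `/** Returns the course with completion data for userUid only. */` would also record that this argument is a data-isolation boundary. The function body continues past this hunk.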
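Review bot: Both completion includes in this hunk load every column of the matching rows, while the code that consumes them later in this patch reads only `completion`. Adding `attributes: ['completion']` to the `UserDemoCompletion` and `UserModuleCompletion` include objects would limit the query to what is used, assuming nothing outside the visible hunks needs the other columns. The `where`/`required: false` pair also deserves a comment, for example `// per-user filter; required: false keeps demos and modules that have no completion row`, because dropping either line changes who sees what. A regression test with two enrolled users, asserting that neither sees the other's completion, would pin the behaviour.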
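Review bot: The corrected check still reads `UserDemoCompletions[0]` without any ordering, so the value is only well defined if there is at most one completion row per user and demo; no unique constraint or ordering is visible in this patch. If the schema enforces that invariant, say so in a comment next to the lookup; otherwise select the row deterministically. The guard and the read can also be folded into one expression, `const completion = module_demo["UserDemoCompletions"]?.[0]?.completion ?? 0.0;`. The same applies to the `UserModuleCompletions` lookup in the following hunk.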
diff --git a/codewit/api/src/routes/course.ts b/codewit/api/src/routes/course.ts index 206ec67..6e17d19 100644 --- a/codewit/api/src/routes/course.ts +++ b/codewit/api/src/routes/course.ts @@ -252,7 +252,7 @@ courseRouter.get('/:uid', asyncHandle(async (req, res) => { let student_view = "student_view" in req.query && req.query["student_view"] === "1"; if (student_and_instructor && student_view) { - let course = await getStudentCourse(req.params.uid); + let course = await getStudentCourse(req.params.uid, req.user.uid); if (course == null) { throw new Error("the course was not found when it was found?"); @@ -285,7 +285,7 @@ courseRouter.get('/:uid', asyncHandle(async (req, res) => { ...result, }); } else if (found.is_student) { - let course = await getStudentCourse(req.params.uid); + let course = await getStudentCourse(req.params.uid, req.user.uid); if (course == null) { throw new Error("the course was not found when it was found?"); @@ -528,7 +528,7 @@ courseRouter.post("/:uid/register", asyncHandle(async (req, res) => { } ); - let course = await getStudentCourse(req.params.uid, transaction); + let course = await getStudentCourse(req.params.uid, req.user.uid, transaction); if (course == null) { throw new Error("the course was not found when it was found?");
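Review bot: `req.user.uid` is dereferenced here with no guard in the visible lines, and the same expression is added in the `found.is_student` branch and in the `/:uid/register` handler. All three handlers start outside their hunks, so an authentication check may already run earlier; if it does not, an unauthenticated request fails with a TypeError rather than a 401. Reading the uid once near the top of each handler, e.g. `const userUid = req.user?.uid; if (userUid == null) { res.sendStatus(401); return; }`, and passing `userUid` down would make the dependency on authentication explicit.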