fix: prevent infinite retries on auto-graded assessments

[Vaishnav-Hub9]

This pull request addresses a critical logic loophole in the submitRound endpoint that allowed students to infinitely resubmit answers for auto-graded assessments and overwrite their scores to achieve 100%.

Previously, the student.service.ts used Prisma's upsert method without verifying if the existing roundSubmission was already marked as COMPLETED.

Changes Made:
Fetched the existingSubmission state concurrently within the existing Promise.all block (zero performance penalty).
Added a strict validation check: if (existingSubmission && existingSubmission.status === "COMPLETED") to block multiple submissions.
Safely throws a descriptive Error("You have already submitted this assessment.")to halt the process, fully closing the loophole.

Closes #303

Summary by CodeRabbit

• Bug Fixes
  • Fixed an issue where completed assessments could be resubmitted. The system now prevents resubmission of rounds marked as completed.

[coderabbitai]

Warning

Rate limit exceeded

@Vaishnav-Hub9 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 54 minutes and 46 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 460b7799-9b44-4b1c-b3e8-7085fe719044

📥 Commits

Reviewing files that changed from the base of the PR and between a06d0c8 and c6281dc.

📒 Files selected for processing (1)

• server/src/module/student/student.service.ts

📝 Walkthrough

Walkthrough

The StudentService.submitRound method now fetches the existing round submission concurrently with application and round data. A guard check prevents upsert operations on already-completed submissions, blocking resubmission of auto-graded assessments.

Changes

Submission Resubmission Prevention

Layer / File(s)	Summary
Completion Status Validation server/src/module/student/student.service.ts	submitRound adds parallel fetching of existingSubmission and introduces a guard that throws an error if the submission status is already "COMPLETED", preventing students from resubmitting completed assessments.

Poem

🐰 A loophole sealed with careful care,
No second chances in the air.
Assessments locked when scores are done,
No cheating via resubmit run!

🎯 3 (Moderate) | ⏱️ ~15 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: preventing infinite retries on auto-graded assessments by blocking resubmission of completed submissions.
Linked Issues check	✅ Passed	The changes implement all coding requirements from issue #303: fetching existingSubmission concurrently, validating completion status, and throwing an error to block resubmission.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing the bug in issue #303; no unrelated modifications or scope creep detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@server/src/module/student/student.service.ts`:
- Around line 252-266: The pre-check using prisma.roundSubmission.findUnique and
the subsequent prisma.roundSubmission.upsert are vulnerable to TOCTOU race
conditions; make the “not already COMPLETED” guard atomic by moving the check
into the write transaction. Replace the separate findUnique + upsert flow with a
transaction that first attempts a conditional update (e.g.,
prisma.roundSubmission.updateMany({ where: { applicationId, roundId, status: {
not: "COMPLETED" } }, data: { ...changes } }) and inspects the count) and if the
update affected 0 rows then either throw if a COMPLETED row exists or create the
submission via create inside the same transaction; reference
prisma.roundSubmission.findUnique, prisma.roundSubmission.updateMany / create,
applicationId_roundId, and the existingSubmission logic to implement this atomic
guarded write.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e534f442-a9d8-47a9-872a-2ac4ca88a136

📥 Commits

Reviewing files that changed from the base of the PR and between 3552efa and a06d0c8.

⛔ Files ignored due to path filters (1)

• client/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• server/src/module/student/student.service.ts

[Vaishnav-Hub9]

Hi @Sachinchaurasiya360 .
I have raised the pr for issue #303 .
Please look into it and review.
Thank you.

Also, could u please add GSSoC labels so that it will help in my contribution points.
Once again, Thank you

[Vaishnav-Hub9]

Hi @Sachinchaurasiya360 .
Could u please look into this pr.
Thank you.