From cc8d491e96fb287220a0d6193b118c5dc32a5cd0 Mon Sep 17 00:00:00 2001
From: EDRipper
Date: Fri, 12 Dec 2025 14:24:47 -0500
Subject: [PATCH] fix: freeze fields on design submission to prevent fraudulent setting of approval (TY Charmunk!)

---
 backend/api/designs.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/backend/api/designs.rb b/backend/api/designs.rb
index 5cd2e21..785f2b4 100644
--- a/backend/api/designs.rb
+++ b/backend/api/designs.rb
@@ -16,6 +16,8 @@ class DesignsTable < AirctiveRecord::Base
   end
 
 class Designs < Base
+  DESIGN_ALLOWED_FIELDS = %w[Name Description Image_URL].freeze
+
   resource :designs do
     get :all do
       error!('Unauthorized', 401) unless current_user
@@ -53,9 +55,11 @@ class Designs < Base
 
     post do
       error!('Unauthorized', 401) unless current_user
-      fields = params[:fields] || {}
-      fields['slack_id'] = current_user[:slack_id] || current_user[:id]
-      DesignsTable.create(fields)
+      safe_fields = (params[:fields] || {}).slice(*DESIGN_ALLOWED_FIELDS)
+      safe_fields['slack_id'] = current_user[:slack_id] || current_user[:id]
+      safe_fields['Status'] = 'pending'
+      safe_fields['Votes'] = 0
+      DesignsTable.create(safe_fields)
     end
 
     route_param :id do
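Review bot: `DESIGN_ALLOWED_FIELDS` is the security boundary for the `post` handler but carries no comment saying so, so the next person adding a column may widen it without noticing what it protects. I would add above it: `# Columns a submitter may set directly. Status, Votes and slack_id are assigned server-side in post; never add them here.` The constant spells columns with their table-style capitalisation (`Name`, `Image_URL`), which presumably must match the keys the client sends exactly, and a case mismatch silently drops the field rather than erroring; that is worth a line in the same comment. The `class Designs < Base` body continues past this hunk.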
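Review bot: `(params[:fields] || {}).slice(*DESIGN_ALLOWED_FIELDS)` assumes `params[:fields]` is a hash; a client that sends `fields` as a string or array will raise inside `slice` and turn a malformed request into a 500 instead of a 400. Add a shape check before the allowlist, e.g. `error!('Bad Request', 400) unless params[:fields].nil? || params[:fields].is_a?(Hash)`. If the framework hands the handler symbol-keyed params, the string allowlist matches nothing and silently drops every field, so a test that a valid submission actually persists `Name` would catch that. `Image_URL` remains attacker-controlled; if it is later fetched server-side or rendered as a link, it should be validated as an http(s) URL at this boundary rather than trusted downstream. The `post` block is complete in the hunk, but the enclosing `resource :designs do` opens in the previous hunk and closes outside it.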