Learn_System/backend/src/routes/submissions.js

const router = require('express').Router();
const multer = require('multer');
const path   = require('path');
const { authMiddleware, requireRole } = require('../middleware/auth');
const ctrl   = require('../controllers/submissionsController');
const { fixUtf8Name } = require('../utils/fixUtf8');

/* ── multer — same dir/types as library uploads ─────────────────────── */
const UPLOADS_DIR = path.join(__dirname, '../../uploads');
const ALLOWED = [
  'application/pdf', 'image/png', 'image/jpeg', 'image/gif', 'image/webp',
  'application/msword',
  'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
  'application/vnd.ms-powerpoint',
  'application/vnd.openxmlformats-officedocument.presentationml.presentation',
  'application/vnd.ms-excel',
  'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
  'text/plain',
];
const SAFE_EXTS = new Set(['.pdf','.png','.jpg','.jpeg','.gif','.webp','.doc','.docx','.ppt','.pptx','.xls','.xlsx','.txt']);
const storage = multer.diskStorage({
  destination: UPLOADS_DIR,
  filename: (_req, file, cb) => {
    const ext  = path.extname(file.originalname);
    const name = require('crypto').randomBytes(16).toString('hex') + ext;
    cb(null, name);
  },
});
const upload = multer({
  storage,
  limits: { fileSize: 50 * 1024 * 1024 },
  fileFilter: (_req, file, cb) => {
    if (!ALLOWED.includes(file.mimetype)) return cb(null, false);
    // Reject double extensions (.php.jpg, .exe.pdf, etc.)
    const name = file.originalname;
    const parts = name.split('.');
    if (parts.length > 2) {
      const inner = '.' + parts[parts.length - 2].toLowerCase();
      if (['.php','.exe','.sh','.bat','.cmd','.ps1','.js','.html','.htm'].includes(inner)) return cb(null, false);
    }
    const ext = path.extname(name).toLowerCase();
    if (ext && !SAFE_EXTS.has(ext)) return cb(null, false);
    cb(null, true);
  },
});

/* ── routes ─────────────────────────────────────────────────────────── */
router.use(authMiddleware);

router.post('/',              requireRole('student', 'free_student'), upload.single('file'), fixUtf8Name, ctrl.submit);
router.get('/my',             requireRole('student', 'free_student'), ctrl.getMySubmissions);
router.get('/log',            requireRole('admin'), ctrl.getSubmissionLog);
router.delete('/log',         requireRole('admin'), ctrl.clearSubmissionLog);
router.get('/',               requireRole('teacher', 'admin'), ctrl.getClassSubmissions);
router.patch('/:id',          requireRole('teacher', 'admin'), ctrl.reviewSubmission);
router.get('/:id/download',   ctrl.downloadSubmission);
router.delete('/:id',         ctrl.deleteSubmission);
router.post('/:id/resubmit', requireRole('student', 'free_student'), upload.single('file'), fixUtf8Name, ctrl.resubmit);

module.exports = router;