UI Enhancement for Landing Page and Authentication Pages #293
SadhanaShree25 wants to merge 2 commits into Eswaramuthu:main from
Conversation
@SadhanaShree25 is attempting to deploy a commit to the 007's projects Team on Vercel. A member of the Team first needs to authorize it.
Thanks for creating a PR for your Issue!
| <li><a href="{{ url_for('teacher-dashboard') }}">Dashboard</a></li> | ||
| {% else %} | ||
| <li><a href="{{ url_for('student') }}">Student Login</a></li> | ||
| <li><a href="{{ url_for('teacher') }}">Teacher Login</a></li> |
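Review bot: the endpoint names in this hunk are inconsistent with each other: the login links use url_for('student') and url_for('teacher') while the dashboard link uses url_for('teacher-dashboard'). Flask's url_for() raises BuildError for any name that is not in app.url_map, so run `flask routes`, confirm which names are actually registered, and make the template match them exactly.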
Correctness: Flask's url_for() does not accept hyphens in endpoint names — url_for('student-dashboard') and url_for('teacher-dashboard') will raise a BuildError at runtime. Flask route endpoint names default to the function name (which uses underscores), so these should be url_for('student_dashboard') and url_for('teacher_dashboard') unless the endpoints were explicitly registered with hyphenated names.
🤖 AI Agent Prompt for Cursor/Windsurf
📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue
In templates/base.html at lines 37 and 39, the url_for calls use hyphenated endpoint names ('student-dashboard' and 'teacher-dashboard') which are invalid in Flask and will raise a BuildError at runtime. Replace 'student-dashboard' with 'student_dashboard' and 'teacher-dashboard' with 'teacher_dashboard' to match Flask's underscore-based endpoint naming convention.
| phone_number TEXT, | ||
| password TEXT NOT NULL, | ||
| teacher_gender TEXT, | ||
| teacher_dept TEXT | ||
| teacher_dept TEXT, | ||
| is_approved BOOLEAN DEFAULT 1, | ||
| created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP | ||
| ) | ||
| """) | ||
| """) | ||
|
|
||
| cursor.execute(""" | ||
| # Admin table | ||
| cursor.execute(""" | ||
| CREATE TABLE IF NOT EXISTS admin ( | ||
| admin_name TEXT NOT NULL, | ||
| admin_id TEXT PRIMARY KEY, | ||
| email TEXT UNIQUE NOT NULL, | ||
| password TEXT NOT NULL, | ||
| is_superuser BOOLEAN DEFAULT 0, | ||
| created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP | ||
| ) | ||
| """) | ||
|
|
||
| # Departments table for admin management | ||
| cursor.execute(""" | ||
| CREATE TABLE IF NOT EXISTS departments ( | ||
| id INTEGER PRIMARY KEY AUTOINCREMENT, | ||
| dept_code TEXT UNIQUE NOT NULL, | ||
| dept_name TEXT NOT NULL, | ||
| created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP | ||
| ) | ||
| """) | ||
|
|
||
| # Achievement categories table | ||
| cursor.execute(""" | ||
| CREATE TABLE IF NOT EXISTS achievement_categories ( | ||
| id INTEGER PRIMARY KEY AUTOINCREMENT, | ||
| category_code TEXT UNIQUE NOT NULL, | ||
| category_name TEXT NOT NULL, | ||
| description TEXT, | ||
| created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP | ||
| ) | ||
| """) | ||
|
|
||
| # Achievements table | ||
| cursor.execute(""" | ||
| CREATE TABLE IF NOT EXISTS achievements ( | ||
| id INTEGER PRIMARY KEY AUTOINCREMENT, | ||
| teacher_id TEXT NOT NULL, |
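Review bot: `is_approved BOOLEAN DEFAULT 1` on the teacher table means every newly registered teacher is approved without any admin action, which makes the flag pointless unless registration sets it explicitly; default it to 0 and let the admin flip it. These columns are also being added inside CREATE TABLE IF NOT EXISTS, which is a no-op on a database file that already has the table, so existing deployments will not get is_approved or created_at without an ALTER TABLE migration. Finally, confirm that only password hashes are ever written into the `password TEXT NOT NULL` columns of the teacher and admin tables.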
Correctness: The init_db() function inserts a default super admin with hardcoded credentials (admin@system.com / admin123). If this password is never rotated, it becomes a permanent backdoor into the system with full superuser privileges.
🤖 AI Agent Prompt for Cursor/Windsurf
In app.py, the init_db() function inserts a default superadmin with the hardcoded password 'admin123'. This is a security risk. Fix by: 1) Reading the default admin password from an environment variable (e.g., os.environ.get('ADMIN_DEFAULT_PASSWORD')), 2) Failing loudly (raise or log a warning) if the env var is not set in production, 3) Documenting that this password MUST be changed after first login. The relevant insert is in the section '# Insert default super admin if not exists'.
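The fix the comment describes, as an added example that is not the PR's or the project's code: the admin table is the one declared in this diff and the admin@system.com address is the one named in the review, while the function names, the PBKDF2 hashing and the admin_id value "admin" are assumptions.

```python
import hashlib
import os
import secrets
import sqlite3
from typing import Optional

ENV_VAR = "ADMIN_DEFAULT_PASSWORD"
DEFAULT_ADMIN_EMAIL = "admin@system.com"  # the default named in the review comment

def open_memory_db() -> sqlite3.Connection:
    # In-memory DB with the admin table exactly as declared in this PR's diff.
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE IF NOT EXISTS admin (
        admin_name TEXT NOT NULL, admin_id TEXT PRIMARY KEY,
        email TEXT UNIQUE NOT NULL, password TEXT NOT NULL,
        is_superuser BOOLEAN DEFAULT 0,
        created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP)""")
    return conn

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Salted PBKDF2-HMAC-SHA256 from the stdlib (assumed scheme), stored as "pbkdf2$<salt>$<hash>".
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    recomputed = hash_password(password, bytes.fromhex(salt_hex)).split("$")[2]
    return secrets.compare_digest(recomputed, digest_hex)

def ensure_default_admin(conn: sqlite3.Connection, password: Optional[str] = None) -> bool:
    """Insert the super admin once; returns True if a row was written. The password
    comes from ADMIN_DEFAULT_PASSWORD unless passed explicitly; an unset or empty
    value aborts startup instead of falling back to a known default."""
    if conn.execute("SELECT 1 FROM admin WHERE email = ?", (DEFAULT_ADMIN_EMAIL,)).fetchone():
        return False  # already bootstrapped: never overwrite a rotated password
    password = os.environ.get(ENV_VAR) if password is None else password
    if not password:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to create a default admin")
    conn.execute(
        "INSERT INTO admin (admin_name, admin_id, email, password, is_superuser)"
        " VALUES (?, ?, ?, ?, 1)",
        ("Super Admin", "admin", DEFAULT_ADMIN_EMAIL, hash_password(password)),
    )  # only the salted hash ever reaches the password column
    conn.commit()
    return True

def verify_admin(conn: sqlite3.Connection, email: str, password: str) -> bool:
    row = conn.execute("SELECT password FROM admin WHERE email = ?", (email,)).fetchone()
    return bool(row) and verify_password(password, row[0])
```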
| @app.route("/admin/categories") | ||
| @admin_required | ||
| def admin_categories(): | ||
| """Manage achievement categories""" | ||
| connection = sqlite3.connect(DB_PATH) | ||
| connection.row_factory = sqlite3.Row | ||
| cursor = connection.cursor() | ||
|
|
||
| cursor.execute("SELECT * FROM achievement_categories ORDER BY category_name") | ||
| categories = cursor.fetchall() | ||
|
|
||
| # Get category usage statistics | ||
| cursor.execute(""" | ||
| SELECT c.category_code, c.category_name, | ||
| COUNT(a.id) as achievement_count | ||
| FROM achievement_categories c | ||
| LEFT JOIN achievements a ON c.category_code = a.achievement_type | ||
| GROUP BY c.category_code, c.category_name | ||
| ORDER BY c.category_name | ||
| """) | ||
| category_stats = cursor.fetchall() | ||
|
|
||
| connection.close() | ||
|
|
||
| return render_template( | ||
| "admin_categories.html", | ||
| categories=categories, | ||
| category_stats=category_stats, | ||
| admin_name=session.get("admin_name"), | ||
| is_superuser=session.get("is_superuser", False) | ||
| ) |
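Review bot: connection.close() at the end of admin_categories() is skipped if either cursor.execute() raises, so a failing query leaks the SQLite connection. Wrap the queries in try/finally with connection.close() in the finally block, or use contextlib.closing(sqlite3.connect(DB_PATH)); note that `with sqlite3.connect(...) as connection:` only commits or rolls back and does not close the connection.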
Correctness: The diff adds a duplicate admin_categories() route and function that already exists later in the file (around line 1134 per the conflict detection). Flask will raise "AssertionError: View function mapping is overwriting an existing endpoint function" at startup, crashing the application.
🤖 AI Agent Prompt for Cursor/Windsurf
In app.py, the diff introduces a duplicate definition of the route `/admin/categories` and the function `admin_categories()`. The same route and function already exist in the file. Remove the duplicate block added by the diff (lines 1132–1162) since the original definition already exists further in the file. Flask will fail to start with an AssertionError if two view functions share the same endpoint name.
| // Firebase configuration (Injected from backend if available) | ||
| const firebaseConfig = window.FIREBASE_CONFIG || { | ||
| apiKey: "AIzaSyAxhL77J1VfZJd3rqRyR-AtlPYSnZoXnn4", | ||
| authDomain: "task-mate-90eee.firebaseapp.com", |
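Review bot: removing the fallback is necessary but not sufficient: the apiKey value in this hunk is already in the commit history of this PR, so it stays retrievable after the lines are deleted. Firebase web API keys are designed to ship to browsers, so the real controls are an HTTP referrer restriction on the key in the Google Cloud console and Firebase security rules that do not rely on the key being secret; review both, and rotate the key if it was never restricted.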
Correctness: 🔐 The fallback hardcoded Firebase config (API key, app ID, etc.) is committed to source control — anyone with repo access can extract these credentials. The comment claims config is "injected securely from backend" but the hardcoded fallback completely undermines that guarantee.
🤖 AI Agent Prompt for Cursor/Windsurf
In static/js/firebase-init.js, lines 23-26 (and continuing), the diff introduces a hardcoded Firebase config as a fallback when window.FIREBASE_CONFIG is not available. This exposes real credentials (apiKey, appId, etc.) in source control. Remove the hardcoded fallback entirely and throw an error if window.FIREBASE_CONFIG is not set, so the app fails loudly rather than silently using exposed credentials.
| <button type="button" class="btn-close" data-bs-dismiss="alert"></button> | ||
| </div> | ||
| {% endfor %} | ||
| {% endif %} | ||
| {% endwith %} | ||
|
|
||
| <form method="POST" action="{{ url_for('admin_login') }}"> | ||
| <div class="mb-3"> | ||
| <label for="admin_id" class="form-label">Admin ID</label> | ||
| <input type="text" class="form-control" id="admin_id" name="admin_id" required> |
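Review bot: the `{{ csrf_token() }}` suggested in the review above is only defined in templates once Flask-WTF's CSRFProtect has been initialised on the app (CSRFProtect(app)); without that, the template raises an UndefinedError and nothing validates the token on POST. Initialising CSRFProtect enforces validation on admin_login and every other POST view, so any other POST forms in this PR need the same hidden field.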
Correctness: The login form has no CSRF token, making it vulnerable to cross-site request forgery attacks where an attacker could trick an admin into submitting forged credentials. Add {{ csrf_token() }} or Flask-WTF's {{ form.hidden_tag() }} inside the form.
🤖 AI Agent Prompt for Cursor/Windsurf
In templates/admin_login.html at line 88, the POST form submitting to admin_login has no CSRF protection. Add a hidden CSRF token field inside the form tag (e.g., `<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">`) and ensure the Flask backend validates it on every POST request to prevent CSRF attacks on the admin login endpoint.
| from utils.certificate_parser import parse_certificate_text | ||
|
|
||
|
|
||
| def generate_file_hash(file_path): |
Duplicate Code:
This function generate_file_hash duplicates existing code.
📍 Original Location:
services/certificate_service.py:6-14
Function: generate_file_hash
💡 Recommendation:
Remove services/certificate_service.py from the PR entirely, as it introduces no changes. If the intent was to modify this file, the actual change needs to be included.
Consider importing and reusing the existing function instead of duplicating the logic.
| return sha256.hexdigest() | ||
|
|
||
|
|
||
| def process_certificate(file_path): |
Duplicate Code:
This function process_certificate duplicates existing code.
📍 Original Location:
services/certificate_service.py:17-32
Function: process_certificate
💡 Recommendation:
Remove services/certificate_service.py from this PR. It is not a new file and contains no modifications relative to the existing codebase.
Consider importing and reusing the existing function instead of duplicating the logic.
| * Firebase config is injected securely from backend via window.FIREBASE_CONFIG. | ||
| * | ||
| * Feature Update (#258): | ||
| * Added refreshUserSession() for token management. |
Duplicate Code:
This function refreshUserSession duplicates existing code.
📍 Original Location:
static/js/firebase-init.js:99-116
Function: refreshUserSession
💡 Recommendation:
Remove static/js/firebase-init.js from the PR if no actual change is being made. If a specific feature is being added, isolate only the new or modified code and do not re-submit unchanged functions.
Consider importing and reusing the existing function instead of duplicating the logic.
| if (!toggleButton) return; | ||
|
|
||
| const savedTheme = localStorage.getItem("theme") || "dark"; | ||
| const getPreferredTheme = () => { |
Duplicate Code:
This function getPreferredTheme duplicates existing code.
📍 Original Location:
static/script.js:15-21
Function: getPreferredTheme
💡 Recommendation:
Remove static/script.js from the PR unless actual changes are being made. The PR diff appears to re-submit the entire file without modification.
Consider importing and reusing the existing function instead of duplicating the logic.
| document.body.classList.remove("light-mode"); | ||
| toggleButton.textContent = "🌙"; | ||
| } | ||
| const applyTheme = (theme) => { |
Duplicate Code:
This function applyTheme duplicates existing code.
📍 Original Location:
static/script.js:23-28
Function: applyTheme
💡 Recommendation:
Same as getPreferredTheme — remove static/script.js from the PR if no real changes are being introduced.
Consider importing and reusing the existing function instead of duplicating the logic.
UI Enhancement for Landing Page and Authentication Pages
Description
This PR introduces UI improvements and new pages for the Achievement Management System.
The update focuses on enhancing the user experience by improving the landing page design and adding dedicated authentication pages for students and teachers.
Changes Implemented
Landing Page
Student Login Page
Teacher Login Page
Why This Change?
These updates improve the overall user experience by:
Checklist