* Declare ext-intl and ext-zip as explicit composer requirements
DataExportService uses ZipArchive directly and the Dutch-locale
format_datetime Twig filter needs real ext-intl (the polyfill only
supports en), but composer.json only declared ext-ctype/ext-iconv.
Adding them lets `composer check-platform-reqs` catch a missing
extension before a runtime crash.
* Add authorization checks to PrepareEliminationController
index and viewElimination had no IsGranted guard, unlike every other
backoffice/elimination controller, so any authenticated user could
prepare or overwrite another season's elimination screens.
* Prevent formula injection in spreadsheet exports
Answer/candidate text starting with =, +, -, or @ was written to XLSX
exports as a live formula rather than plain text. Since seasons can
have multiple owners, a co-owner could plant a formula that runs (and
can exfiltrate data) when another owner opens the export in Excel.
* Add rate limiting to login and season-code entry points
Neither /login nor the public season-code guess form (POST /) had
any throttling, making both an unlimited brute-force/enumeration
oracle. Adds symfony/rate-limiter and enables login_throttling on
the main firewall, plus a dedicated per-IP rate limiter on the
season-code form.
* Add unique constraint to prevent double-submit score inflation
A candidate could submit two concurrent POSTs for the same question
before either committed, since GivenAnswer had no unique constraint
and the "next question" check was subject to a TOCTOU race — each
insert was then counted as a correct answer.
* Address CodeRabbit review findings
Include a Retry-After header on the season-code rate limit, correct
stale line references in the security audit doc, and fix a stray
comma in the reset-password email.
* test: expand coverage, dedupe data-driven tests, extract shared WebTestCase base
- Add #[CoversClass] to Base64Test and FilenameSanitizerTest
- Merge near-duplicate test methods into #[DataProvider] cases across
ResetPasswordControllerTest, SettingsControllerTest, ClaimSeasonCommandTest,
FilenameSanitizerTest, Base64Test, and SeasonRepositoryTest
- Add integration tests for previously untested controllers: public
QuizController (quiz-taking flow), LoginController, RegistrationController,
EliminationController, and PrepareEliminationController
- Add unit tests for Elimination and BankQuestion entity logic
- Extract shared WebTestCase setup/helpers (client, entityManager, login,
entity lookups, CSRF token scraping) into AbstractControllerWebTestCase,
removing duplicated boilerplate from all 14 WebTestCase files
* test: address PR review feedback
- Scope AbstractControllerWebTestCase::getCandidate/getQuizByName by
season code (both Candidate and Quiz are only unique per season, not
system-wide) and add a CandidateRepository regression test guarding
against same-named candidates in different seasons
- Add missing entityManager->clear() before verifying DB state after a
POST in PrepareEliminationControllerTest and QuestionBankControllerTest
- Add non-owner denial tests for BackofficeController::exportQuiz and
QuizQuestionController::edit/reorder, which had IsGranted checks with
no test coverage
* ci: publish PHPUnit coverage to GitHub code coverage
- Generate a Cobertura report alongside the existing JUnit report and
upload it with actions/upload-code-coverage so coverage shows up on
PRs and the default branch via GitHub's code coverage feature
- Add a step to copy both reports out of the php container before
publishing them, since var/ is a Docker volume (see the Dockerfile's
VOLUME /app/var/) and isn't bind-mounted to the runner — this also
fixes the existing JUnit report publishing step, which was silently
looking at a path that never had contets on the runner
* ci: fix coverage report paths and tolerate Code Quality not yet enabled
- Write PHPUnit's JUnit and Cobertura reports to reports/ instead of
var/, since var/ is a Docker volume (Dockerfile's VOLUME /app/var/)
that isn't bind-mounted to the runner - reports written there never
reached the host, which is also why the prior junit.xml publish step
had nothing to read. reports/ is a plain path under the project's
bind mount, so no extra copy-out step is needed
- Set fail-on-error: false on the coverage upload step: it 404s until
"Code Quality" is turned on for the repo under Settings > Code
security > Code quality, a one-time manual step