Fix/no review user email in frontend

[PrinceBashangezi]

Context

- JIRA ASPC 83

• Review GET endpoints were returning user_email / populated author.email in responses, allowing any
  authenticated user to see other reviewers' email addresses via browser DevTools
  • Ownership is now determined server-side; the API returns an isOwner: boolean flag instead
  • Anonymous forum reviews no longer expose the author's name in the response at all

Describe your changes

Backend

• CoursesRoutes.ts, InstructorsRoutes.ts: Course review GET endpoints now use .lean(), strip user_email from
  each document, and replace it with isOwner computed from req.session.user.email
• HousingRoutes.ts: Same treatment on both housing review GET endpoints (/:room/reviews and
  /:buildingId/:roomNumber/reviews)
• ForumRoutes.ts: Event review GET endpoint drops email from .populate('author', ...), resolves the current
  user's MongoDB _id from the session, adds isOwner per review, and sets author: null for anonymous reviews so
  the author's name cannot be recovered from the network response
• authMiddleware.ts: Fixes a pre-existing bug in isEventReviewOwner where review.author.toString() !== user._id
  was always true because user._id was never stringified — edit/delete of event reviews was broken for all users

Frontend

• types.ts: Review.user_email → isOwner: boolean, CourseReview.user_email? → isOwner?, EventReview gains
  isOwner: boolean; adds EventReviewAuthor interface (no email field)
• courses/[id]/page.tsx, housing/[id]/[room]/page.tsx, instructors/[id]/page.tsx: Replace user.email ===
  review.user_email comparisons with review.isOwner
• open-forum/[id]/page.tsx: Replace getAuthorId + _id comparison with rating.isOwner; getAuthorDisplay no
  longer accepts or uses email
• dashboard/events/[id]/page.tsx: hasUserReviewed now set via reviews.some(r => r.isOwner) instead of matching
  author.email to user.email

Security model

Ownership checks for PATCH/DELETE (in isCourseReviewOwner, isHousingReviewOwner, isEventReviewOwner) are
unchanged — they compare session data against the database and were never client-influenced. The isOwner flag
in GET responses is for UI only; the backend enforces actual authorization independently.

Testing

No automated tests exist for these routes yet. Manual test plan:

As review owner

• Course review: Edit and Delete buttons appear on your own review; network response contains isOwner: true and
  no user_email field
• Housing review: same as above
• Instructor page: Edit and Delete buttons appear on your own course review
• Event review (open-forum): Edit and Delete buttons appear; event review edit/delete requests succeed (this
  was broken before due to the ObjectId comparison bug)
• Event review (dashboard): "Add new rating" button is hidden after you've submitted a review

As a different user

• Course/housing/instructor reviews: Edit and Delete buttons are hidden; network response contains isOwner:
  false and no user_email field
• Event review edit/delete requests return 403

Anonymous event reviews

• Anonymous review shows "Anonymous Review" in the UI with no author name
• Network response for an anonymous review has author: null — no name recoverable via DevTools
• If you submitted the anonymous review, your own review still shows the "(Your review)" badge and Edit/Delete
  buttons

DevTools check (core regression test)

• Open Network tab, load any reviews page, inspect the JSON response — confirm no user_email, no email field
  anywhere in the review objects

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
pomonastudents	Ready	Preview, Comment	Apr 15, 2026 9:45am

[cjuyematsu]

I think just the isAuthenticated guard is needed, looks good other than that