Add server-side validation for hacker required screening questions

- Update validate_hackathon_data to accept and validate hacker_required_questions in constraints
- Add server-side validation of required question answers in create_or_update_volunteer for hacker applications

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: gregv

common/utils/validators.py

@@ -101,7 +101,21 @@ def validate_hackathon_data(data):
     if not all(isinstance(constraints.get(k), int) for k in ["max_people_per_team", "max_teams_per_problem", "min_people_per_team"]):
         raise ValueError("Constraints must be integers")
 
-    # Add more specific validations as needed
+    # Validate hacker_required_questions if present
+    hacker_required_questions = constraints.get("hacker_required_questions", {})
+    if hacker_required_questions:
+        questions = hacker_required_questions.get("questions", [])
+        if not isinstance(questions, list):
+            raise ValueError("hacker_required_questions.questions must be a list")
+        for i, q in enumerate(questions):
+            if not isinstance(q, dict):
+                raise ValueError(f"Question {i} must be an object")
+            if not isinstance(q.get("question"), str) or not q.get("question"):
+                raise ValueError(f"Question {i} must have a non-empty 'question' string")
+            if not isinstance(q.get("required_answer"), bool):
+                raise ValueError(f"Question {i} must have a boolean 'required_answer'")
+            if not isinstance(q.get("error"), str) or not q.get("error"):
+                raise ValueError(f"Question {i} must have a non-empty 'error' string")
 
 if __name__ == "__main__":
     # Simple tests

services/volunteers_service.py

@@ -720,7 +720,32 @@ def create_or_update_volunteer(
         if not verify_recaptcha(recaptcha_token):
             warning(logger, "reCAPTCHA verification failed", email=email)
             return {"error": "reCAPTCHA verification failed"}
-    
+
+    # Validate required question answers for hacker applications
+    if volunteer_data.get('volunteer_type') == 'hacker':
+        submitted_answers = volunteer_data.get('requiredQuestionAnswers', [])
+        if submitted_answers:
+            try:
+                db_temp = get_db()
+                hackathon_docs = db_temp.collection('hackathons').where('event_id', '==', event_id).limit(1).stream()
+                hackathon_data = None
+                for doc in hackathon_docs:
+                    hackathon_data = doc.to_dict()
+                    break
+
+                if hackathon_data:
+                    questions = hackathon_data.get('constraints', {}).get('hacker_required_questions', {}).get('questions', [])
+                    if questions:
+                        if len(submitted_answers) != len(questions):
+                            warning(logger, "Required question answer count mismatch", email=email, event_id=event_id)
+                            return {"error": "Required question answers do not match the expected number of questions"}
+                        for i, q in enumerate(questions):
+                            if i >= len(submitted_answers) or submitted_answers[i] != q.get('required_answer'):
+                                warning(logger, "Required question answer incorrect", email=email, event_id=event_id, question_index=i)
+                                return {"error": q.get('error', 'You do not meet the eligibility requirements for this event.')}
+            except Exception as e:
+                exception(logger, "Error validating required questions", exc_info=e, email=email, event_id=event_id)
+
     db = get_db()
     volunteer_type = volunteer_data.get('volunteer_type')