From 600c3c54026c7efe5f757332a74cb8898046fce6 Mon Sep 17 00:00:00 2001
From: dconstancy
Date: Wed, 17 Jun 2026 12:28:49 +0200
Subject: [PATCH 1/4] fix: allow organizers to hard-delete soft-deleted submissions Add a delete button visible to organizers on soft-deleted submissions, and guard against None data in delete/soft_delete methods.
---
 src/apps/competitions/models.py | 16 +++++++++-------
 .../competitions/detail/submission_manager.tag | 11 +++++++++--
 2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/src/apps/competitions/models.py b/src/apps/competitions/models.py
index 87b0b5513..6c994a1de 100644
--- a/src/apps/competitions/models.py
+++ b/src/apps/competitions/models.py
@@ -536,9 +536,10 @@ def soft_delete(self):
 detail.delete() # Remove record from DB
 # Clear the data field if no other submissions are using it
- other_submissions_using_data = Submission.objects.filter(data=self.data).exclude(pk=self.pk).exists()
- if not other_submissions_using_data:
- self.data.delete()
+ if self.data:
+ other_submissions_using_data = Submission.objects.filter(data=self.data).exclude(pk=self.pk).exists()
+ if not other_submissions_using_data:
+ self.data.delete()
 # Clear the data field for this submission
 self.data = None
@@ -554,11 +555,12 @@ def soft_delete(self):
 def delete(self, **kwargs):
 # Check if any other submissions are using the same data
- other_submissions_using_data = Submission.objects.filter(data=self.data).exclude(pk=self.pk).exists()
+ if self.data:
+ other_submissions_using_data = Submission.objects.filter(data=self.data).exclude(pk=self.pk).exists()
- if not other_submissions_using_data:
- # If no other submissions are using the same data, delete it
- self.data.delete()
+ if not other_submissions_using_data:
+ # If no other submissions are using the same data, delete it
+ self.data.delete()
 # Also clean up details on delete
 self.details.all().delete()
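Review bot: The `exists()` check and the `self.data.delete()` that follows it inside the new `if self.data:` guard in soft_delete() are still two separate steps, and the same pair appears in delete() in the next hunk. If two submissions sharing one data record are removed at about the same time, each can see the other and skip the delete, which would leave the uploaded data behind after both owners expect it gone; this is inferred from the visible lines, not reproduced. Consider running the check and the delete inside `with transaction.atomic():` with the sibling rows locked through `select_for_update()`, or record the orphan case in a comment and cover it with a periodic cleanup. Both function bodies continue outside the hunks.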
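Review bot: Nothing in the visible part of `delete()` checks who is asking, so the organizer-only rule from the commit message rests entirely on the caller; showing or hiding a button in submission_manager.tag is not an access control. The view or API endpoint that reaches this method is not part of this patch, so please confirm it rejects hard-delete requests for soft-deleted submissions from non-organizers on the server side, and add a test that a participant gets a 403 there. A comment above the new guard such as `# data is None once soft_delete() has run` would also explain why the check is needed. The body of delete() continues outside the hunk.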
diff --git a/src/static/riot/competitions/detail/submission_manager.tag b/src/static/riot/competitions/detail/submission_manager.tag
index 441a6cf52..3f41a69eb 100644
--- a/src/static/riot/competitions/detail/submission_manager.tag
+++ b/src/static/riot/competitions/detail/submission_manager.tag
@@ -123,8 +123,15 @@ - - + + + + + + + +
From a735bd940104996a04c25862bf4e2af2ebde2745 Mon Sep 17 00:00:00 2001
From: pyxelr
Date: Tue, 23 Jun 2026 12:12:14 +0200
Subject: [PATCH 2/4] Remove duplicate CommonMiddleware from MIDDLEWARE django.middleware.common.CommonMiddleware was listed twice in the MIDDLEWARE tuple. Symptoms when the chain runs twice: * For users whose django_session.session_data row cannot be verified by signing.loads (e.g. after a SECRET_KEY rotation), the second pass of CommonMiddleware.process_response runs against responses for which the session/messages state ends up half-initialised, surfacing as a generic 500 page with no traceback on every 404 path, every APPEND_SLASH 301, and assets like /favicon.ico. With-slash URLs that match a real view return 200 because the corruption is silently swallowed (decode -> {}). * Content-Length is computed twice on every response. Removing the duplicate restores the standard middleware behaviour: a corrupted session decodes to {} once, the user is treated as anonymous, and 404/redirect responses are returned normally.
---
 src/settings/base.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/settings/base.py b/src/settings/base.py
index 47c76ad6b..b4e57ae45 100644
--- a/src/settings/base.py
+++ b/src/settings/base.py
@@ -92,7 +92,6 @@
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 # 'corsheaders.middleware.CorsMiddleware', # BB
- 'django.middleware.common.CommonMiddleware',
 'middleware.BlockBannedUsersMiddleware'
 )
From ff898726a6a5e3947c83e553c4697d3e3c5d405f Mon Sep 17 00:00:00 2001
From: Wallun
Date: Tue, 23 Jun 2026 15:43:34 +0200
Subject: [PATCH 3/4] refactor(login): sanitize failed login error message prevents leaking the fact a user exists when entered password is invalid Closes #2437
---
 src/apps/profiles/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/apps/profiles/views.py b/src/apps/profiles/views.py
index 81c8dc1de..161fd5ffe 100644
--- a/src/apps/profiles/views.py
+++ b/src/apps/profiles/views.py
@@ -290,7 +290,7 @@ def log_in(request):
 try:
 user = User.objects.get((Q(username=username) | Q(email=username)) & Q(is_deleted=False))
 except User.DoesNotExist:
- messages.error(request, "User does not exist!")
+ messages.error(request, "Invalid login/password")
 else:
 # Authenticate user with credentials
 user = authenticate(username=username, password=password)
@@ -307,7 +307,7 @@ def log_in(request):
 else:
 context['activation_error'] = "Your account is not activated. Please check your email for the activation link"
 else:
- messages.error(request, "Wrong Credentials!")
+ messages.error(request, "Invalid login/password")
 else:
 context['form'] = form
From 65f7f09c59049546afc6eef9b968c1c44fa49839 Mon Sep 17 00:00:00 2001
From: Obada Haddad
Date: Wed, 24 Jun 2026 14:21:56 +0200
Subject: [PATCH 4/4] quick documentation fix
---
 documentation/zensical.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/documentation/zensical.toml b/documentation/zensical.toml
index e5f38ff24..1e9c42188 100644
--- a/documentation/zensical.toml
+++ b/documentation/zensical.toml
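Review bot: In log_in (src/apps/profiles/views.py, first hunk) the `except User.DoesNotExist:` branch still reports failure without ever reaching `authenticate()`, so no password hash is computed for an unknown name and the response is likely faster than for a real account with a wrong password; matching the message text does not close that channel. Calling `authenticate(username=username, password=password)` on both paths would even out the work, assuming Django's stock ModelBackend, which runs the hasher for unknown usernames. Separately, the `get()` over `Q(username=username) | Q(email=username)` only handles `DoesNotExist`; if one account's username can equal another's email it would raise `MultipleObjectsReturned` and surface as a different response, so catch it and emit the same message. The body of log_in starts and ends outside the hunk.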
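Review bot: The "Your account is not activated" branch kept as context in the second views.py hunk still tells the requester that the account exists, so the enumeration fix is only complete if that branch is reachable solely after a correct password. The condition guarding it lies outside the hunk; please confirm it is evaluated on the user returned by `authenticate()` and not on the row fetched by the earlier `get()`. The two identical literals would also be safer as one module constant, e.g. `LOGIN_FAILED_MSG = "Invalid login/password"`, so the branches cannot drift apart again.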
@@ -39,6 +39,7 @@ nav = [
 ]}
 ]},
 {"Developers" = [
+ {"Codabench Basic Installation Guide" = "Developers_and_Administrators/Codabench-Installation.md"},
 {"Codabench Docker Architecture" = "Developers_and_Administrators/Codabench-Architecture.md"},
 {"Submission Docker Container Layout" = "Developers_and_Administrators/Submission-Docker-Container-Layout.md"},
 {"Submission Process Overview" = "Developers_and_Administrators/Submission-Process-Overview.md"},
@@ -49,7 +50,6 @@ nav = [
 ]},
 {"Self-Hosters" = [
- {"Codabench Basic Installation Guide" = "Developers_and_Administrators/Codabench-Installation.md"},
 {"How to Deploy a Server" = "Developers_and_Administrators/How-to-deploy-Codabench-on-your-server.md"},
 {"Administrative Procedures" = "Developers_and_Administrators/Administrator-procedures.md"},
 {"Backups - Automating Creation and Restoring" = "Developers_and_Administrators/Creating-and-Restoring-from-Backup.md"},