Bug Summary
In backend/controllers/auth.controller.js, the student signup path validates current_year (checking that it is between 1 and 6) but never includes it in the User.create call. Every student account created through signup will have current_year as undefined in the database, even though the field exists in studentBioSchema and the client submits a value.
Steps to Reproduce
- Send a POST request to the signup endpoint with:
userType: 'student'current_year: 3- Valid values for all other required fields
- The request passes the
current_year validation check (1 <= 3 <= 6)
- Check the created user document in MongoDB
- Observe that
student_bio.current_year is undefined (not stored)
Expected Behavior
The validated current_year value (e.g., 3) should be persisted in student_bio.current_year of the newly created user document. Any feature that reads current_year (such as year-based access controls or academic year calculations) should receive the value the student submitted.
Actual Behavior
The User.create call for student signup builds student_bio as follows:
student_bio: {
gender: req.body.gender || 'male',
enrollment_year: req.body.enrollment_year || new Date().getFullYear(),
course: course_id,
roll_number: req.body.roll_number || null,
avatar: ''
}current_year is absent from this object. Despite passing validation, it is silently discarded. The studentBioSchema defines the field with min: 1, max: 6, so the schema already supports it - it is only the controller that omits it.
Environment
- Backend: Node.js / Express
- File:
backend/controllers/auth.controller.js (student signup branch)
- Model:
backend/models/User.model.js (studentBioSchema.current_year)
Additional Context
The fix is a one-line addition inside User.create:
student_bio: {
gender: req.body.gender || 'male',
enrollment_year: req.body.enrollment_year || new Date().getFullYear(),
current_year: req.body.current_year, // add this line
course: course_id,
roll_number: req.body.roll_number || null,
avatar: ''
}Expected NSOC points: Level 2 (medium complexity - validated input silently dropped at the persistence layer)
Suggested labels: bug, NSOC'26, level2
Checklist:
Bug Summary
In
backend/controllers/auth.controller.js, the student signup path validatescurrent_year(checking that it is between 1 and 6) but never includes it in theUser.createcall. Every student account created through signup will havecurrent_yearasundefinedin the database, even though the field exists instudentBioSchemaand the client submits a value.Steps to Reproduce
userType: 'student'current_year: 3current_yearvalidation check (1 <= 3 <= 6)student_bio.current_yearisundefined(not stored)Expected Behavior
The validated
current_yearvalue (e.g.,3) should be persisted instudent_bio.current_yearof the newly created user document. Any feature that readscurrent_year(such as year-based access controls or academic year calculations) should receive the value the student submitted.Actual Behavior
The
User.createcall for student signup buildsstudent_bioas follows:current_yearis absent from this object. Despite passing validation, it is silently discarded. ThestudentBioSchemadefines the field withmin: 1, max: 6, so the schema already supports it - it is only the controller that omits it.Environment
backend/controllers/auth.controller.js(student signup branch)backend/models/User.model.js(studentBioSchema.current_year)Additional Context
The fix is a one-line addition inside
User.create:Expected NSOC points: Level 2 (medium complexity - validated input silently dropped at the persistence layer)
Suggested labels:
bug,NSOC'26,level2Checklist: