JavaScript-Mastery-Pro · Programmer-Develops · Apr 18, 2026 · Apr 18, 2026 · Apr 18, 2026 · Apr 18, 2026
diff --git a/app/api/assignments/[id]/route.ts b/app/api/assignments/[id]/route.ts
@@ -36,7 +36,7 @@ export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string
     }
 
     const assignment = await Assignment.findOneAndUpdate(
-      { _id: id },
+      { _id: id, teacherId: userId },
       sanitizedBody,
       { new: true }
     )
@@ -63,7 +63,7 @@ export async function DELETE(_req: NextRequest, ctx: { params: Promise<{ id: str
     }
 
     await connectDB()
-    const deleted = await Assignment.findOneAndDelete({ _id: id })
+    const deleted = await Assignment.findOneAndDelete({ _id: id, teacherId: userId })
 
     if (!deleted) {
       return NextResponse.json({ error: 'Not found' }, { status: 404 })

diff --git a/app/api/assignments/route.ts b/app/api/assignments/route.ts
@@ -52,7 +52,7 @@ export async function GET(req: NextRequest) {
     if (error instanceof Error) {
       console.error('GET /api/assignments error:', error.message)
     }
-    return NextResponse.json({ error: error instanceof Error ? error.stack : 'Internal server error' }, { status: 500 })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
   }
 }
 

diff --git a/app/api/grades/[id]/route.ts b/app/api/grades/[id]/route.ts
@@ -15,7 +15,7 @@ export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string
 
     // Validate ObjectId
     if (!mongoose.Types.ObjectId.isValid(id)) {
-      return NextResponse.json({ error: 'Not found' }, { status: 404 })
+      return NextResponse.json({ error: 'Invalid id' }, { status: 400 })
     }
 
     let body
@@ -35,7 +35,7 @@ export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string
 
     await connectDB()
     const grade = await Grade.findOneAndUpdate(
-      { _id: id },
+      { _id: id, teacherId: userId },
       sanitizedBody,
       { new: true }
     )
@@ -56,7 +56,7 @@ export async function DELETE(_req: NextRequest, ctx: { params: Promise<{ id: str
   try {
     const { id } = await ctx.params
     await connectDB()
-    const deleted = await Grade.findOneAndDelete({ _id: id })
+    const deleted = await Grade.findOneAndDelete({ _id: id, teacherId: userId })
 
     if (!deleted) {
       return NextResponse.json({ error: 'Grade not found' }, { status: 404 })

diff --git a/app/api/grades/route.ts b/app/api/grades/route.ts
@@ -70,10 +70,10 @@ export async function POST(req: NextRequest) {
     if (!parsed.success) return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 })
 
     const data = parsed.data
-    const max = data.maxMarks!
+    const max = data.maxMarks ?? 100
     const term = data.term ?? 'Term 1'
 
-    const grade = Grade.findOneAndUpdate(
+    const grade = await Grade.findOneAndUpdate(
       { teacherId: userId, studentId: data.studentId, subject: data.subject, term },
       { $set: { ...data, term, teacherId: userId, grade: calcGrade(data.marks, max) } },
       { upsert: true, new: true }
@@ -83,6 +83,7 @@ export async function POST(req: NextRequest) {
     if (error instanceof Error) {
       console.error('POST /api/grades error:', error.message)
     }
-    return NextResponse.json({ error: error instanceof Error ? error.stack : 'Internal server error' }, { status: 500 })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+
   }
 }
diff --git a/app/api/profile/route.ts b/app/api/profile/route.ts
@@ -3,15 +3,8 @@ import { NextRequest, NextResponse } from 'next/server'
 import { connectDB } from '@/lib/mongodb'
 import { Teacher } from '@/models/Teacher'
 
-export async function GET(req: NextRequest) {
-  const { searchParams } = new URL(req.url)
-  const queryUserId = searchParams.get('userId')
-
-  let userId: string | null = queryUserId
-  if (!userId) {
-    const session = await auth()
-    userId = session.userId
-  }
+export async function GET() {
+  const { userId } = await auth()
   if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
 
   try {

diff --git a/app/api/students/[id]/route.ts b/app/api/students/[id]/route.ts
@@ -35,7 +35,7 @@ export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string
 
     await connectDB()
     const student = await Student.findOneAndUpdate(
-      { _id: id },
+      { _id: id, teacherId: userId },
       sanitizedBody,
       { new: true }
     )
@@ -65,7 +65,7 @@ export async function DELETE(_req: NextRequest, ctx: { params: Promise<{ id: str
     }
 
     await connectDB()
-    const deleted = await Student.findOneAndDelete({ _id: id })
+    const deleted = await Student.findOneAndDelete({ _id: id, teacherId: userId })
 
     if (!deleted) {
       return NextResponse.json({ error: 'Student not found' }, { status: 404 })

diff --git a/app/api/students/route.ts b/app/api/students/route.ts
@@ -92,9 +92,10 @@ export async function POST(req: NextRequest) {
       return NextResponse.json({ error: 'Malformed JSON' }, { status: 400 })
     }
 
-    StudentSchema.safeParse(body)
+    const parsed = StudentSchema.safeParse(body)
+    if (!parsed.success) return NextResponse.json({ error: z.treeifyError(parsed.error) }, { status: 400 })
 
-    const student = await Student.create({ ...(body as Record<string, unknown>), teacherId: userId })
+    const student = await Student.create({ ...parsed.data, teacherId: userId })
     return NextResponse.json(student, { status: 201 })
   } catch (error) {
     if (error instanceof Error) {