From 67c03dab8c2e383c68e80780b25b49171b863dcb Mon Sep 17 00:00:00 2001
From: Marcel
Date: Wed, 15 Apr 2026 08:00:09 +0200
Subject: [PATCH] feat(search): wire sort to DocumentList; validate sort param allowlist

Co-Authored-By: Claude Sonnet 4.6
---
 frontend/src/routes/+page.server.ts | 9 +++++++--
 frontend/src/routes/+page.svelte | 1 +
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/frontend/src/routes/+page.server.ts b/frontend/src/routes/+page.server.ts
index e68afe0f..def3534f 100644
--- a/frontend/src/routes/+page.server.ts
+++ b/frontend/src/routes/+page.server.ts
@@ -13,7 +13,12 @@ export async function load({ url, fetch }) {
 const senderId = url.searchParams.get('senderId') || '';
 const receiverId = url.searchParams.get('receiverId') || '';
 const tags = url.searchParams.getAll('tag');
- const sort = url.searchParams.get('sort') || 'DATE';
+ const VALID_SORTS = ['DATE', 'TITLE', 'SENDER', 'RECEIVER', 'UPLOAD_DATE'] as const;
+ type ValidSort = (typeof VALID_SORTS)[number];
+ const rawSort = url.searchParams.get('sort') ?? 'DATE';
+ const sort: ValidSort = (VALID_SORTS as readonly string[]).includes(rawSort)
+ ? (rawSort as ValidSort)
+ : 'DATE';
 const dir = url.searchParams.get('dir') || 'desc';
 const tagQ = url.searchParams.get('tagQ') || '';
@@ -35,7 +40,7 @@ export async function load({ url, fetch }) {
 receiverId: receiverId || undefined,
 tag: tags.length ? tags : undefined,
 tagQ: tagQ || undefined,
- sort: sort as 'DATE' | 'TITLE' | 'SENDER' | 'RECEIVER' | 'UPLOAD_DATE',
+ sort,
 dir: dir || undefined
 }
 }
diff --git a/frontend/src/routes/+page.svelte b/frontend/src/routes/+page.svelte
index 5d863fbb..ff5c7ebd 100644
--- a/frontend/src/routes/+page.svelte
+++ b/frontend/src/routes/+page.svelte
@@ -139,6 +139,7 @@ const showRightColumn = $derived(data.canWrite || (data.incompleteDocs?.length ?
 error={data.error}
 total={data.total ?? 0}
 q={q}
+ sort={sort}
 />
 {/if}
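Review bot: The `dir` parameter on the line right after the new allowlist is still read as `url.searchParams.get('dir') || 'desc'`, and the second hunk forwards it as `dir: dir || undefined`, so a caller-controlled ordering value still reaches the backend unchecked. If the API accepts only `asc` and `desc` (not visible here), the same treatment would be `const dir = url.searchParams.get('dir') === 'asc' ? 'asc' : 'desc';`. The allowlist here only shapes what this route sends, so the backend should reject unknown `sort` and `dir` values itself. `VALID_SORTS` and `ValidSort` could also move to module scope so they are not rebuilt on every request. The body of `load` continues outside the hunk.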
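Review bot: The `sort` passed in `sort={sort}` is not defined anywhere in this hunk, and the visible part of `load` does not show the validated value being returned to the page. If the component derives `sort` from the URL on its own, as the neighbouring `q={q}` suggests, `DocumentList` receives the raw query value and can show a sort the server replaced with `'DATE'`. Returning the validated value from `load` and passing `sort={data.sort}` would keep one source of truth. The surrounding markup starts and ends outside the hunk.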