marcel/familienarchiv
1
0
Fork 0
Code Issues 118 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

fix(notifications): guard against null notificationId in dismiss action

Browse Source 
Casting null to string caused PATCH to fire against /api/notifications/null/read
when the field was absent. Added an early-return fail(400) and a test that
submitting an empty form returns 400 without calling the API.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-05-19 23:48:37 +02:00
parent 23439e581a
commit af84ffc379
2 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
frontend/src/routes/aktivitaeten/+page.server.ts
View File

@@ -71,7 +71,8 @@ export async function load({ fetch, url }) {
export const actions = { export const actions = {
'dismiss-notification': async ({ request, fetch }) => { 'dismiss-notification': async ({ request, fetch }) => {
const data = await request.formData(); const data = await request.formData();
const notificationId = data.get('notificationId') as string; const notificationId = data.get('notificationId') as string | null;
if (!notificationId) return fail(400, { error: 'Ungültige Benachrichtigungs-ID' });
const api = createApiClient(fetch); const api = createApiClient(fetch);
const result = await api.PATCH('/api/notifications/{id}/read', { const result = await api.PATCH('/api/notifications/{id}/read', {
params: { path: { id: notificationId } } params: { path: { id: notificationId } }

7
frontend/src/routes/aktivitaeten/page.server.spec.ts
View File

@@ -185,6 +185,13 @@ function makeActionEvent(formData: FormData): any {
} }
describe('aktivitaeten/actions — dismiss-notification', () => { describe('aktivitaeten/actions — dismiss-notification', () => {
it('returns fail(400, { error }) and does NOT call PATCH when notificationId is missing', async () => {
const result = await actions['dismiss-notification'](makeActionEvent(new FormData()));
expect(result).toMatchObject({ status: 400 });
expect(mockApi.PATCH).not.toHaveBeenCalled();
});
it('calls PATCH /api/notifications/{id}/read with the form-supplied notificationId', async () => { it('calls PATCH /api/notifications/{id}/read with the form-supplied notificationId', async () => {
mockApi.PATCH.mockResolvedValue({ response: { ok: true }, data: {} }); mockApi.PATCH.mockResolvedValue({ response: { ok: true }, data: {} });
const fd = new FormData(); const fd = new FormData();