fix(timeline): harden curator event precision field
Some checks failed
CI / Unit & Component Tests (pull_request) Failing after 2m51s
CI / OCR Service Tests (pull_request) Successful in 24s
CI / Backend Unit Tests (pull_request) Successful in 4m35s
CI / fail2ban Regex (pull_request) Successful in 47s
CI / Semgrep Security Scan (pull_request) Successful in 23s
CI / Compose Bucket Idempotency (pull_request) Successful in 1m7s
SDD Gate / RTM Check (pull_request) Successful in 13s
SDD Gate / Contract Validate (pull_request) Successful in 22s
SDD Gate / Constitution Impact (pull_request) Successful in 17s
Some checks failed
CI / Unit & Component Tests (pull_request) Failing after 2m51s
CI / OCR Service Tests (pull_request) Successful in 24s
CI / Backend Unit Tests (pull_request) Successful in 4m35s
CI / fail2ban Regex (pull_request) Successful in 47s
CI / Semgrep Security Scan (pull_request) Successful in 23s
CI / Compose Bucket Idempotency (pull_request) Successful in 1m7s
SDD Gate / RTM Check (pull_request) Successful in 13s
SDD Gate / Contract Validate (pull_request) Successful in 22s
SDD Gate / Constitution Impact (pull_request) Successful in 17s
- Validate the submitted precision against the DatePrecision allow-list in parseEventForm (falls back to DAY) so an untrusted token can't flow into the request body — symmetric with the existing `type` narrowing. - Parameterize the precision input name via DatePrecisionField's new precisionInputName prop; the timeline form now submits `precision` instead of the misleading document-domain `metaDatePrecision`. Document form keeps the default, so its behaviour is unchanged. - Capture EventTypeSelect's onchange into EventForm's `type` state so it no longer goes stale (the submitted value was already correct via the hidden input; this keeps the local state in sync). Addresses PR #832 review (#781). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Marcel
@@ -62,7 +62,7 @@ let selectedDocuments = $state<DocumentOption[]>(
|
||||
event?.documents
|
||||
? event.documents.map((d) => ({
|
||||
// Graceful degradation: DocumentRef has no precision fields. formatDocumentOption
|
||||
// falls back to the bare title when documentDate is the only date info present.
|
||||
// defaults a missing precision to DAY, so the chip shows the full documentDate.
|
||||
id: d.id,
|
||||
title: d.title,
|
||||
documentDate: d.documentDate
|
||||
@@ -196,7 +196,10 @@ async function confirmDelete(e: SubmitEvent) {
|
||||
<span class="mb-1 block text-sm font-medium text-ink-2"
|
||||
>{m.event_editor_type_label()}</span
|
||||
>
|
||||
<EventTypeSelect value={type} name="type" onchange={() => markDirty()} />
|
||||
<EventTypeSelect value={type} name="type" onchange={(t) => {
|
||||
type = t;
|
||||
markDirty();
|
||||
}} />
|
||||
</div>
|
||||
|
||||
<div class="grid grid-cols-1 gap-5 md:grid-cols-2">
|
||||
@@ -206,6 +209,7 @@ async function confirmDelete(e: SubmitEvent) {
|
||||
bind:endDateIso={endDateIso}
|
||||
dateInputName="eventDate"
|
||||
endDateInputName="eventDateEnd"
|
||||
precisionInputName="precision"
|
||||
dateLabel={m.form_label_date()}
|
||||
dateTestId="event-date"
|
||||
precisionTestId="event-precision"
|
||||
|
||||
Reference in New Issue
Block a user