marcel/familienarchiv
1
0
Fork 0
Code Issues 119 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

fix(notification): replace view-all anchor with button to prevent iframe navigation #552

Merged
marcel merged 5 commits from feat/issue-545-notification-dropdown-iframe-fix into main 2026-05-12 18:56:14 +02:00
Conversation 16 Commits 5 Files Changed 3 +45 -13

5 Commits

Author SHA1 Message Date
Marcel
89860403f6 fix(notification): remove role=link from view-all button — restores semantically honest button role
Some checks failed
CI / Unit & Component Tests (pull_request) Failing after 1m50s
Details
CI / OCR Service Tests (pull_request) Successful in 18s
Details
CI / Backend Unit Tests (pull_request) Successful in 4m12s
Details
CI / fail2ban Regex (pull_request) Successful in 38s
Details
CI / Compose Bucket Idempotency (pull_request) Failing after 10s
Details
CI / Unit & Component Tests (push) Failing after 2m5s
Details
CI / OCR Service Tests (push) Successful in 17s
Details
CI / Backend Unit Tests (push) Successful in 4m14s
Details
CI / fail2ban Regex (push) Successful in 39s
Details
CI / Compose Bucket Idempotency (push) Failing after 12s
Details
nightly / deploy-staging (push) Failing after 2m36s
Details 
The role=link override on a <button> creates a WCAG 4.1.2 keyboard-contract
mismatch: ARIA role=link tells AT users "press Enter to activate (Space does
nothing)", but the native <button> responds to both Enter and Space. Removes
the override so the element is announced as "button" (accurate).

Test selectors updated from getByRole('link') to getByRole('button')
accordingly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-12 18:01:38 +02:00
Marcel
6b78557954 refactor(notification-tests): use vi.mocked instead of type cast in call-order test 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-12 17:50:55 +02:00
Marcel
bc2dd3a98a fix(notification): add role=link and touch target to view-all button
Some checks failed
CI / Backend Unit Tests (push) Successful in 4m15s
Details
CI / fail2ban Regex (push) Successful in 39s
Details
CI / Compose Bucket Idempotency (push) Failing after 11s
Details
CI / OCR Service Tests (pull_request) Successful in 17s
Details
CI / Backend Unit Tests (pull_request) Successful in 4m17s
Details
CI / Unit & Component Tests (push) Failing after 1m48s
Details
CI / OCR Service Tests (push) Successful in 17s
Details
CI / Unit & Component Tests (pull_request) Failing after 2m3s
Details
CI / fail2ban Regex (pull_request) Successful in 40s
Details
CI / Compose Bucket Idempotency (pull_request) Failing after 11s
Details 
- role="link" restores screen reader link semantics (Leonie blocker)
- min-h-[44px] px-1 meets WCAG 2.2 §2.5.8 and our 44×48px target size
- Comment in handleViewAll explains close-before-navigate ordering
- Tests updated to getByRole('link') + new call-order assertion

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-12 17:43:11 +02:00
Marcel
3005782a75 docs(adr-012): correct pattern note to document button+goto, not anchor+preventDefault 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-12 17:43:11 +02:00
Marcel
8ccc9aba1a fix(notification): replace view-all anchor with button to prevent iframe navigation 
SvelteKit's capture-phase link interceptor fires before the component's
onclick handler, so e.preventDefault() was structurally too late to stop
iframe navigation in vitest-browser. Replacing the <a href> with a
<button type="button"> removes the href entirely — the interceptor never
fires — and the existing goto() mock in tests is sufficient.

Also splits the single view-all test into two focused it() blocks and
clears mocks in afterEach to prevent cross-test mock leakage.

Fixes #551

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-12 17:43:11 +02:00