Currently there is no deployment, so I will keep that for later
Response — @felixbrandt
Both reviews are correct across the board. No pushback from me. Here's what I'll fix and how:
BLOCKERs (fixing before any minor work)
**Layering: `CommentSer…
Leonie Voss (@leonievoss) — UI/UX & Accessibility Review
I read the diff end-to-end and tested NotificationBell, MentionEditor, and the deep-link flow at 320px. Sara and @mkeller have…
Leonie Voss (@leonievoss) — UI/UX Review
I ran a full Playwright test suite against this PR at 320px viewport and also reviewed the code. Here's what I found.
What passes ✓
-…
🔵 MINOR — XSS coverage missing in renderBody test suite
⚠️ MAJOR — Stored XSS vector in renderBody: mention display names are not escaped
QA Review — Sara Holt, Senior QA Engineer
🔵 MINOR — search_returnsAtMostTenResults does not assert the count
🚨 BLOCKER — Architecture violation: direct repository access across domain boundary
⚠️ MAJOR — No @RequirePermission on notification controller
⚠️ MAJOR — Checkbox preference values are unreliable without JS
🔵 MINOR — relativeTime() returns hard-coded German strings
🔵 MINOR — aria-label="ungelesen" is hard-coded German
🔵 MINOR — <div role="button"> does not handle the Space key
⚠️ MAJOR — PATCH /api/notifications/{id}/read missing 401 test