From 28040f44f41a5cae5168ea5ff74181621435530b Mon Sep 17 00:00:00 2001
From: Jennie Robinson Faber <jennie@jenniefaber.com>
Date: Wed, 15 Apr 2026 12:47:53 +0100
Subject: [PATCH] refactor(board): atomic delete + query limit + composable
 cleanup

Delete uses findOneAndDelete with author match (no TOCTOU window);
existence check only runs on miss to distinguish 403 vs 404. Posts
list capped at 200. Drop unused resolveTagChannel and refreshParams;
route slack URL building through the composable's slackUrl helper.
---
 app/components/BoardPostCard.vue      |  4 +++-
 app/composables/useBoardChannels.js   | 14 -------------
 app/composables/useBoardPosts.js      | 16 ++++++---------
 app/pages/board.vue                   |  5 -----
 server/api/board/posts.get.js         |  1 +
 server/api/board/posts/[id].delete.js | 15 +++++++-------
 tests/server/api/board-posts.test.js  | 29 ++++++++++++---------------
 7 files changed, 30 insertions(+), 54 deletions(-)

diff --git a/app/components/BoardPostCard.vue b/app/components/BoardPostCard.vue
index 5f00f3f..ff6e9d4 100644
--- a/app/components/BoardPostCard.vue
+++ b/app/components/BoardPostCard.vue
@@ -86,6 +86,8 @@ const props = defineProps({
 
 defineEmits(['edit', 'delete', 'confirm-delete', 'cancel-delete'])
 
+const { slackUrl } = useBoardChannels()
+
 const capitalizeAvatar = (str) => {
   if (str.toLowerCase() === 'wtf') return 'WTF'
   return str
@@ -148,7 +150,7 @@ const slackLinks = computed(() => {
     .map((c) => ({
       id: c.slackChannelId,
       name: c.slackChannelName || c.name || c.slackChannelId,
-      url: `https://gammaspace.slack.com/archives/${c.slackChannelId}`,
+      url: slackUrl(c.slackChannelId),
     }))
 })
 </script>
diff --git a/app/composables/useBoardChannels.js b/app/composables/useBoardChannels.js
index d499b77..03eb872 100644
--- a/app/composables/useBoardChannels.js
+++ b/app/composables/useBoardChannels.js
@@ -1,7 +1,3 @@
-/**
- * Board Channels Composable
- * Shared state + helpers for mapping board tags to Slack channels.
- */
 export function useBoardChannels() {
   const channels = useState('board.channels', () => [])
 
@@ -11,15 +7,6 @@ export function useBoardChannels() {
     return channels.value
   }
 
-  function resolveTagChannel(tagSlugs = []) {
-    if (!tagSlugs?.length) return null
-    return (
-      channels.value.find((channel) =>
-        (channel.tagSlugs || []).some((slug) => tagSlugs.includes(slug))
-      ) || null
-    )
-  }
-
   function slackUrl(channelId) {
     return `https://gammaspace.slack.com/archives/${channelId}`
   }
@@ -27,7 +14,6 @@ export function useBoardChannels() {
   return {
     channels: readonly(channels),
     fetchChannels,
-    resolveTagChannel,
     slackUrl,
   }
 }
diff --git a/app/composables/useBoardPosts.js b/app/composables/useBoardPosts.js
index 3f0b0d9..987d6c8 100644
--- a/app/composables/useBoardPosts.js
+++ b/app/composables/useBoardPosts.js
@@ -1,7 +1,3 @@
-/**
- * Board Posts Composable
- * Shared state + CRUD for board posts.
- */
 export function useBoardPosts() {
   const posts = useState('board.posts', () => [])
   const loading = useState('board.loading', () => false)
@@ -17,29 +13,29 @@ export function useBoardPosts() {
     }
   }
 
-  async function createPost(body, refreshParams = {}) {
+  async function createPost(body) {
     const created = await $fetch('/api/board/posts', {
       method: 'POST',
       body,
     })
-    await fetchPosts(refreshParams)
+    await fetchPosts()
     return created
   }
 
-  async function updatePost(id, body, refreshParams = {}) {
+  async function updatePost(id, body) {
     const updated = await $fetch(`/api/board/posts/${id}`, {
       method: 'PATCH',
       body,
     })
-    await fetchPosts(refreshParams)
+    await fetchPosts()
     return updated
   }
 
-  async function deletePost(id, refreshParams = {}) {
+  async function deletePost(id) {
     const result = await $fetch(`/api/board/posts/${id}`, {
       method: 'DELETE',
     })
-    await fetchPosts(refreshParams)
+    await fetchPosts()
     return result
   }
 
diff --git a/app/pages/board.vue b/app/pages/board.vue
index 460c78b..6ee1af3 100644
--- a/app/pages/board.vue
+++ b/app/pages/board.vue
@@ -1,13 +1,11 @@
 <template>
   <PageShell title="Bulletin Board" :subtitle="pageSubtitle">
-    <!-- Action bar -->
     <div class="action-bar">
       <button type="button" class="new-post-btn" @click="openNewForm">
         + New Post
       </button>
     </div>
 
-    <!-- Tags Drawer Toggle -->
     <div v-if="cooperativeTags.length > 0" class="tags-drawer-toggle">
       <button type="button" class="drawer-btn" @click="showTagsDrawer = !showTagsDrawer">
         Tags...
@@ -15,7 +13,6 @@
       </button>
     </div>
 
-    <!-- Tags Drawer -->
     <div v-if="showTagsDrawer && cooperativeTags.length > 0" class="tags-drawer">
       <div class="skills-bar">
         <span class="tag-label">Filter:</span>
@@ -40,7 +37,6 @@
       </div>
     </div>
 
-    <!-- Inline form -->
     <div v-if="showForm" class="form-wrapper">
       <BoardPostForm
         :post="editingPost"
@@ -50,7 +46,6 @@
       />
     </div>
 
-    <!-- Content -->
     <ClientOnly>
       <div v-if="loading" class="loading-state">
         <p>Loading board...</p>
diff --git a/server/api/board/posts.get.js b/server/api/board/posts.get.js
index f170df4..9199312 100644
--- a/server/api/board/posts.get.js
+++ b/server/api/board/posts.get.js
@@ -17,6 +17,7 @@ export default defineEventHandler(async (event) => {
 
   const posts = await BoardPost.find(dbQuery)
     .sort({ createdAt: -1 })
+    .limit(200)
     .populate('author', 'name avatar circle board.slackHandle')
     .lean()
 
diff --git a/server/api/board/posts/[id].delete.js b/server/api/board/posts/[id].delete.js
index cb810ef..71a23d5 100644
--- a/server/api/board/posts/[id].delete.js
+++ b/server/api/board/posts/[id].delete.js
@@ -5,16 +5,15 @@ export default defineEventHandler(async (event) => {
   const member = await requireAuth(event)
   const id = getRouterParam(event, 'id')
 
-  const post = await BoardPost.findById(id)
-  if (!post) {
-    throw createError({ statusCode: 404, statusMessage: 'Post not found' })
-  }
+  const deleted = await BoardPost.findOneAndDelete({ _id: id, author: member._id })
 
-  if (post.author.toString() !== member._id.toString()) {
-    throw createError({ statusCode: 403, statusMessage: 'Not authorized to delete this post' })
+  if (!deleted) {
+    const exists = await BoardPost.exists({ _id: id })
+    throw createError({
+      statusCode: exists ? 403 : 404,
+      statusMessage: exists ? 'Not authorized to delete this post' : 'Post not found',
+    })
   }
 
-  await post.deleteOne()
-
   return { success: true }
 })
diff --git a/tests/server/api/board-posts.test.js b/tests/server/api/board-posts.test.js
index fc42b96..bcf2d0c 100644
--- a/tests/server/api/board-posts.test.js
+++ b/tests/server/api/board-posts.test.js
@@ -4,9 +4,11 @@ import { setResponseStatus } from 'h3'
 vi.stubGlobal('setResponseStatus', setResponseStatus)
 
 // --- Mocks ---
-const { mockFind, mockFindById, mockSaveInstance } = vi.hoisted(() => ({
+const { mockFind, mockFindById, mockFindOneAndDelete, mockExists, mockSaveInstance } = vi.hoisted(() => ({
   mockFind: vi.fn(),
   mockFindById: vi.fn(),
+  mockFindOneAndDelete: vi.fn(),
+  mockExists: vi.fn(),
   mockSaveInstance: vi.fn(),
 }))
 
@@ -25,6 +27,8 @@ vi.mock('../../../server/models/boardPost.js', () => {
   }
   BoardPost.find = mockFind
   BoardPost.findById = mockFindById
+  BoardPost.findOneAndDelete = mockFindOneAndDelete
+  BoardPost.exists = mockExists
   return { default: BoardPost }
 })
 
@@ -63,6 +67,7 @@ const MEMBER_ID = 'member-abc'
 function buildFindChain(result) {
   const chain = {
     sort: vi.fn().mockReturnThis(),
+    limit: vi.fn().mockReturnThis(),
     populate: vi.fn().mockReturnThis(),
     lean: vi.fn().mockResolvedValue(result),
   }
@@ -276,39 +281,31 @@ describe('DELETE /api/board/posts/[id]', () => {
   })
 
   it('deletes own post', async () => {
-    const deleteOne = vi.fn().mockResolvedValue({})
-    mockFindById.mockResolvedValue({
-      _id: 'post-1',
-      author: { toString: () => MEMBER_ID },
-      deleteOne,
-    })
+    mockFindOneAndDelete.mockResolvedValue({ _id: 'post-1' })
 
     const event = createMockEvent({ method: 'DELETE', path: '/api/board/posts/post-1' })
     event.context = { params: { id: 'post-1' } }
 
     const result = await deleteHandler(event)
 
-    expect(deleteOne).toHaveBeenCalled()
+    expect(mockFindOneAndDelete).toHaveBeenCalledWith({ _id: 'post-1', author: MEMBER_ID })
     expect(result).toEqual({ success: true })
   })
 
   it('rejects deleting another members post with 403', async () => {
-    const deleteOne = vi.fn()
-    mockFindById.mockResolvedValue({
-      _id: 'post-1',
-      author: { toString: () => 'someone-else' },
-      deleteOne,
-    })
+    mockFindOneAndDelete.mockResolvedValue(null)
+    mockExists.mockResolvedValue({ _id: 'post-1' })
 
     const event = createMockEvent({ method: 'DELETE', path: '/api/board/posts/post-1' })
     event.context = { params: { id: 'post-1' } }
 
     await expect(deleteHandler(event)).rejects.toMatchObject({ statusCode: 403 })
-    expect(deleteOne).not.toHaveBeenCalled()
   })
 
   it('returns 404 when post not found', async () => {
-    mockFindById.mockResolvedValue(null)
+    mockFindOneAndDelete.mockResolvedValue(null)
+    mockExists.mockResolvedValue(null)
+
     const event = createMockEvent({ method: 'DELETE', path: '/api/board/posts/missing' })
     event.context = { params: { id: 'missing' } }