refactor(board): atomic delete + query limit + composable cleanup
Some checks failed
Test / vitest (push) Failing after 7m17s
Test / playwright (push) Has been skipped
Test / visual (push) Has been skipped
Test / Notify on failure (push) Successful in 1s

Delete uses findOneAndDelete with author match (no TOCTOU window);
existence check only runs on miss to distinguish 403 vs 404. Posts
list capped at 200. Drop unused resolveTagChannel and refreshParams;
route slack URL building through the composable's slackUrl helper.
This commit is contained in:
Jennie Robinson Faber 2026-04-15 12:47:53 +01:00
parent d1a1484daf
commit 28040f44f4
7 changed files with 30 additions and 54 deletions

@ -17,6 +17,7 @@ export default defineEventHandler(async (event) => {
const posts = await BoardPost.find(dbQuery)
.sort({ createdAt: -1 })
.limit(200)
.populate('author', 'name avatar circle board.slackHandle')
.lean()
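Review bot: the new `.limit(200)` silently truncates the result set with no way for the client to tell that more posts exist; the commit message says the list is "capped at 200", so either document that cap in the route's response (for example a `truncated` flag or total count) or expose a `limit`/cursor parameter so the client can page, rather than leaving older posts unreachable. The `.sort({ createdAt: -1 })` before the limit means the oldest posts are the ones dropped, which is worth stating where the cap is defined.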

@ -5,16 +5,15 @@ export default defineEventHandler(async (event) => {
const member = await requireAuth(event)
const id = getRouterParam(event, 'id')
const post = await BoardPost.findById(id)
if (!post) {
throw createError({ statusCode: 404, statusMessage: 'Post not found' })
}
const deleted = await BoardPost.findOneAndDelete({ _id: id, author: member._id })
if (post.author.toString() !== member._id.toString()) {
throw createError({ statusCode: 403, statusMessage: 'Not authorized to delete this post' })
if (!deleted) {
const exists = await BoardPost.exists({ _id: id })
throw createError({
statusCode: exists ? 403 : 404,
statusMessage: exists ? 'Not authorized to delete this post' : 'Post not found',
})
}
await post.deleteOne()
return { success: true }
})
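Review bot: the `exists ? 403 : 404` branch deliberately tells a non-author whether a given post id exists; that matches the commit message ("existence check only runs on miss to distinguish 403 vs 404"), and is fine given the list endpoint already returns post ids, but a one-line comment above `BoardPost.exists({ _id: id })` stating that post ids are not treated as secret would stop a later reader from "fixing" it into a uniform 404. The `findOneAndDelete({ _id: id, author: member._id })` correctly removes the read-then-delete window the old `findById` / `post.author.toString()` / `post.deleteOne()` sequence had; the follow-up `exists` query is itself non-atomic, but since it only selects the status code (a post deleted in between yields 404 instead of 403) that is harmless and needs no further guard.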