fix(audit): MEDIUMs sweep — mobile More-sheet, portal profile, inline override, dialog UX, ext-EOI gate

R2-M11: mobile More-sheet missing 4 destinations. Added Reservations, Notifications, Residential, Website analytics — anyone using mobile chrome to triage on the go can now reach those domains. R2-M12: portal had no profile / change-password surface. New /portal/profile page with read-only contact details + a ChangePasswordForm component, backed by a new POST /api/portal/auth/change-password endpoint and changePortalPassword() service function. Audits both ok and failure cases at warning severity. Added Profile to PortalNav. R2-M1: portal dashboard "My Memberships" tile had no href and no /portal/memberships route — dead-end on tap. Hidden until a memberships page ships; the count remains in the underlying data. R2-M7: InlineStagePicker never sent override:true so users with interests.override_stage couldn't actually use the perm from the inline chip — they had to fall back to the modal picker. Now the picker auto-detects when a transition isn't legal AND the user has override_stage, sets override:true, and supplies a default reason. Frontend M2: hard-delete-dialog confirm stage now has a "Send a new code" link in case the original expired before the user could enter it. Avoids forcing a full Cancel + reopen. Frontend M4: audit-log-list date-range validation. From > To now shows an inline error and skips the request rather than firing an empty-range query that surfaces "no entries found". R2-M6: external-EOI route now requires interests.edit AND documents.upload_signed (defense-in-depth) — uploading a signed EOI mutates interest state, so the upload-signed perm alone shouldn't let a custom role flip an interest. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:38:59 +02:00
parent da7ede71d6
commit b4fb3b2ca6
11 changed files with 303 additions and 18 deletions
--- a/src/app/(portal)/portal/dashboard/page.tsx
+++ b/src/app/(portal)/portal/dashboard/page.tsx
@@ -1,5 +1,5 @@
 import { redirect } from 'next/navigation';
-import { Anchor, FileText, Receipt, Sailboat, Building2, CalendarCheck } from 'lucide-react';
+import { Anchor, FileText, Receipt, Sailboat, CalendarCheck } from 'lucide-react';
 import type { Metadata } from 'next';

 import { getPortalSession } from '@/lib/portal/auth';
@@ -55,12 +55,9 @@ export default async function PortalDashboardPage() {
          icon={Sailboat}
          href="/portal/my-yachts"
        />
-        <PortalCard
-          title="My Memberships"
-          value={dashboard.counts.memberships}
-          description="Companies where you hold an active role"
-          icon={Building2}
-        />
+        {/* My Memberships tile was a dead-end (no href, no /portal/memberships
+            route). Hidden until a memberships page ships. The count is still
+            available in the underlying dashboard data when needed. */}
        <PortalCard
          title="My Active Reservations"
          value={dashboard.counts.activeReservations}
--- a/src/app/(portal)/portal/profile/page.tsx
+++ b/src/app/(portal)/portal/profile/page.tsx
@@ -0,0 +1,42 @@
+import { redirect } from 'next/navigation';
+import type { Metadata } from 'next';
+
+import { getPortalSession } from '@/lib/portal/auth';
+import { ChangePasswordForm } from '@/components/portal/change-password-form';
+
+export const metadata: Metadata = { title: 'Profile' };
+
+export default async function PortalProfilePage() {
+  const session = await getPortalSession();
+  if (!session) redirect('/portal/login');
+
+  return (
+    <div className="space-y-6">
+      <div>
+        <h1 className="text-2xl font-semibold text-gray-900">Profile</h1>
+        <p className="text-sm text-gray-500 mt-1">
+          Read-only contact details and self-service password change.
+        </p>
+      </div>
+
+      <div className="bg-white rounded-lg border p-6 space-y-2 text-sm">
+        <div className="flex items-baseline justify-between">
+          <span className="text-gray-500">Email</span>
+          <span className="font-medium">{session.email}</span>
+        </div>
+        <p className="text-xs text-gray-400 pt-1">
+          To update name, phone, or address, please contact your port team — they keep the records
+          authoritative.
+        </p>
+      </div>
+
+      <div className="bg-white rounded-lg border p-6">
+        <h2 className="text-base font-semibold text-gray-900 mb-1">Change password</h2>
+        <p className="text-sm text-gray-500 mb-4">
+          You&rsquo;ll need your current password to confirm.
+        </p>
+        <ChangePasswordForm />
+      </div>
+    </div>
+  );
+}