fix(audit): MEDIUMs sweep — mobile More-sheet, portal profile, inline override, dialog UX, ext-EOI gate
R2-M11: mobile More-sheet missing 4 destinations. Added Reservations, Notifications, Residential, Website analytics — anyone using mobile chrome to triage on the go can now reach those domains. R2-M12: portal had no profile / change-password surface. New /portal/profile page with read-only contact details + a ChangePasswordForm component, backed by a new POST /api/portal/auth/change-password endpoint and changePortalPassword() service function. Audits both ok and failure cases at warning severity. Added Profile to PortalNav. R2-M1: portal dashboard "My Memberships" tile had no href and no /portal/memberships route — dead-end on tap. Hidden until a memberships page ships; the count remains in the underlying data. R2-M7: InlineStagePicker never sent override:true so users with interests.override_stage couldn't actually use the perm from the inline chip — they had to fall back to the modal picker. Now the picker auto-detects when a transition isn't legal AND the user has override_stage, sets override:true, and supplies a default reason. Frontend M2: hard-delete-dialog confirm stage now has a "Send a new code" link in case the original expired before the user could enter it. Avoids forcing a full Cancel + reopen. Frontend M4: audit-log-list date-range validation. From > To now shows an inline error and skips the request rather than firing an empty-range query that surfaces "no entries found". R2-M6: external-EOI route now requires interests.edit AND documents.upload_signed (defense-in-depth) — uploading a signed EOI mutates interest state, so the upload-signed perm alone shouldn't let a custom role flip an interest. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
@@ -140,8 +140,12 @@ export function AuditLogList() {
|
||||
if (source !== 'all') params.set('source', source);
|
||||
if (debouncedSearch) params.set('search', debouncedSearch);
|
||||
if (debouncedUserId) params.set('userId', debouncedUserId);
|
||||
if (dateFrom) params.set('dateFrom', new Date(dateFrom).toISOString());
|
||||
if (dateTo) {
|
||||
// Skip the date filters when From > To — the inline warning below
|
||||
// tells the user to fix it; we don't want to fire a request with a
|
||||
// useless empty range either.
|
||||
const datesValid = !(dateFrom && dateTo && dateFrom > dateTo);
|
||||
if (datesValid && dateFrom) params.set('dateFrom', new Date(dateFrom).toISOString());
|
||||
if (datesValid && dateTo) {
|
||||
const end = new Date(dateTo);
|
||||
end.setHours(23, 59, 59, 999);
|
||||
params.set('dateTo', end.toISOString());
|
||||
@@ -207,6 +211,8 @@ export function AuditLogList() {
|
||||
Boolean(dateFrom) ||
|
||||
Boolean(dateTo);
|
||||
|
||||
const dateRangeInvalid = Boolean(dateFrom && dateTo && dateFrom > dateTo);
|
||||
|
||||
const columns: ColumnDef<AuditEntry, unknown>[] = [
|
||||
{
|
||||
accessorKey: 'createdAt',
|
||||
@@ -475,6 +481,12 @@ export function AuditLogList() {
|
||||
) : null}
|
||||
</div>
|
||||
|
||||
{dateRangeInvalid && (
|
||||
<p className="mt-2 text-xs text-destructive">
|
||||
From date must be on or before To date — date filter ignored.
|
||||
</p>
|
||||
)}
|
||||
|
||||
{loadError && !loading && entries.length === 0 ? (
|
||||
<div className="mt-4 rounded-md border border-destructive/30 bg-destructive/5 p-4 text-sm space-y-2">
|
||||
<p className="text-destructive">Couldn’t load audit log: {loadError}</p>
|
||||
|
||||
Reference in New Issue
Block a user