letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(documents): defense-in-depth port_id scope + invisible chevron a11y

Browse Source 
- renameFolder/moveFolder UPDATE and deleteFolderSoftRescue DELETE now
  carry an explicit port_id predicate so the write is bounded to the
  same tenancy the pre-fetch verified, defending against future
  refactors that drop or reorder the ownership check.
- FolderRow's collapsed-children chevron is `invisible` for layout
  purposes, but it was still in the tab order with a misleading
  Expand/Collapse aria-label. Add aria-hidden + tabIndex=-1 when no
  children so keyboard users skip it.

Surfaced by post-implementation review (subagent code-review pass).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt
2026-05-10 16:50:02 +02:00
parent ae68e384ca
commit cf8bbf3018
2 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/components/documents/folder-tree-sidebar.tsx
View File

@@ -122,6 +122,8 @@ function FolderRow({
<button
type="button"
aria-label={open ? 'Collapse' : 'Expand'}
aria-hidden={!hasChildren}
tabIndex={hasChildren ? 0 : -1}
onClick={() => setOpen((o) => !o)}
className={cn(
'flex h-5 w-5 items-center justify-center text-muted-foreground hover:text-foreground',