Profile fixes: shift signups for coordinators + Firefox edit buttons (#493, #495)#229
Open
peterdrier wants to merge 3 commits intomainfrom
Open
Profile fixes: shift signups for coordinators + Firefox edit buttons (#493, #495)#229peterdrier wants to merge 3 commits intomainfrom
peterdrier wants to merge 3 commits intomainfrom
Conversation
- nobodies-collective#497: Catch OperationCanceledException in ProfileController.Picture and return 499 without logging when the client aborted. - nobodies-collective#499: Drop LogWarning wrapping ValidationException from UserEmailService.AddEmailAsync; user-input validation is expected. - nobodies-collective#500: Drop LogWarning wrapping "cannot delete shift with signups" in ShiftAdminController.DeleteShift; this is an expected guardrail. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Volunteer coordinators viewing another human's profile page now see the ShiftSignups component, so they can review and manage that human's signups without navigating to the admin view. Reuses the same gate as the existing no-show history block (coordinator of any team or a privileged signup approver). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
) The eight inline <script> blocks in Views/Profile/Edit.cshtml were missing nonce="@Context.Items[\"CspNonce\"]" attributes, so the strict script-src CSP set by CspNonceMiddleware blocked them in standards- compliant browsers (Firefox 149 reported by Ysalyne). The "+ Add language" and "+ Add entry" buttons rely on those scripts to wire up their click handlers, which is why the buttons appeared dead while CSS hover/pressed states still worked. The Google Maps loader script even calls m.querySelector("script[nonce]")?.nonce to copy the page nonce onto the dynamically-injected Maps script tag — which only makes sense if the surrounding inline scripts were intended to carry the nonce in the first place. Add it to all eight inline scripts so they execute under the standard CSP policy. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
The preview deployment for humans-qa is ready. 🟢 Open Preview | Open Build Logs | Open Application Logs Last updated at: 2026-04-15 02:32:05 CET |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two profile-related fixes:
Show member shift signups on profile page to Volunteer Coordinators nobodies-collective/Humans#493 — Volunteer coordinators viewing another human's profile now see the ShiftSignups component (previously only visible on the admin detail view). Reuses the existing no-show-history gate (
viewerIsCoordinator || ShiftRoleChecks.IsPrivilegedSignupApprover(User)) so the surface is consistent across both blocks. NewCanViewShiftSignupsflag onProfileViewModelplus an@ifblock inViews/Profile/Index.cshtml.Profile/Edit — language and burner CV add buttons don't respond to clicks (Firefox) nobodies-collective/Humans#495 —
+ Add languageand+ Add entry(burner CV) buttons on/Profile/Me/Editdid nothing on click in Firefox 149. Root cause: every inline<script>block inViews/Profile/Edit.cshtmlwas missing thenonce="@Context.Items[\"CspNonce\"]"attribute, so the strictscript-srcpolicy fromCspNonceMiddlewareblocked them. The Google Maps loader inside the same file already callsm.querySelector(\"script[nonce]\")?.nonceto copy the page nonce onto its dynamically-injected tag — which only makes sense if the surrounding scripts were intended to carry the nonce. Added the nonce attribute to all eight inline scripts. CSS hover/pressed states still rendering was the giveaway: the page DOM was fine, only the JS handlers were dead.Test plan
/Profile/{id}, confirm the ShiftSignups card renders./Profile/{id}/Adminas admin, confirm the existing AdminDetail view still shows signups (untouched)./Profile/Me/Edit, click+ Add languageand+ Add entry, confirm new rows appear and remove buttons work.Closes nobodies-collective#493
Closes nobodies-collective#495
Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com