From 3cd71ed915fb63f28620923317557180cb9f74b8 Mon Sep 17 00:00:00 2001
From: Peter Drier <peter.drier@gmail.com>
Date: Wed, 15 Apr 2026 04:25:20 +0200
Subject: [PATCH 1/2] Show shift signups on profile to coordinators (#493)

Volunteer coordinators viewing another human's profile page now see
the ShiftSignups component, so they can review and manage that human's
signups without navigating to the admin view. Reuses the same gate as
the existing no-show history block (coordinator of any team or a
privileged signup approver).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/Humans.Web/Controllers/ProfileController.cs | 4 +++-
 src/Humans.Web/Models/ProfileViewModel.cs       | 6 ++++++
 src/Humans.Web/Views/Profile/Index.cshtml       | 5 +++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/Humans.Web/Controllers/ProfileController.cs b/src/Humans.Web/Controllers/ProfileController.cs
index b64341201..7c18a808e 100644
--- a/src/Humans.Web/Controllers/ProfileController.cs
+++ b/src/Humans.Web/Controllers/ProfileController.cs
@@ -1009,10 +1009,11 @@ public async Task<IActionResult> ViewProfile(Guid id, CancellationToken ct)
 
         // Load no-show history for coordinators/NoInfoAdmin/Admin viewing other profiles
         List<NoShowHistoryItem>? noShowHistory = null;
+        var viewerCanViewShiftHistory = false;
         if (!isOwnProfile)
         {
             var viewerIsCoordinator = (await _shiftMgmt.GetCoordinatorTeamIdsAsync(viewer.Id)).Count > 0;
-            var viewerCanViewShiftHistory = viewerIsCoordinator || ShiftRoleChecks.IsPrivilegedSignupApprover(User);
+            viewerCanViewShiftHistory = viewerIsCoordinator || ShiftRoleChecks.IsPrivilegedSignupApprover(User);
 
             if (viewerCanViewShiftHistory)
             {
@@ -1047,6 +1048,7 @@ public async Task<IActionResult> ViewProfile(Guid id, CancellationToken ct)
             IsOwnProfile = isOwnProfile,
             IsApproved = profile.IsApproved,
             NoShowHistory = noShowHistory,
+            CanViewShiftSignups = viewerCanViewShiftHistory,
         };
 
         return View("Index", viewModel);
diff --git a/src/Humans.Web/Models/ProfileViewModel.cs b/src/Humans.Web/Models/ProfileViewModel.cs
index 91a49b7d9..82d79b3b7 100644
--- a/src/Humans.Web/Models/ProfileViewModel.cs
+++ b/src/Humans.Web/Models/ProfileViewModel.cs
@@ -313,6 +313,12 @@ public string? FormattedBirthday
     /// </summary>
     public List<NoShowHistoryItem>? NoShowHistory { get; set; }
 
+    /// <summary>
+    /// Whether the viewer can see the shift signups section (coordinators, signup approvers, admins).
+    /// Uses the same gate as NoShowHistory. Only meaningful when IsOwnProfile is false.
+    /// </summary>
+    public bool CanViewShiftSignups { get; set; }
+
     /// <summary>
     /// Languages for editing (owner only).
     /// </summary>
diff --git a/src/Humans.Web/Views/Profile/Index.cshtml b/src/Humans.Web/Views/Profile/Index.cshtml
index b2315114a..eb2ef5835 100644
--- a/src/Humans.Web/Views/Profile/Index.cshtml
+++ b/src/Humans.Web/Views/Profile/Index.cshtml
@@ -66,6 +66,11 @@
         }
         <vc:profile-card user-id="@Model.UserId" view-mode="@cardViewMode" />
 
+        @if (!Model.IsOwnProfile && Model.CanViewShiftSignups)
+        {
+            <vc:shift-signups user-id="@Model.UserId" view-mode="@ShiftSignupsViewMode.Admin" display-name="@Model.DisplayName" />
+        }
+
         @if (Model.NoShowHistory != null && Model.NoShowHistory.Count > 0)
         {
             <div class="card mb-3">

From a891681cca859b9dec5abd477c171c14520ec79f Mon Sep 17 00:00:00 2001
From: Peter Drier <peter.drier@gmail.com>
Date: Wed, 15 Apr 2026 04:28:04 +0200
Subject: [PATCH 2/2] Add CSP nonce to inline scripts on Profile/Edit (#495)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The eight inline <script> blocks in Views/Profile/Edit.cshtml were
missing nonce="@Context.Items[\"CspNonce\"]" attributes, so the strict
script-src CSP set by CspNonceMiddleware blocked them in standards-
compliant browsers (Firefox 149 reported by Ysalyne). The "+ Add
language" and "+ Add entry" buttons rely on those scripts to wire up
their click handlers, which is why the buttons appeared dead while CSS
hover/pressed states still worked.

The Google Maps loader script even calls
m.querySelector("script[nonce]")?.nonce to copy the page nonce onto
the dynamically-injected Maps script tag — which only makes sense if
the surrounding inline scripts were intended to carry the nonce in the
first place. Add it to all eight inline scripts so they execute under
the standard CSP policy.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/Humans.Web/Views/Profile/Edit.cshtml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/Humans.Web/Views/Profile/Edit.cshtml b/src/Humans.Web/Views/Profile/Edit.cshtml
index 71f4315e8..6f6bbc593 100644
--- a/src/Humans.Web/Views/Profile/Edit.cshtml
+++ b/src/Humans.Web/Views/Profile/Edit.cshtml
@@ -504,13 +504,13 @@
 
     @if (!string.IsNullOrEmpty(ViewData["GoogleMapsApiKey"]?.ToString()))
     {
-        <script>
+        <script nonce="@Context.Items["CspNonce"]">
             (g=>{var h,a,k,p="The Google Maps JavaScript API",c="google",l="importLibrary",q="__ib__",m=document,b=window;b=b[c]||(b[c]={});var d=b.maps||(b.maps={}),r=new Set,e=new URLSearchParams,u=()=>h||(h=new Promise(async(f,n)=>{await (a=m.createElement("script"));e.set("libraries",[...r]+"");for(k in g)e.set(k.replace(/[A-Z]/g,t=>"_"+t[0].toLowerCase()),g[k]);e.set("callback",c+".maps."+q);a.src=`https://maps.${c}apis.com/maps/api/js?`+e;d[q]=f;a.onerror=()=>h=n(Error(p+" could not load."));a.nonce=m.querySelector("script[nonce]")?.nonce||"";m.head.append(a)}));d[l]?console.warn(p+" only loads once. Ignoring:",g):d[l]=(f,...n)=>r.add(f)&&u().then(()=>d[l](f,...n))})({
                 key: "@ViewData["GoogleMapsApiKey"]",
                 v: "weekly"
             });
         </script>
-        <script>
+        <script nonce="@Context.Items["CspNonce"]">
             async function initPlacesAutocomplete() {
                 try {
                     // Load the places library
@@ -605,12 +605,12 @@
     }
     else
     {
-        <script>
+        <script nonce="@Context.Items["CspNonce"]">
             console.warn("Google Maps API key not configured. Location autocomplete disabled.");
         </script>
     }
 
-    <script>
+    <script nonce="@Context.Items["CspNonce"]">
         (function() {
             const container = document.getElementById('contactFieldsContainer');
             const addButton = document.getElementById('addContactField');
@@ -921,7 +921,7 @@
             });
         })();
     </script>
-    <script>
+    <script nonce="@Context.Items["CspNonce"]">
         // Tier selection show/hide for application section and Asociado questions
         (function() {
             const tierRadios = document.querySelectorAll('input[name="SelectedTier"]');
@@ -943,7 +943,7 @@
             });
         })();
     </script>
-    <script>
+    <script nonce="@Context.Items["CspNonce"]">
         // Client-side CV validation: block submit if no CV rows and checkbox unchecked
         (function() {
             const form = document.querySelector('form[action*="Edit"]');
@@ -966,7 +966,7 @@
             });
         })();
     </script>
-    <script>
+    <script nonce="@Context.Items["CspNonce"]">
         // Toggle volunteer history section visibility based on "No Prior Burn Experience" checkbox
         (function() {
             const checkbox = document.getElementById('noPriorBurnCheckbox');
@@ -984,7 +984,7 @@
             checkbox.addEventListener('change', toggleHistorySection);
         })();
     </script>
-    <script>
+    <script nonce="@Context.Items["CspNonce"]">
         // Unsaved-changes guard
         (function () {
             const form = document.querySelector('form[action*="Edit"]');