From 59aefe9521fb9e64fbe11053ccdc73d5ef6ffd22 Mon Sep 17 00:00:00 2001
From: Simon
Date: Wed, 28 Jan 2026 10:45:05 +0100
Subject: [PATCH] fix: minor bugs
---
 lib/mv_web/live/group_live/show.ex | 36 +++++++++++++-----------------
 1 file changed, 16 insertions(+), 20 deletions(-)
diff --git a/lib/mv_web/live/group_live/show.ex b/lib/mv_web/live/group_live/show.ex
index 6b98da6..8114fa5 100644
--- a/lib/mv_web/live/group_live/show.ex
+++ b/lib/mv_web/live/group_live/show.ex
@@ -172,7 +172,8 @@ defmodule MvWeb.GroupLive.Show do
 {ngettext(
 "This group has %{count} member. All member-group associations will be permanently deleted.",
 "This group has %{count} members. All member-group associations will be permanently deleted.",
- @group.member_count
+ @group.member_count,
+ count: @group.member_count
 )}
@@ -186,7 +187,7 @@ defmodule MvWeb.GroupLive.Show do
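Review bot: Unless this project pins a Gettext version that behaves differently, `ngettext/4` already places its third argument into the `count` binding before interpolating, so the added `count: @group.member_count` duplicates what the call does on its own. If the `%{count}` placeholder was rendering wrongly, that points to a different root cause (for example the value passed as the third argument) rather than a missing binding, so it is worth confirming before keeping both. The template markup around this call appears stripped from the hunk, so the enclosing element cannot be checked here.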
{@group.name}
-
+
@@ -243,29 +245,23 @@ defmodule MvWeb.GroupLive.Show do
 def handle_event("confirm_delete", %{"slug" => slug}, socket) do
 actor = current_actor(socket)
+ group = socket.assigns.group
- # Server-side authorization check to prevent unauthorized delete attempts
- if can?(actor, :destroy, Mv.Membership.Group) do
- case Membership.get_group_by_slug(slug, actor: actor, load: []) do
- {:ok, nil} ->
- {:noreply,
- socket
- |> put_flash(:error, gettext("Group not found."))
- |> redirect(to: ~p"/groups")}
-
- {:ok, group} ->
- handle_delete_confirmation(socket, group, actor)
-
- {:error, _error} ->
- {:noreply,
- socket
- |> put_flash(:error, gettext("Failed to load group."))
- |> redirect(to: ~p"/groups")}
+ # Verify slug matches the group in assigns (prevents tampering)
+ if group.slug == slug do
+ # Server-side authorization check on the specific group record
+ if can?(actor, :destroy, group) do
+ handle_delete_confirmation(socket, group, actor)
+ else
+ {:noreply,
+ socket
+ |> put_flash(:error, gettext("Not authorized."))
+ |> redirect(to: ~p"/groups")}
 end
 else
 {:noreply,
 socket
- |> put_flash(:error, gettext("Not authorized."))
+ |> put_flash(:error, gettext("Group not found."))
 |> redirect(to: ~p"/groups")}
 end
 end
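Review bot: The nested `if`/`else` in the new body leaves two near-identical deny branches (`{:noreply, socket |> put_flash(:error, ...) |> redirect(to: ~p"/groups")}`), which a `cond` with one small private helper would flatten into one guard per failure mode; the rewrite below keeps the same check order and the same flash strings. Authorizing `can?/3` against the specific `group` record instead of `Mv.Membership.Group` is the right granularity, but it is still only a UI-level gate: the destroy performed in `handle_delete_confirmation/3` (outside this hunk) should keep passing `actor: actor` so the resource policies are also enforced on the action itself — not visible here, so worth confirming. The body also assumes `socket.assigns.group` is always populated by `mount`/`handle_params`; if it can be `nil`, `group.slug` raises before either flash is reached.
```elixir
def handle_event("confirm_delete", %{"slug" => slug}, socket) do
  actor = current_actor(socket)
  group = socket.assigns.group

  cond do
    # Slug sent by the client must match the group already in assigns
    group.slug != slug ->
      deny(socket, gettext("Group not found."))

    # Authorize against the specific record, not the resource module
    not can?(actor, :destroy, group) ->
      deny(socket, gettext("Not authorized."))

    true ->
      handle_delete_confirmation(socket, group, actor)
  end
end

# Flash an error and send the user back to the group index.
defp deny(socket, message) do
  {:noreply,
   socket
   |> put_flash(:error, message)
   |> redirect(to: ~p"/groups")}
end
```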