fix: minor bugs

2026-01-28 10:45:05 +01:00 · 2026-01-28 10:45:05 +01:00 · 59aefe9521
commit 59aefe9521
parent ddc8335cc0
1 changed files with 16 additions and 20 deletions
--- a/lib/mv_web/live/group_live/show.ex
+++ b/lib/mv_web/live/group_live/show.ex
@ -172,7 +172,8 @@ defmodule MvWeb.GroupLive.Show do
                  {ngettext(
                    "This group has %{count} member. All member-group associations will be permanently deleted.",
                    "This group has %{count} members. All member-group associations will be permanently deleted.",
-                    @group.member_count
+                    @group.member_count,
+                    count: @group.member_count
                  )}
                </span>
              </div>
@ -186,7 +187,7 @@ defmodule MvWeb.GroupLive.Show do
              <div class="p-2 mb-2 font-mono text-lg font-bold break-all rounded bg-base-200">
                {@group.name}
              </div>
-              <form phx-change="update_name_confirmation" phx-debounce="200">
+              <form phx-change="update_name_confirmation">
                <input
                  id="group-name-confirmation"
                  name="name"
@ -194,6 +195,7 @@ defmodule MvWeb.GroupLive.Show do
                  value={@name_confirmation || ""}
                  placeholder={gettext("Enter the group name to confirm")}
                  autocomplete="off"
+                  phx-debounce="200"
                  class="w-full input input-bordered"
                />
              </form>
@ -243,29 +245,23 @@ defmodule MvWeb.GroupLive.Show do

  def handle_event("confirm_delete", %{"slug" => slug}, socket) do
    actor = current_actor(socket)
+    group = socket.assigns.group

-    # Server-side authorization check to prevent unauthorized delete attempts
-    if can?(actor, :destroy, Mv.Membership.Group) do
-      case Membership.get_group_by_slug(slug, actor: actor, load: []) do
-        {:ok, nil} ->
-          {:noreply,
-           socket
-           |> put_flash(:error, gettext("Group not found."))
-           |> redirect(to: ~p"/groups")}
-
-        {:ok, group} ->
+    # Verify slug matches the group in assigns (prevents tampering)
+    if group.slug == slug do
+      # Server-side authorization check on the specific group record
+      if can?(actor, :destroy, group) do
        handle_delete_confirmation(socket, group, actor)
-
-        {:error, _error} ->
+      else
        {:noreply,
         socket
-           |> put_flash(:error, gettext("Failed to load group."))
+         |> put_flash(:error, gettext("Not authorized."))
         |> redirect(to: ~p"/groups")}
      end
    else
      {:noreply,
       socket
-       |> put_flash(:error, gettext("Not authorized."))
+       |> put_flash(:error, gettext("Group not found."))
       |> redirect(to: ~p"/groups")}
    end
  end