Visiting mass-tag URL directly ignored masstag privileges and showed
tag/untag controls (although didn't show the controls in the header).
After this change, bypassing mass tag privileges got a little bit
harder. (It's still possible for the user to talk directly to the API
after all.)
In other words, verify the privileges client-side before issuing an
request to the server. This commit focuses on routing (e.g. clicking a
link while not logged in), rather than DOM element visibility that
should be already taken care of.
In e464e69 I removed href='#' but I noticed that it broke some things.
Readding href serves two purposes:
- it makes links reachable with Tab key
- it makes links clickable with Enter key
The alternative to this approach was to introduce [tabindex] and [role]
attributes. But not only using tabindex=0 with <a/> is questionable,
it'd require adding a keyboard handler that'd intercept space and return
key presses and simulated link clicks. Since it's best to leave this
kind of thing to the native UI, I went with readding hrefs instead. I
believe that hash hrefs, even though being a common practice, are silly,
so I decided to settle down with empty hrefs.
As a bonus, I added a snippet that prevents middle mouse clicks from
opening such links/buttons in new tabs, which was the motivation for
e464e69.
Every time the password reset form was loaded, the form submit event
listener was attached to a non-disposable DOM node rather than the DOM
node whose life scope was bound to the viewed page. As such, submitting
the form, leaving the page, returning back to it and sending the request
again caused the 'submit' event to fire twice - one time from the
non-disposed event handler and one from the current handler. This
resulted in the request being sent twice, and getting two confirmation
messages on the screen.
Fortunately, since the password reset requests are GET requests, they're
intercepted by the internal cache of the client API facade, so the
client just saw duplicate messages without the requests being actually
sent to the backend - meaning no extra mails were sent.
The lists in the post model (current state and original state) referred
to the same objects, so that making changes to current state was seen as
if no change has been made. This broke mass tag - it always thought
there were no changes to post tags.
The problem was with dangling references - the saved post has been
replacing the note collection with entirely new class instances, whereas
the notes control clung onto old references. Now the control detects
such reloads and acts accordingly.
This has important side effect that matters when we check for data
changes using _orig dictionary. Previously, _orig was empty (so its
members fields were undefiend) whereas the real fields were declared as
nulls. This meant that for new entities, the conditions were always
true, which is unintended. Now both _orig and the class itself are
initially populated with _updateFromResponse which syncs the state
between them, removing the problem.
- Hide fields that are uneditable, rather than disabling them
- Support fragmented edit privileges (e.g. roles than can edit only some
aspects of tags) - up until now the client tried to send everything at
once, which resulted in errors for such cases.
Hovering over an autocomplete box always selected the last element
rather than the element under the cursor. This is because resultIndex
was bound by reference.
This looks like a bug in FF implementation of "for (let [x, y] of ...)"
-rather than binding "x" and "y" to the scope of the loop, it's
equivalent to "for (var [x, y] of ...)", which causes nasty anomalies
for functions created inside the loop body.