fixes

Author: ntietje1

.github/workflows/ci.yml

@@ -51,7 +51,7 @@ jobs:
         with:
           annotations: true
           fail-on-issues: false
-          format: json
+          format: sarif
 
   react-compiler:
     name: React Compiler Health

convex/_test/factories.helper.ts

@@ -85,7 +85,7 @@ export async function createUserProfile(
   const data = {
     ...defaults,
     ...rest,
-    ...(username ? { username: assertUsername(username) } : {}),
+    ...(username !== undefined ? { username: assertUsername(username) } : {}),
   }
   const id = await t.run(async (ctx) => {
     return await ctx.db.insert('userProfiles', data)
@@ -118,7 +118,7 @@ export async function createCampaignWithDm(
     ...defaults,
     ...rest,
     dmUserId: dmProfile._id,
-    ...(slug ? { slug: assertCampaignSlug(slug) } : {}),
+    ...(slug !== undefined ? { slug: assertCampaignSlug(slug) } : {}),
   }
   const campaignId = await t.run(async (ctx) => {
     return await ctx.db.insert('campaigns', campaignData)
@@ -229,7 +229,8 @@ async function insertSidebarItem(
     name: _name,
     ...sidebarOverrides
   } = overrides ?? {}
-  const validatedSlug = slug ? assertSidebarItemSlug(slug) : assertSidebarItemSlug(slugify(name))
+  const validatedSlug =
+    slug !== undefined ? assertSidebarItemSlug(slug) : assertSidebarItemSlug(slugify(name))
 
   const sharedData = {
     ...sidebarItemBase(campaignId, creatorProfileId, name),

convex/sidebarItems/__tests__/sidebarItemValidation.test.ts

@@ -21,12 +21,15 @@ import {
 } from '../validation/name'
 import {
   getAncestorIds,
+  validateCreateParentTarget,
   validateNoCircularParent,
   validateNoCircularParentAsync,
 } from '../validation/parent'
 import { validateLocalSidebarMove } from '../validation/move'
 import { validateItemSlug } from '../validation/slug'
 import type { Id } from '../../_generated/dataModel'
+import { SIDEBAR_ITEM_TYPES } from '../types/baseTypes'
+import type { AnySidebarItem } from '../types/types'
 
 describe('validateItemName', () => {
   it('accepts a valid name', () => {
@@ -376,6 +379,25 @@ describe('validateLocalSidebarMove', () => {
     expect(result).toEqual({ valid: true })
   })
 
+  it('rejects missing target parents before other move validation', () => {
+    const result = validateLocalSidebarMove(
+      {
+        itemId: testId<'sidebarItems'>('item'),
+        name: 'Alpha',
+        parentId: testId<'sidebarItems'>('missing-parent'),
+      },
+      {
+        getParent: () => undefined,
+        getSiblings: () => [],
+      },
+    )
+
+    expect(result).toEqual({
+      valid: false,
+      error: 'Cannot move item: target parent does not exist',
+    })
+  })
+
   it('checks sibling conflicts for regular moves', () => {
     const result = validateLocalSidebarMove(
       {
@@ -393,6 +415,33 @@ describe('validateLocalSidebarMove', () => {
   })
 })
 
+describe('validateCreateParentTarget', () => {
+  it('rejects path targets whose base parent is not a folder', () => {
+    const noteId = testId<'sidebarItems'>('note-parent')
+    const noteParent = {
+      _id: noteId,
+      type: SIDEBAR_ITEM_TYPES.notes,
+      parentId: null,
+      name: 'Leaf Note',
+    } as unknown as AnySidebarItem
+
+    const result = validateCreateParentTarget(
+      {
+        kind: 'path',
+        baseParentId: noteId,
+        pathSegments: [],
+      },
+      new Map([[noteId, noteParent]]),
+      new Map([[null, [noteParent]]]),
+    )
+
+    expect(result).toEqual({
+      valid: false,
+      error: 'Parent is not a folder',
+    })
+  })
+})
+
 describe('cross-table slug uniqueness', () => {
   const t = createTestContext()
 

convex/sidebarItems/functions/moveSidebarItem.ts

@@ -16,12 +16,12 @@ import { deduplicateName } from './defaultItemName'
 import { trashTree, restoreTreeDescendants } from './treeOperations'
 import { getSidebarItem } from './getSidebarItem'
 import { collectDescendants } from './collectDescendants'
-import { assertSidebarItemName } from '../validation/name'
 import type { SidebarItemLocation } from '../types/baseTypes'
 import type { AnySidebarItemRow } from '../types/types'
 import type { CampaignMutationCtx } from '../../functions'
 import type { Id } from '../../_generated/dataModel'
 import type { SidebarItemName } from '../validation/name'
+import type { SidebarItemSlug } from '../validation/slug'
 
 const clearDeletion = { deletionTime: null, deletedBy: null }
 
@@ -63,19 +63,19 @@ async function resyncRelativeLinksForMovedItems(
 async function resolveRestoreConflicts(
   ctx: CampaignMutationCtx,
   item: AnySidebarItemRow,
-): Promise<{ name?: SidebarItemName; slug?: string }> {
+): Promise<{ name?: SidebarItemName; slug?: SidebarItemSlug }> {
   const siblings = await getSidebarItemsByParent(ctx, {
     parentId: item.parentId,
   })
   const otherNames = siblings.filter((s) => s._id !== item._id).map((s) => s.name)
 
-  const uniqueName = assertSidebarItemName(deduplicateName(item.name, otherNames))
+  const uniqueName = deduplicateName(item.name, otherNames) as SidebarItemName
   const uniqueSlug = await findUniqueSidebarItemSlug(ctx, {
     itemId: item._id,
     name: uniqueName,
   })
 
-  const patch: { name?: SidebarItemName; slug?: string } = {}
+  const patch: { name?: SidebarItemName; slug?: SidebarItemSlug } = {}
   if (uniqueName !== item.name) patch.name = uniqueName
   if (uniqueSlug !== item.slug) patch.slug = uniqueSlug
   return patch

convex/sidebarItems/functions/treeOperations.ts

@@ -1,13 +1,13 @@
 import { SIDEBAR_ITEM_LOCATION, SIDEBAR_ITEM_TYPES } from '../types/baseTypes'
 import { findUniqueSidebarItemSlug } from '../validation/orchestration'
-import { assertSidebarItemName } from '../validation/name'
 import { collectDescendants } from './collectDescendants'
 import { hardDeleteItem } from './hardDeleteItem'
 import type { SidebarItemLocation } from '../types/baseTypes'
 import type { CampaignMutationCtx } from '../../functions'
 import type { Id } from '../../_generated/dataModel'
 import type { MutationCtx } from '../../_generated/server'
 import type { AnySidebarItemRow } from '../types/types'
+import type { SidebarItemName } from '../validation/name'
 
 type ItemOperation = (ctx: MutationCtx, item: AnySidebarItemRow) => Promise<void>
 
@@ -59,7 +59,7 @@ export async function restoreTreeDescendants(
     if (i._id === item._id) return
     if (i.location !== SIDEBAR_ITEM_LOCATION.trash) return
 
-    const name = assertSidebarItemName(i.name)
+    const name = i.name as SidebarItemName
     const slug = await findUniqueSidebarItemSlug(ctx, {
       itemId: i._id,
       name,

convex/sidebarItems/validation/move.ts

@@ -37,6 +37,13 @@ export function validateLocalSidebarMove(
     return { valid: true }
   }
 
+  if (parentId !== null && !getParent(parentId)) {
+    return {
+      valid: false,
+      error: 'Cannot move item: target parent does not exist',
+    }
+  }
+
   const parentResult = validateNoCircularParent(itemId, parentId, getParent)
   if (!parentResult.valid) {
     return {

convex/sidebarItems/validation/orchestration.ts

@@ -1,13 +1,10 @@
 import { findUniqueSlug } from '../../common/slug'
 import { CAMPAIGN_MEMBER_ROLE } from '../../campaigns/types'
 import { ERROR_CODE, throwClientError } from '../../errors'
-import { hasAtLeastPermissionLevel } from '../../permissions/hasAtLeastPermissionLevel'
 import { PERMISSION_LEVEL } from '../../permissions/types'
-import { getSidebarItemPermissionLevel } from '../../sidebarShares/functions/sidebarItemPermissions'
 import type { CampaignQueryCtx } from '../../functions'
 import type { Id } from '../../_generated/dataModel'
 import { getSidebarItem } from '../functions/getSidebarItem'
-import { getSidebarItemWithContent } from '../functions/getSidebarItemWithContent'
 import { getSidebarItemsByParent } from '../functions/getSidebarItemsByParent'
 import { SIDEBAR_ITEM_TYPES } from '../types/baseTypes'
 import type { AnySidebarItem } from '../types/types'
@@ -75,10 +72,10 @@ export async function validateSidebarParentChange(
     if (!parentFromDb) {
       throwClientError(ERROR_CODE.NOT_FOUND, 'Parent not found')
     }
-    if (parentFromDb && parentFromDb.type !== SIDEBAR_ITEM_TYPES.folders) {
+    if (parentFromDb.type !== SIDEBAR_ITEM_TYPES.folders) {
       throwClientError(ERROR_CODE.VALIDATION_FAILED, 'Parent must be a folder')
     }
-    if (parentFromDb && parentFromDb.location !== item.location) {
+    if (parentFromDb.location !== item.location) {
       throwClientError(
         ERROR_CODE.VALIDATION_FAILED,
         'Cannot move items into a folder in a different location',
@@ -97,20 +94,17 @@ export async function validateSidebarCreateParent(
 ): Promise<void> {
   const { membership } = ctx
   if (parentId) {
-    const parentItem = await getSidebarItemWithContent(ctx, parentId)
+    const parentItem = await getSidebarItem(ctx, parentId)
     if (!parentItem) {
       throwClientError(ERROR_CODE.NOT_FOUND, 'Parent not found')
     }
     if (parentItem.type !== SIDEBAR_ITEM_TYPES.folders) {
       throwClientError(ERROR_CODE.VALIDATION_FAILED, 'Parent must be a folder')
     }
-    const level = await getSidebarItemPermissionLevel(ctx, { item: parentItem })
-    if (!hasAtLeastPermissionLevel(level, PERMISSION_LEVEL.FULL_ACCESS)) {
-      throwClientError(
-        ERROR_CODE.PERMISSION_DENIED,
-        'You do not have sufficient permission for this item',
-      )
-    }
+    await requireItemAccess(ctx, {
+      rawItem: parentItem,
+      requiredLevel: PERMISSION_LEVEL.FULL_ACCESS,
+    })
   } else if (membership.role !== CAMPAIGN_MEMBER_ROLE.DM) {
     throwClientError(ERROR_CODE.PERMISSION_DENIED, 'Only the DM can create items at the root level')
   }

convex/sidebarItems/validation/parent.ts

@@ -239,6 +239,15 @@ export function validateCreateParentTarget(
   if (!parentStack) {
     return { valid: false, error: 'Parent not found' }
   }
+  if (parentTarget.baseParentId !== null) {
+    const baseParent = itemsMap.get(parentTarget.baseParentId)
+    if (!baseParent) {
+      return { valid: false, error: 'Parent not found' }
+    }
+    if (baseParent.type !== SIDEBAR_ITEM_TYPES.folders) {
+      return { valid: false, error: 'Parent is not a folder' }
+    }
+  }
 
   const traversalStack: Array<ParentRef> = [...parentStack]
 

src/features/campaigns/hooks/useCampaign.ts

@@ -11,7 +11,7 @@ import type { CampaignSlug } from 'convex/campaigns/validation'
 import type { Username } from 'convex/users/validation'
 import { useAuthQuery } from '~/shared/hooks/useAuthQuery'
 
-export type CampaignRouteIdentity = {
+type CampaignRouteIdentity = {
   dmUsername: Username
   campaignSlug: CampaignSlug
 }

src/features/settings/components/tabs/campaign-people/__tests__/people-tab.test.tsx

@@ -8,6 +8,7 @@ import { createCampaign, createCampaignMember } from '~/test/factories/campaign-
 import { mockAuthQuery } from '~/test/mocks/convex-mocks'
 import { TestWrapper } from '~/test/test-wrapper'
 import { useAuthQuery } from '~/shared/hooks/useAuthQuery'
+import { getOrigin } from '~/shared/utils/origin'
 
 vi.mock('~/features/campaigns/hooks/useCampaign', () => ({
   useOptionalCampaign: vi.fn(),
@@ -44,10 +45,15 @@ vi.mock('~/shared/hooks/useAuthQuery', () => ({
   useAuthQuery: vi.fn(),
 }))
 
+vi.mock('~/shared/utils/origin', () => ({
+  getOrigin: vi.fn(),
+}))
+
 describe('PeopleTab', () => {
   beforeEach(() => {
     vi.mocked(useOptionalCampaign).mockReset()
     vi.mocked(useAuthQuery).mockReset()
+    vi.mocked(getOrigin).mockReset()
   })
 
   it('renders on campaign routes without requiring CampaignProvider', () => {
@@ -106,6 +112,7 @@ describe('PeopleTab', () => {
       isCampaignLoaded: true,
       campaignId: campaign._id,
     })
+    vi.mocked(getOrigin).mockReturnValue('https://example.test')
     const readyMembers = [
       createCampaignMember({
         campaignId: campaign._id,
@@ -127,7 +134,7 @@ describe('PeopleTab', () => {
     )
 
     expect(screen.getByTestId('invite-link-section')).toHaveTextContent(
-      `${import.meta.env.VITE_SITE_URL}/join/testdm/${campaign.slug}`,
+      `https://example.test/join/testdm/${campaign.slug}`,
     )
     expect(screen.getByTestId('members-section')).toBeInTheDocument()
     expect(screen.getByTestId('pending-requests-section')).toBeInTheDocument()