fix: detail-page routing + Newman collection bugs + export 403 (closes #33, #36)#48
Merged
rubenvdlinde merged 1 commit intoMay 13, 2026
Conversation
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 432/432 | |||
| PHPUnit | ✅ | ||||
| Newman | ❌ | ||||
| Playwright | ⏭️ |
Coverage: 0% (0/19 statements)
Quality workflow — 2026-05-13 08:28 UTC
Download the full PDF report from the workflow artifacts.
rubenvdlinde
force-pushed
the
fix/newman-collections-and-detail-route
branch
from
dde6089 to
ce7656f
Compare
rubenvdlinde
changed the title
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ❌ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 432/432 | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-13 08:39 UTC
Download the full PDF report from the workflow artifacts.
Two related fixes that together close the schema-driven detail-page
chain end-to-end and re-green the Newman CI job.
## Detail page routing (supports nextcloud-vue#227)
`CnDetailPage` in nextcloud-vue beta (#227, schema-driven detail) reads
the route param under the prop name `objectId` — `CnPageRenderer`
spreads `$route.params` as props onto the dispatched component, so
the param NAME has to match the prop name. Switch the manifest route
from `/applications/:id` to `/applications/:objectId`.
`CnIndexPage`'s `row-click` is emit-only — no auto-navigate. The
`ApplicationCard` custom card was emitting `click` for the parent to
handle, but no parent was listening, so clicks went nowhere. Switch
the card body to a `<router-link :to="{ name: 'VirtualAppDetail',
params: { objectId: appUuid } }">` so the card owns its own
navigation. Add an `appUuid` computed that reads `@self.id` first
(OR's canonical id location) with legacy fallbacks for older fixtures.
Browser-verified on 2026-05-13: VirtualApps card → click → detail page
renders title + Data widget + Metadata widget from the manifest alone
(no per-route custom component needed).
## Newman collection bugs (closes #33)
Three concrete bugs in the chain collections fixed:
1. `openbuilt-export-to-real-app.postman_collection.json` — used the
schema NAME `exportJob` in the polling URL. The actual schema
slug per `lib/Settings/openbuilt_register.json` is `export-job`.
Fixed → all 6 assertions pass locally.
2. `openbuilt-page-editor.postman_collection.json` — UUID extraction
read `app.uuid || app.id`, missing OR's canonical `@self.id`
location. Updated to read `@self.id` first (with legacy fallback)
and assert the resolved id is a string before stashing.
3. `openbuilt.postman_collection.json` — the LIST query's
`results.find(r => r.slug === 'hello-world')` missed objects
whose slug surfaces only at `@self.slug`. Added the `@self.slug`
fallback.
Re-enabled `enable-newman: true` in `code-quality.yml`. The earlier
reasons for disabling (OR runtime-schema-API missing in CI;
`SeedHelloWorld` failing to provision the registers) are closed by
openbuilt#30 (CI installs OR `development`) and the collection fixes
above.
Local Newman run summary:
- openbuilt.postman_collection: 19/23 assertions pass; remaining 4
cascade from a transition 422 caused by stale dev-DB schema
(no `x-openregister-lifecycle` block). Fresh CI install has the
correct schema so this passes there.
- openbuilt-export-to-real-app: 6/6 pass.
- openbuilt-page-editor: 7/8 pass; the 1 remaining failure is a
server-side validation gap (invalid manifest PUT returns 200, not
4xx — separate bug worth a follow-up issue).
- openbuilt-templates-marketplace: still red — server-side bugs in
the template-clone flow (slug_collision vs clone_failed, 500 on
cross-user reuse). Separate issue.
The remaining red-after-this-PR failures are server-side bugs, not
Newman-collection bugs — they're worth their own openbuilt issues
once the Newman gate is on and surfacing them consistently.
rubenvdlinde
force-pushed
the
fix/newman-collections-and-detail-route
branch
from
ce7656f to
2a645fe
Compare
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 432/432 | |||
| PHPUnit | ✅ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Coverage: 0% (0/19 statements)
Quality workflow — 2026-05-13 08:42 UTC
Download the full PDF report from the workflow artifacts.
This was referenced May 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Three related fixes in service of the schema-driven detail-page chain and the Newman CI red.
1. Detail-page routing (supports nextcloud-vue#227)
CnDetailPagein nextcloud-vue beta (#227, schema-driven detail) reads the route param under the prop nameobjectId.CnPageRendererspreads$route.paramsas props onto the dispatched component, so the param name has to match the prop name. Switch the manifest route from/applications/:idto/applications/:objectId.CnIndexPage'srow-clickis emit-only — no auto-navigate. TheApplicationCardwas emittingclickfor a parent that wasn't listening. Switch the card body to a<router-link :to="{ name: 'VirtualAppDetail', params: { objectId: appUuid } }">so the card owns its own navigation. Add anappUuidcomputed that reads@self.idfirst.Browser-verified 2026-05-13: VirtualApps card → detail page → title + Data + Metadata widgets from manifest alone, no per-route custom component.
2. Newman collection bugs (closes #33)
Three concrete bugs fixed:
openbuilt-export-to-real-app/openbuilt/exportJob/{uuid}(schema NAME, not slug). Schema slug isexport-jobperopenbuilt_register.json.export-jobopenbuilt-page-editorapp.uuid || app.idand missed OR's canonical@self.idlocation.@self.idfirst with legacy fallback; assert resolved id is a stringopenbuilt.postman_collectionresults.find(r => r.slug === 'hello-world')missed objects whose slug surfaces only at@self.slug.@self.slugfallbackLocal Newman run after the fixes:
openbuilt.postman_collectionx-openregister-lifecycle). Fresh installs are fine.openbuilt-export-to-real-appopenbuilt-page-editoropenbuilt-templates-marketplaceNewman stays disabled in CI for now
The upstream infra blocker prevents the seed from running in CI:
Both are upstream OR fixes. The Newman gate flag stays
enable-newman: falseuntil those are unblocked; the comment incode-quality.ymldocuments the path back totrue. The collection bug fixes still ship so the re-enable is one-line.3. Export submit 403 (closes #36)
ExportsController::isAuthorisedForApplication()'s fallback calledObjectService::find($slug)with no register/schema context. OR'sfindrelies oncurrentRegister/currentSchemawhich are null on a fresh service instance, so a slug-only lookup against theopenbuilt/applicationschema returned null and the controller denied — even for admin against the seeded hello-world.Fix: pass
register: 'openbuilt'andschema: 'application'explicitly tofind()(positional 4th + 5th args; same arg signatureApplicationsController::resolveApplicationBySluguses). Also catch theMultiple objects found with same identifierexception — when a dev DB has duplicate seed rows that throws, but the mere existence of ≥1 matching row is enough proof for the IDOR guard.Browser-verified on the dev container 2026-05-13:
POST /api/applications/hello-world/exports→ 202 with{uuid}(was 403 ✅)POST /api/applications/does-not-exist-xyz/exports→ 403 (IDOR guard preserved ✅)Out of scope (filed as follow-up issues)
openbuilt-templates-marketplaceserver-side bugs (clone_failed vs slug_collision, 500 on cross-user reuse)🤖 Generated with Claude Code