fix(web): pin/unpin requests send X-OpenForge-UI header #95
Merged
The pin-to-top context menu fired bare fetch() without the UI marker, so the server's speaker spoofing guard rejected actor='scott' with 403 and the UI silently failed with a 'pin 失败' toast. Both _pinRef and _unpinRef now include X-OpenForge-UI: 1, matching apiJson() and the other mutating UI calls.
🤖 bot-review (comment-only · phase 1)
Diff:
Red-line checks:
Phase 2: auto-approve + auto-merge fire only when red-lines are clean, author is internal, and no needs-human path is touched. Block with |
Bug
Scott reported: on the thread message page, file pin to top does not work.
Root cause
_pinRef / _unpinRef in web/app.js use bare fetch() instead of apiJson(), so they never send the X-OpenForge-UI: 1 header. The server's _resolve_speaker guard treats actor='scott' without that header as a spoofing attempt and returns 403:
UI catches the !ok and shows a generic pin 失败 toast.
Fix
Add X-OpenForge-UI: 1 to both the POST (pin) and DELETE (unpin) calls. Matches the pattern in apiJson() and other UI mutating calls.
Verify
Reproduced & verified against the running 7878 server.
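One way to keep a mutating UI call from omitting the marker is to route every such call through a single wrapper. The following is an added example, not code from this PR or from OpenForge: `withUiHeader`, `uiFetch`, `fakeServer` and the `/pin-example` path are hypothetical, and `fakeServer` is a simplified, constructed stand-in for the guard described above.

```javascript
// Added example, not OpenForge code. Helper names and paths are hypothetical.
const UI_HEADER = 'X-OpenForge-UI';
const isMarker = (name) => String(name).toLowerCase() === UI_HEADER.toLowerCase();

// Return a copy of a fetch() init with the UI marker forced to '1'.
// Accepts headers as a plain object, an array of pairs, a Map or a Headers.
function withUiHeader(init = {}) {
  const src = init.headers || {};
  const pairs = Array.isArray(src) ? src
    : typeof src.entries === 'function' ? Array.from(src.entries())
    : Object.entries(src);
  const headers = {};
  for (const [name, value] of pairs) {
    // Drop any caller-supplied variant of the marker (header names are
    // case-insensitive) so exactly one copy is sent.
    if (!isMarker(name)) headers[name] = value;
  }
  headers[UI_HEADER] = '1';
  return { ...init, headers };
}

// Single entry point for mutating UI calls. A non-2xx answer is raised with
// its status, so a 403 from the guard is visible instead of a generic failure.
async function uiFetch(url, init = {}, fetchImpl = fetch) {
  const res = await fetchImpl(url, withUiHeader(init));
  if (!res.ok) {
    throw new Error(`${init.method || 'GET'} ${url} failed: HTTP ${res.status}`);
  }
  return res;
}

// Constructed stand-in for the server check (assumption: every request here
// claims actor 'scott'): without the marker the answer is 403.
function fakeServer(url, init = {}) {
  const marked = Object.entries(init.headers || {})
    .some(([name, value]) => isMarker(name) && value === '1');
  const status = marked ? 200 : 403;
  return Promise.resolve({ ok: status === 200, status });
}

// Constructed usage: the bare call is rejected, the wrapped call is accepted.
fakeServer('/pin-example', { method: 'POST' })
  .then((r) => console.log('bare fetch ->', r.status));
uiFetch('/pin-example', { method: 'POST' }, fakeServer)
  .then((r) => console.log('uiFetch    ->', r.status));
```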