Skip to content

fix(web): pin/unpin requests send X-OpenForge-UI header#95

Merged
github-actions[bot] merged 3 commits into
mainfrom
fix/thread-pin-ui-header
Jun 14, 2026
Merged

fix(web): pin/unpin requests send X-OpenForge-UI header#95
github-actions[bot] merged 3 commits into
mainfrom
fix/thread-pin-ui-header

Conversation

@SymbolStar

Copy link
Copy Markdown
Owner

Bug

Scott reported: thread message 页面中 file pin to top 不 work.

Root cause

_pinRef / _unpinRef in web/app.js use bare fetch() instead of apiJson(), so they never send the X-OpenForge-UI: 1 header. The server's _resolve_speaker guard treats actor='scott' without that header as a spoofing attempt and returns 403:

{"error": "posting as 'scott' is reserved for the OpenForge UI; agents must use their own agent id as speaker"}

UI catches the !ok and shows a generic pin 失败 toast.

Fix

Add X-OpenForge-UI: 1 to both the POST (pin) and DELETE (unpin) calls. Matches the pattern in apiJson() and other UI mutating calls.

Verify

# before (no header) → 403
curl -sX POST .../pinned-refs -H 'Content-Type: application/json' -d '{"ref_id":"ref_X","actor":"scott"}'
# {"error": "posting as 'scott' is reserved ..."}

# with header → 201
curl -sX POST .../pinned-refs -H 'Content-Type: application/json' -H 'X-OpenForge-UI: 1' -d '{"ref_id":"ref_X","actor":"scott"}'
# {"thread_id": "...", "pinned_ref": {...}, "pinned_refs": [...]}

Reproduced & verified against the running 7878 server.

The pin-to-top context menu fired bare fetch() without the UI marker, so
the server's speaker spoofing guard rejected actor='scott' with 403 and
the UI silently failed with a 'pin 失败' toast. Both _pinRef and _unpinRef
now include X-OpenForge-UI: 1, matching apiJson() and the other mutating
UI calls.
@github-actions

github-actions Bot commented Jun 14, 2026

Copy link
Copy Markdown

🤖 bot-review (comment-only · phase 1)

Diff: 1 file changed, 2 insertions(+), 2 deletions(-) @ af8af4c

Red-line checks:

  • ✅ A-7.5: no new 'forbidden' code in xiaof

Phase 2: auto-approve + auto-merge fire only when red-lines are clean, author is internal, and no needs-human path is touched. Block with no-auto-merge label or [no-auto-merge] in title.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Auto-approved by bot-review: red-line checks clean, internal author, no needs-human paths.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Auto-approved by bot-review: red-line checks clean, internal author, no needs-human paths.

@github-actions github-actions Bot merged commit 6aa7e6a into main Jun 14, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant