Add inventory system for in-person hackathon#13
Draft
dropalltables wants to merge 6 commits into main from
Amp-Thread-ID: https://ampcode.com/threads/T-019d1e30-7dd6-7489-91ad-50ea8c189b8d
Co-authored-by: Amp <amp@ampcode.com>
- Add visual distinction for disabled item cards (opacity, red text, "Unavailable" label)
- Remove backdrop click-to-close on checkout modal to prevent accidental dismissal
- Add title tooltips to truncated cart item names
- Create InventoryAccessContext to share access data from layout, eliminating duplicate /api/inventory/access calls in admin layout, dashboard, and browse pages
- Add relative z-10 to admin sub-tab links to fix click target overlap
- Move themeColor from metadata to viewport export (Next.js deprecation fix)
- Add dogfood-output to .gitignore

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Resolve conflicts: keep both inventory and main additions for admin/dashboard layouts, middleware CSP, prisma schema (bomTax, bomShipping, deletedProjects, UserGoalPrize, DESIGN_APPROVED, REVIEWER_PAYMENT + all inventory models), and viewport export for themeColor.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Verify caller is a team member or admin before allowing member removal (previously any authenticated user could kick anyone off any team)
- Exclude cancelled orders from maxPerTeam quota calculations in both item display and order validation queries
- Verify SSE subscribers belong to the requested team (or are admin) to prevent cross-team event snooping

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add input sanitization (DOMPurify) to all user-supplied fields across inventory routes (team names, locations, item names, descriptions)
- Fix IDOR: require team membership/admin to add members or view team details
- Fix authorization: restrict member removal to self-leave or admin only
- Fix race condition: use Serializable isolation on order stock transactions
- Remove email from non-admin API responses to protect minor PII
- Add requireInventoryAccess() gate to items, tools, teams, orders, rentals
- Validate quantity (positive int), floor (1-N range), location (max 200 chars), team name (max 100 chars), imageUrl (HTTPS-only, rejects javascript:/data:)
- Add audit logging for all user actions (order place/cancel, rental create, team create/join/leave/delete/rename, member add/kick, badge assign)
- Cap SSE connections (50/key, 500 total) to prevent DoS
- Block team deletion when active orders or rentals exist
- Fix shop purchase error re-throw that could leak internal state
- Add import hardening (500 item cap, Infinity blocked, sanitized strings)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
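The validation rules listed in the commit above (positive-integer quantity, floor range, length caps, HTTPS-only imageUrl that rejects javascript:/data:) as an added example, not code from this PR or the project. The function and constant names, the floor limit MAX_FLOOR, and the 2048-character URL cap are assumptions; the point it shows is that checking the protocol of a parsed URL, rather than a prefix or regex on the raw string, also rejects mixed-case and leading-whitespace variants.

```typescript
// Added example; hypothetical names, not the project's own API.
export interface OrderInput {
  quantity: unknown;
  floor: unknown;
  location: unknown;
  imageUrl?: unknown;
}

export const MAX_FLOOR = 5; // assumed building size for the "1-N" floor range
export const MAX_LOCATION_LEN = 200;
export const MAX_TEAM_NAME_LEN = 100;

// Accept only absolute https: URLs. The WHATWG URL parser lower-cases the
// scheme and strips leading/trailing whitespace, so "JavaScript:alert(1)",
// " javascript:..." and "data:image/png;base64,..." all fail the protocol check.
export function isSafeImageUrl(value: unknown): boolean {
  if (typeof value !== "string" || value.length > 2048) return false;
  let parsed: URL;
  try {
    parsed = new URL(value);
  } catch {
    return false; // relative or malformed URL
  }
  return parsed.protocol === "https:";
}

// Rejects floats, NaN, Infinity (Number.isInteger(Infinity) is false) and strings.
export function isPositiveInt(value: unknown): value is number {
  return typeof value === "number" && Number.isInteger(value) && value > 0;
}

export function isBoundedString(value: unknown, max: number): boolean {
  return typeof value === "string" && value.trim().length > 0 && value.length <= max;
}

// Returns a list of validation errors; an empty list means the input is acceptable.
export function validateOrderInput(input: OrderInput): string[] {
  const errors: string[] = [];
  const floor = input.floor;
  if (!isPositiveInt(input.quantity)) errors.push("quantity must be a positive integer");
  if (!isPositiveInt(floor) || floor > MAX_FLOOR) errors.push(`floor must be 1-${MAX_FLOOR}`);
  if (!isBoundedString(input.location, MAX_LOCATION_LEN)) errors.push("location must be 1-200 chars");
  if (input.imageUrl !== undefined && !isSafeImageUrl(input.imageUrl)) {
    errors.push("imageUrl must be an absolute https URL");
  }
  return errors;
}
```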
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
No description provided.