Executive Meetings: inline editing, drag reorder, and current-meeting highlight
Implements Task #122 — four features on the Executive Meetings schedule: 1. Word-like inline editing of meeting title and attendee names with bold, italic, underline, color, font-family, font-size, and text-align controls (Tiptap-backed EditableCell + FormattingToolbar). 2. Drag-to-reorder column headers (dnd-kit), persisted in the existing em-schedule-cols-v1 storage key. Old up/down buttons removed. 3. Drag-to-reorder rows within a day. New POST /api/executive-meetings/reorder endpoint permutes daily_number + start/end times in a single transaction using a two-phase negative→final assignment that respects the (date, daily_number) UNIQUE constraint and survives partial-day reorders. Audit-logged and role-guarded. 4. Highlight the meeting whose start/end window is "now", refreshed every 60 s. Toggle and color picker live in the customize popover and persist to localStorage (em-current-meeting-highlight-v1). Backend changes - Widened titleAr / titleEn / attendees.name to text. - New artifacts/api-server/src/lib/sanitize.ts with an allowlist for inline tags + safe inline styles. Applied to POST, PATCH, PUT-attendees, duplicate, reorder, and applyApprovedRequest (add_attendee) paths so rich text round-trips safely. - Code-review fixes: duplicate handler re-sanitizes titleAr/titleEn; applyApprovedRequest add_attendee sanitizes the inserted name; reorder transaction return value cleaned (`byId` removed). - 5 new tests cover sanitization stripping, reorder happy path, cross-day rejection, permission denial, and applyApprovedRequest sanitization. Pre-existing app_permissions failures are unrelated (tracked by #126/#127). Frontend changes - artifacts/tx-os/src/components/editable-cell.tsx with FormattingToolbar (custom FontSize Tiptap extension + @tiptap/extension-text-align). - ScheduleSection wires saveTitle, saveAttendeeName, reorder mutation (optimistic with revert on error), highlight tick, and HighlightPrefs. - New SortableHeader component for column drag. - AttendeesCell passes the original attendee index to PUT writes so edits reach the right row even after grouping into virtual/internal/external. - Print page renders sanitized rich text via dangerouslySetInnerHTML on names and titles; attendee.title is rendered as a plain text node (XSS). - Translation keys added in ar.json and en.json.
This commit is contained in:
@@ -17,8 +17,12 @@ const FONT_SIZE_RE = /^(?:[8-9]|[1-9]\d)px$/;
|
||||
const COLOR_RE = /^(?:#[0-9a-f]{3}|#[0-9a-f]{6}|rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\))$/i;
|
||||
|
||||
export const RICH_TEXT_OPTIONS: sanitizeHtml.IOptions = {
|
||||
allowedTags: ["span", "strong", "b", "em", "i", "u", "br"],
|
||||
// <p> is included so Tiptap's TextAlign extension (applied to paragraph
|
||||
// nodes) can persist text-align: left/center/right via the inline style
|
||||
// allowlist below. Block tags beyond <p> stay disallowed.
|
||||
allowedTags: ["p", "span", "strong", "b", "em", "i", "u", "br"],
|
||||
allowedAttributes: {
|
||||
p: ["style"],
|
||||
span: ["style"],
|
||||
strong: ["style"],
|
||||
b: ["style"],
|
||||
|
||||
@@ -580,6 +580,29 @@ test("Sanitization: rich text strips disallowed tags but keeps inline formatting
|
||||
assert.ok(/<em[^>]*>One<\/em>/i.test(att.name), "em must survive in attendee");
|
||||
});
|
||||
|
||||
test("Sanitization: text-align on <p> survives a round-trip via PATCH/GET", async () => {
|
||||
const m = await api(adminCookie, "POST", "/api/executive-meetings", {
|
||||
titleAr: "محاذاة", titleEn: "Align", meetingDate: today,
|
||||
});
|
||||
const M = await m.json(); created.meetingIds.push(M.id);
|
||||
// Tiptap's TextAlign extension emits paragraphs like
|
||||
// <p style="text-align: right">…</p>. The sanitizer must allow that
|
||||
// structure so Word-like alignment persists.
|
||||
const html = '<p style="text-align: right">يمين</p><p style="text-align: center">center</p>';
|
||||
const patch = await api(adminCookie, "PATCH",
|
||||
`/api/executive-meetings/${M.id}`, { titleAr: html });
|
||||
assert.equal(patch.status, 200);
|
||||
const day = await api(adminCookie, "GET",
|
||||
`/api/executive-meetings?date=${today}`);
|
||||
const body = await day.json();
|
||||
const got = body.meetings.find((x) => x.id === M.id);
|
||||
assert.ok(got, "meeting must come back");
|
||||
assert.match(got.titleAr, /<p[^>]*text-align:\s*right[^>]*>يمين<\/p>/i,
|
||||
"right-aligned <p> survives sanitization");
|
||||
assert.match(got.titleAr, /<p[^>]*text-align:\s*center[^>]*>center<\/p>/i,
|
||||
"center-aligned <p> survives sanitization");
|
||||
});
|
||||
|
||||
test("Reorder: POST /reorder renumbers a full day to 1..N and inherits slot times", async () => {
|
||||
// Use a fresh future date to guarantee the reorder is full-day.
|
||||
const reorderDate = "2050-01-15";
|
||||
|
||||
Reference in New Issue
Block a user