Improve PDF rendering and access control for notes

Address issues with Arabic text rendering in PDFs and adjust access control for note sharing.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 77cfe984-2c65-4152-bb7a-0df28274fe66
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: 616f5bca-46d2-4c5f-acc3-689cf0e525e0
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/c3c252e4-c83d-40ca-9fff-99a3ea60701e/77cfe984-2c65-4152-bb7a-0df28274fe66/4ugHzxo
Replit-Helium-Checkpoint-Created: true
This commit is contained in:
riyadhafraa
2026-05-11 18:49:10 +00:00
parent e81ba3a4b9
commit 6dc016261c
2 changed files with 93 additions and 42 deletions
@@ -435,7 +435,11 @@ test("recipient cannot PATCH the sender's note body", async () => {
method: "PATCH",
body: JSON.stringify({ title: "HACKED" }),
});
assert.equal(res.status, 404, "recipient PATCH must be denied");
// The notes PATCH route uses a two-step lookup so non-owners get a
// precise 403 (instead of an ambiguous 404). A recipient already
// knows the note exists — they received it — so hiding existence
// would leak nothing. 403 is the correct deny status here.
assert.equal(res.status, 403, "recipient PATCH must be denied");
const { rows } = await pool.query(`SELECT title FROM notes WHERE id = $1`, [note.id]);
assert.equal(rows[0].title, "Untouched", "sender's note body must be unchanged");