Improve PDF rendering and access control for notes
Address issues with Arabic text rendering in PDFs and adjust access control for note sharing. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 77cfe984-2c65-4152-bb7a-0df28274fe66 Replit-Commit-Checkpoint-Type: full_checkpoint Replit-Commit-Event-Id: 616f5bca-46d2-4c5f-acc3-689cf0e525e0 Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/c3c252e4-c83d-40ca-9fff-99a3ea60701e/77cfe984-2c65-4152-bb7a-0df28274fe66/4ugHzxo Replit-Helium-Checkpoint-Created: true
This commit is contained in:
@@ -435,7 +435,11 @@ test("recipient cannot PATCH the sender's note body", async () => {
|
||||
method: "PATCH",
|
||||
body: JSON.stringify({ title: "HACKED" }),
|
||||
});
|
||||
assert.equal(res.status, 404, "recipient PATCH must be denied");
|
||||
// The notes PATCH route uses a two-step lookup so non-owners get a
|
||||
// precise 403 (instead of an ambiguous 404). A recipient already
|
||||
// knows the note exists — they received it — so hiding existence
|
||||
// would leak nothing. 403 is the correct deny status here.
|
||||
assert.equal(res.status, 403, "recipient PATCH must be denied");
|
||||
|
||||
const { rows } = await pool.query(`SELECT title FROM notes WHERE id = $1`, [note.id]);
|
||||
assert.equal(rows[0].title, "Untouched", "sender's note body must be unchanged");
|
||||
|
||||
Reference in New Issue
Block a user