Add edit functionality for notes #101
Conversation
|
@postmodern take a look at it please and let me know if you like it or what would you change. Code is not fully completed, I'll have to "refactor" it a bit later. |
There was a problem hiding this comment.
Needs HTML escaping in the views, especially on note.body; or we should render note.body as markdown. Also should add hattr to all emitted attributes in the views, "just to be safe". I'm strongly against pulling in any external JavaScript assets, especially fonts, and prefer we just use the user's browser's default font.
views/_notes.erb
Outdated
| <div class="control"> | ||
| <div class="media-content"> | ||
| <div class="field mb-0 p-2"> | ||
| <textarea id="note-edit-textarea-<%= note.id %>" class="textarea" name="body" placeholder="Edit a note..."><%= note.body %></textarea> |
There was a problem hiding this comment.
Needs h HTML escaping, or we need to render the note body as markdown and inline the primitive HTML.
views/_notes.erb
Outdated
|
|
||
| <div class="field is-flex is-justify-content-flex-end px-2 pb-2"> | ||
| <button class="edit-note button is-small is-danger mr-2" data-note-id=<%= note.id %>>Discard</button> | ||
| <button class="update-note button is-small is-primary" data-note-id=<%= note.id %> data-note-body=<%= note.body %>>Save</button> |
There was a problem hiding this comment.
Attributes need hattr escaping.
views/_notes.erb
Outdated
|
|
||
| <div class="columns is-full"> | ||
| <div class="column"> | ||
| <div id="note-edit-body-<%= note.id %>" class="mb-0 p-4"><%= note.body %></div> |
There was a problem hiding this comment.
Needs h HTML escaping on note.body, or we should render it as markdown.
views/_notes.erb
Outdated
| <div class="box p-0" style="border: 1px solid #1c1c39"> | ||
| <div class="columns m-0 p-1" style="background-color: #1c1c39"> | ||
| <div class="column is-half px-3 py-0"> | ||
| <small class="is-size-7">Created at: <%= note.created_at %></small> |
There was a problem hiding this comment.
Probably safe, but I'd escape the timestamp using h just to be safe.
views/_notes.erb
Outdated
| <div class="dropdown-menu" id="dropdown-menu6" role="menu"> | ||
| <div class="dropdown-content"> | ||
| <a class="dropdown-item py-2 edit-note" data-note-id=<%= note.id %>>Edit</a> | ||
| <a class="dropdown-item py-2 delete-note has-text-danger" data-note-id=<%= note.id %>>Delete</a> |
There was a problem hiding this comment.
Probably a good idea to escape note.id with hattr just to be safe, and that it doesn't trigger false positives on some security scan.
views/_notes.erb
Outdated
|
|
||
| <div class="columns is-full"> | ||
| <div class="column"> | ||
| <div id="note-edit-body-<%= note.id %>" class="mb-0 p-4"><%= note.body %></div> |
There was a problem hiding this comment.
Probably a good idea to escape note.id with hattr just to be safe, and that it doesn't trigger false positives on some security scan.
views/_notes.erb
Outdated
| <div class="column"> | ||
| <div id="note-edit-body-<%= note.id %>" class="mb-0 p-4"><%= note.body %></div> | ||
|
|
||
| <div id="note-edit-form-<%= note.id %>" style="display: none"> |
There was a problem hiding this comment.
Probably a good idea to escape note.id with hattr just to be safe, and that it doesn't trigger false positives on some security scan.
views/_notes.erb
Outdated
| <div class="control"> | ||
| <div class="media-content"> | ||
| <div class="field mb-0 p-2"> | ||
| <textarea id="note-edit-textarea-<%= note.id %>" class="textarea" name="body" placeholder="Edit a note..."><%= note.body %></textarea> |
There was a problem hiding this comment.
Probably a good idea to escape note.id with hattr just to be safe, and that it doesn't trigger false positives on some security scan.
views/layout.erb
Outdated
| @@ -8,6 +8,7 @@ | |||
| <link rel="stylesheet" type="text/css" media="screen" href="/stylesheets/bulma.min.css" /> | |||
| <link rel="stylesheet" type="text/css" media="screen" href="/stylesheets/app.css" /> | |||
| <script type="text/javascript" src="/javascript/app.js"></script> | |||
| <script defer src="https://use.fontawesome.com/releases/v5.3.1/js/all.js"></script> | |||
There was a problem hiding this comment.
Let's not add a font just yet and use the browser's default font, especially not some external JavaScript asset font. The whole app should be able to load and run without an internet connection.
app/db.rb
Outdated
| put "/db/notes/:id" do | ||
| @record = Ronin::DB::Note.find_by(params[:id]) | ||
|
|
||
| unless @record || @record.update(params) |
There was a problem hiding this comment.
I would return a different error code if the update fails, like 400 (Bad Request).
|
Noticed that |
|
Oooh the JavaScript asset is for the icons. For SVG icons just download the desired icon files and put them into |
|
Doing a visual inspection, I think the grey text on black background for the comment header is hard to see in bright-mode. I'd use white text on a black background, or at least a brighter shade of grey. |
|
It also appears that the Delete doesn't remove the comment |
#58