From acf8f9f4da5db4d1c40b3d1d5f08b1e1aafbd7c2 Mon Sep 17 00:00:00 2001 From: Steve Dogiakos Date: Tue, 31 Mar 2026 10:49:23 -0600 Subject: [PATCH] fix: replace inline onclick handlers blocked by CSP with event delegation The Content-Security-Policy header (default-src 'self') blocked inline onclick attributes, silently preventing the Edit and Delete buttons in the user management modal from firing. Replaced with data-id attributes and a delegated click listener on the users-list container. --- public/js/app.js | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/public/js/app.js b/public/js/app.js index b0d99ec..b8d832b 100644 --- a/public/js/app.js +++ b/public/js/app.js @@ -209,8 +209,8 @@ function renderUsersList() { ${roleBadge(u.role)} ${accountsLabel} - - ${!isSelf ? `` : ''} + + ${!isSelf ? `` : ''} `; }).join('')} @@ -1798,6 +1798,12 @@ async function init() { document.getElementById('btn-users').addEventListener('click', openUsersModal); document.getElementById('btn-close-users').addEventListener('click', closeUsersModal); document.getElementById('users-overlay').addEventListener('click', closeUsersModal); + document.getElementById('users-list').addEventListener('click', e => { + const editBtn = e.target.closest('.user-btn-edit'); + const deleteBtn = e.target.closest('.user-btn-delete'); + if (editBtn) startUserEdit(parseInt(editBtn.dataset.id, 10)); + if (deleteBtn) deleteUser(parseInt(deleteBtn.dataset.id, 10)); + }); document.getElementById('btn-save-user').addEventListener('click', saveUser); document.getElementById('btn-cancel-user-edit').addEventListener('click', cancelUserEdit); document.getElementById('uf-role').addEventListener('change', renderUfAccountCheckboxes);