Harden suggestion update gating and joker cap

2026-02-05 19:36:31 +01:00
parent d9573540d6
commit a2dd212377
3 changed files with 170 additions and 17 deletions


@@ -1,5 +1,5 @@
# Findings Pick'n'Play
- Non-admin suggestion edits are effectively allowed during Vote/Results: only the title is locked; other fields update (`PUT /api/suggestions/{id}` at Endpoints/SuggestEndpoints.cs:182-193). Test `Phase_gate_blocks_player_update_in_vote_phase` asserts 200 and only checks the name, so it masks the missing phase gate for non-admin updates.
- Joker create path still enforces the 5-suggestion cap. Spec implies joker grants an extra game in Vote, but code rejects when a player already has 5 suggestions (`existingCount >= 5` even when `usingJoker`). No test covers this, so the defect would ship unnoticed.
- Editing another player's suggestion is untested. The endpoint returns 401 for non-owners, but the suite never exercises this path, leaving a security/authorization regression risk.
- [x] Non-admin suggestion edits now phase-gated: full edit in Suggest, title locked in Vote, no edits in Results. Updated PUT logic and expanded test to assert non-title fields edit in Vote and block in Results.
- [x] Joker create path now allows a sixth suggestion when using a joker and blocks a seventh; added coverage for the joker bypass case.
- [x] Editing another player's suggestion covered with 401 assertion to protect authorization regression.
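Review bot: the third checked item locks in a 401 for an authenticated non-owner editing another player's suggestion, but that is an authorization failure, not an authentication failure, so the expected status on `PUT /api/suggestions/{id}` should be 403 and the new assertion should check for that rather than cementing the wrong code. Two smaller points in the same hunk: the replacement lines drop the original finding text (the `Endpoints/SuggestEndpoints.cs:182-193` reference, the `existingCount >= 5` condition, the note that `Phase_gate_blocks_player_update_in_vote_phase` asserted 200), so keep each finding next to its resolution instead of overwriting it; and since that test now expects non-title fields to edit successfully in Vote, its name no longer describes what it checks and should be renamed or split into a Vote-allows and a Results-blocks case.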