Fix security and quality issues from code review

Critical: Add company scoping to line item update/delete and note delete via ownership verification through ticket join. Add companyId validation to signed URL file serving. High: Paginate notes list endpoint with search and sort support. Fix blob URL memory leaks in AuthImage components with proper cleanup on unmount. Improve photo upload error handling — count failures and show specific error count instead of silently clearing form.
2026-03-29 12:16:17 -05:00
parent 21ef7e7059
commit 72d0ff0a33
7 changed files with 89 additions and 24 deletions
--- a/packages/admin/src/components/repairs/ticket-photos.tsx
+++ b/packages/admin/src/components/repairs/ticket-photos.tsx
@@ -13,6 +13,7 @@ function AuthImage({ path, alt, className, onClick }: { path: string; alt: strin

  useEffect(() => {
    let cancelled = false
+    let blobUrl: string | null = null
    async function load() {
      try {
        const res = await fetch(`/v1/files/serve/${path}`, {
@@ -20,11 +21,17 @@ function AuthImage({ path, alt, className, onClick }: { path: string; alt: strin
        })
        if (!res.ok || cancelled) return
        const blob = await res.blob()
-        if (!cancelled) setSrc(URL.createObjectURL(blob))
+        if (!cancelled) {
+          blobUrl = URL.createObjectURL(blob)
+          setSrc(blobUrl)
+        }
      } catch { /* ignore */ }
    }
    load()
-    return () => { cancelled = true }
+    return () => {
+      cancelled = true
+      if (blobUrl) URL.revokeObjectURL(blobUrl)
+    }
  }, [path, token])

  if (!src) return <div className={`${className} bg-muted animate-pulse`} />