fix(css): shelf kebab dropdown unstyled regression (bookshelf-2jxl) #314
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "bd-bookshelf-2jxl"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
.shelf-kebab-menuto the existing grouped CSS rules for the kebab dropdown panel (display:nonebase +display:block .is-open). This fixes the production regression from bd4l (#309) where the shelf dropdown was always-visible and unpositioned.e2e/browser/shelves_test.goshelf kebab tests: adds two newItblocks asserting the dropdown isdisplay:noneon initial load anddisplay:blockafter clicking the button. These assertions fail without the CSS fix and pass with it.Test plan
make test— unit tests green (no Go changes, CSS/e2e only)make e2e— new visibility assertions pass; existing kebab tests passCloses bead bookshelf-2jxl on merge.
SECURITY REVIEW — bookshelf-2jxl (PR #314)
Scope: CSS selector expansion (
static/css/main.css) + two new e2e browser assertions (e2e/browser/shelves_test.go). No Go handler, template, middleware, auth, or data-access changes.Analysis
static/css/main.css
The change groups
.shelf-kebab-menuinto the existing.library-kebab-menuhide/show rules (lines 487–503). This is a purely presentational change:.shelf-kebab-menuelement already exists in the DOM (rendered by the Stimulus controller wired in a prior PR).display: noneis the default — hiding is the secure state. Theis-openclass that reveals the menu is only applied by the Stimulus controller on an explicit user click on the kebab button, not via any URL parameter, cookie, or server-injected state.attr(),url(), orcontent:values are introduced that could serve as an injection surface.e2e/browser/shelves_test.go
Two new
Itblocks verify the hide-on-load / show-on-click behavior:loginPage(page)before touching any shelf UI — no unauthenticated surface is exercised.data-*attribute value derived from a just-created shelf ID; no user-controlled input flows into the selector string at runtime.Eventuallypolling with a 2s/50ms budget is safe; no goroutine leak or resource exhaustion possible in a test context.Findings
No security findings.
REVIEW VERDICT: 0 blocker, 0 major, 0 minor
Code Review — bookshelf-2jxl (PR #314)
Phase 0: DEMO Verification
No DEMO block in the bead. The fix is a CSS regression repair — the correct verification is the two new e2e tests. Both were inspected in the diff; CI is green (per brief).
Phase 1: Spec Compliance
Spec: group
.shelf-kebab-menuinto the existingdisplay:none/display:blockrules; add e2e assertions for hidden-by-default and shown-on-click.static/css/main.css:490—.library-kebab-menu, .shelf-kebab-menu { display: none; ... }. Comma-grouped correctly. No rule body duplication; the full shared block (position, z-index, min-width, background, border, border-radius, box-shadow, padding) is declared once.static/css/main.css:504—.library-kebab-menu.is-open, .shelf-kebab-menu.is-open { display: block; }. Correct counterpart.e2e/browser/shelves_test.go:262— "hidden on load" test: navigates to/books, callsgetComputedStyle(this).displayon.shelf-kebab-menu, expects"none". Passes only if CSS rule is present.e2e/browser/shelves_test.go:280— "visible after click" test: creates a shelf, navigates to/shelves/{id}, clicks the kebab, pollsgetComputedStylewithEventuallyuntil"block". Correctly handles CSS transition timing. Would fail without the.is-opendisplay rule.Shelf menu item buttons use
.library-kebab-menu__item(base.html:226,228,258,260) — those styles are unchanged and continue to apply.No other kebab/menu styles are touched.
Phase 2: Code Quality
One observation worth noting:
[MINOR] e2e/browser/shelves_test.go:262 — "hidden on load" test navigates to
/books, not/shelves/{id}The test uses
page.MustElement(".shelf-kebab-menu")which finds the first match anywhere in the DOM. This works (sidebar is always rendered), but is slightly asymmetric with the click test which navigates to the shelf's own page. Not a correctness issue — both routes render the sidebar containing.shelf-kebab-menu.[MINOR] e2e/browser/shelves_test.go:254-295 — new
Itblocks are not wrapped in aDescribe/ContextgroupingThe two new tests sit directly inside the outer kebab
Describealongside the older "kebab menu has Edit and Delete items"It. Convention in this file uses separateDescribeblocks per concern. Minor structural nit; no behavioral impact.REVIEW VERDICT: 0 blocker, 0 major, 2 minor