Skip to content

fix(api/admin): dedicated users-scope toggle, data-scope UI, and API-tokens navigation#55

Open
rawand-shakir-draad wants to merge 6 commits into
feature/reporting-foundationfrom
feature/reporting-endpoints
Open

fix(api/admin): dedicated users-scope toggle, data-scope UI, and API-tokens navigation#55
rawand-shakir-draad wants to merge 6 commits into
feature/reporting-foundationfrom
feature/reporting-endpoints

Conversation

@rawand-shakir-draad

@rawand-shakir-draad rawand-shakir-draad commented Jul 6, 2026

Copy link
Copy Markdown

What

Closes out the remaining admin/security polish on top of the reporting endpoints (submissions, choice guides, anonymized users — now part of feature/reporting-foundation):

  • Dedicated users-scope toggle (fix(api)): /reports/users/anonymized and /reports/users/aggregates were gated by "any reporting component enabled", so turning on just one component (e.g. votes) silently exposed the full pseudonymized participant roster and cross-source aggregates project-wide. They now require their own dataScope.users.enabled opt-in.
  • Data-scope admin UI (feat(admin)): adds the missing "Deelnemers (geanonimiseerd)" toggle for the gate above, plus a dynamic checkbox list per project for the submissions.formFields / choiceguides.answerFields per-field opt-ins (previously only settable via the config API, no UI at all).
  • API-tokens navigation (fix(admin)): restores the API-tokens link in the project settings sidenav (the page existed and worked, but was unreachable from the UI — direct-URL only) and nests it correctly under project settings.
  • Back-button fix (fix(admin)): restores the resource detail back-navigation as a real <button> element.

Tests

NODE_CONFIG_DIR="$(pwd)/apps/api-server/config" npm run test:unit:api → all API unit tests passing (275 tests, 24 files).

Notes

  • Base = feature/reporting-foundation, not main — this stacks on the reporting foundation, which now includes the submissions, choice-guide and anonymized-user endpoints too.
  • Fork draadnl only.

@rawand-shakir-draad rawand-shakir-draad changed the title feat(api): reporting endpoints for submissions, choice guides and anonymized users (#440, #441, #442) feat(api): reporting endpoints for submissions, choice guides and anonymized users Jul 6, 2026
The back button in the project sidenav was accidentally changed to a
javascript: URI Link during an unrelated data-scope refactor, which
breaks under a strict CSP and drops normal link semantics.
…rting

/reports/users/anonymized and /reports/users/aggregates were gated by
"any reporting component enabled", so turning on just one component
(e.g. votes) silently exposed the full pseudonymized participant
roster and cross-source aggregates project-wide. They now require
their own dataScope.users.enabled opt-in.
…-ins

Two gaps in the data-scope settings page:
- No admin toggle existed for the new dataScope.users.enabled gate
  (anonymized/aggregate user reporting).
- dataScope.submissions.formFields and dataScope.choiceguides.answerFields
  had no UI at all, so that per-field opt-in could never be turned on.

Adds a "Deelnemers (geanonimiseerd)" toggle, plus a dynamic checkbox
list per project sourced from its enquete/choiceguide widgets' own
form fields.
The link to the per-project API-tokens overview page was accidentally
dropped during the data-scope refactor (46a4fa3), leaving the page
reachable only via a direct URL. Restore it and move it under
Projectinstellingen, next to Data via API, since both pages share the
same settings-route structure and access gating.
@rawand-shakir-draad
rawand-shakir-draad force-pushed the feature/reporting-foundation branch from 4584141 to 64ad01a Compare July 8, 2026 08:23
@rawand-shakir-draad
rawand-shakir-draad force-pushed the feature/reporting-endpoints branch from bfce592 to 0285f56 Compare July 8, 2026 08:23
@rawand-shakir-draad rawand-shakir-draad changed the title feat(api): reporting endpoints for submissions, choice guides and anonymized users fix(api/admin): dedicated users-scope toggle, data-scope UI, and API-tokens navigation Jul 8, 2026
Was never wired into docker-compose.yml, so pseudonymizing reporting
endpoints always 500'd locally. Follows the same pattern as HASH_IP_SALT.
… catalog

report-data-scope.js claimed status (resources/comments) and modBreak/
modBreakDatetime (comments) as safe fields, but neither model has these
attributes — always null, never filterable. Removed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant