Skip to content

feat(admin): THI-347 — supprimer un ticket support + fix THI-334 (delete policies)#374

Merged
thierryvm merged 3 commits into
mainfrom
feat/THI-347-delete-support-ticket
Jun 4, 2026
Merged

feat(admin): THI-347 — supprimer un ticket support + fix THI-334 (delete policies)#374
thierryvm merged 3 commits into
mainfrom
feat/THI-347-delete-support-ticket

Conversation

@thierryvm

Copy link
Copy Markdown
Owner

THI-347 volet 3 — Supprimer un ticket support (+ fix THI-334 racine)

Le panneau admin pouvait filtrer/changer le statut d'un ticket mais pas le supprimer (les tickets de test ne se purgeaient que par SQL → THI-334). Cette PR ajoute la suppression et fixe THI-334 à la racine.

Backend (migration 033, déjà appliquée prod)

  • Migration 029 avait déjà super_admin delete all. Il manquait user delete own → je l'ajoute. RLS OR-combine :
    • user delete own (user_id = auth.uid()) → débloque le teardown des tests d'intégration (le student supprimait ses lignes en afterAll, ça échouait silencieusement = THI-334) + droit RGPD Art. 17 (un user efface ses propres signalements).
    • super_admin delete all → purge triage (déjà présent).
  • Idempotent (drop-if-exists), anon reste revoqué.

Frontend

  • useSupportTickets.deleteTicket(id) — retrait optimiste, 42501/PGRST301 → message FR.
  • SupportTicketsSection : bouton Supprimer par ticket, confirmation inline 2 étapes (pas de dialog natif). super_admin purge spam/obsolète/test.

Tests

  • Hook : deleteTicket succès + mapping refus RLS.
  • UI : confirm 2 étapes appelle deleteTicket ; annuler non.
  • Integration (REST+JWT) : « student cannot delete » inversé → « student CAN delete own » (033) + NOUVEAU test d'isolation (un non-owner non-admin → 0 ligne). 16/16, teardown purge → fini la pollution.

Gates

supabase-backend-auditor (policy DELETE) + ui-auditor (bouton) + feature-dev:code-reviewer en cours + Voie A super_admin à suivre.

Closes THI-334 (root cause). THI-347 volet 3.

🤖 Generated with Claude Code

…I-334 root cause

Volet 3 of THI-347 (panel management completeness) + root-cause fix for THI-334
(integration tests polluting prod).

Backend (migration 033):
- migration 029 already had a `super_admin delete all` DELETE policy + grant, but
  there was NO `user delete own` policy. Add it. RLS OR-combines the two:
  - user delete own  → unblocks the support integration tests' afterAll teardown
    (student deletes its own rows; was silently failing → THI-334 pollution) AND
    gives users the RGPD Art.17 right to erase their own reports.
  - super_admin delete all → triage purge (already present, kept).
- Idempotent (drop-if-exists) so it re-applies cleanly. anon stays revoked.

Frontend:
- useSupportTickets: deleteTicket(id) — optimistic removal, 42501/PGRST301 → FR error.
- SupportTicketsSection: per-ticket "Supprimer" with a two-step inline confirm
  (no native dialog). super_admin can now purge spam/obsolete/test rows from the UI.

Tests:
- hook: deleteTicket success (optimistic) + RLS-denial mapping.
- UI: two-step confirm calls deleteTicket; cancel does not.
- integration: inverted the obsolete "student cannot delete" → "student CAN delete
  own" (033) + NEW isolation test (a non-owner non-admin gets 0 rows). 16/16, the
  teardown now purges → no more test-row pollution.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @thierryvm, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@vercel

vercel Bot commented Jun 4, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
terminal-learning Ready Ready Preview, Comment Jun 4, 2026 6:12pm

…ader (THI-347)

- ui-auditor W1: aria-label on the "Annuler" button (context for screen readers,
  consistent with the two other confirm buttons). Test name matcher updated.
- supabase-backend-auditor MEDIUM: the 033 header comment was factually wrong
  (said "028 no DELETE policy") — migration 029 already had super_admin-delete-all
  + grant; 033's only NEW policy is user-delete-own. Corrected the docstring.

Voie A: delete end-to-end verified (super_admin, demo ticket removed UI+DB, real
ticket intact). 28/28 tests, type-check + lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…THI-347)

- isMountedRef gates setState in updateStatus + deleteTicket so a mutation
  resolving after unmount (navigation away mid-flight) can't touch a dead instance
  — same pattern already used by ScreenshotViewer in this file.
- cross-guard: updateStatus bails if a delete is in flight and vice versa, so an
  UPDATE can't commit on a row a concurrent DELETE removed (super_admin UI).

90 support/admin tests pass, type-check + lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@thierryvm thierryvm merged commit e99c033 into main Jun 4, 2026
4 checks passed
@thierryvm thierryvm deleted the feat/THI-347-delete-support-ticket branch June 4, 2026 18:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant