Fix permission form group toggle broken by Alpine CSP build#77
The @change="setTarget('group')" event handler passed an argument, which is an inline expression unsupported by @alpinejs/csp. This caused the user/group radio toggle to silently fail — clicking "Group" never updated Alpine state, so the group <select> stayed hidden and users saw only the username field. Replace the single setTarget(value) method with separate setUser() and setGroup() methods so event handlers are simple method references. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add explicit guidance that event handlers must not pass arguments (e.g., @click="doThing('arg')") since the CSP build only supports simple method references. This was the root cause of the permission form bug. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
LGTM — clean, minimal fix for the Alpine CSP argument-passing limitation.
Extended reasoning...
Overview
Touches three files: the JS component (alpine-components.js), its corresponding template (_permission_form.html), and CLAUDE.md. The change replaces a single parameterized setTarget(value) method with two no-argument methods (setUser / setGroup), then updates the template event bindings accordingly.
Security Risks
None. This is a UI-only fix with no auth, data-access, or server-side changes. The Alpine state only controls which form field is visible — the server validates the submitted form independently.
Level of Scrutiny
Low. The pattern being applied (feedbackTabs already uses setComment / setPropose in the same file) is already established in the codebase. The fix is a direct translation of the broken parameterized call into the idiomatic CSP-safe form.
Other Factors
No bugs were found. The CLAUDE.md addition codifies the rule to prevent recurrence. The changes are self-contained, reversible, and touch no shared infrastructure.
Fixes
This fixes the bug where selecting the "Group" radio button on the directory/page permissions form had no effect — the group dropdown stayed hidden and only the "Username" input was visible, making it impossible to grant group permissions.
Summary
The @change="setTarget('group')" event handler passed an argument, which is an inline expression unsupported by @alpinejs/csp. This caused the Alpine state to never update when clicking the radio buttons.
Fix: Replace the single setTarget(value) method with separate setUser() / setGroup() methods so event handlers are simple method references (@change="setGroup"), which the CSP build supports.
Also adds an explicit rule to CLAUDE.md documenting that event handlers must never pass arguments in the CSP build, to prevent this class of bug in the future.
Deployment
This PR should:
skip-deploy (skips everything below)
skip-web-deploy
skip-daemon-deploy
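A template lint that would catch this class of bug before merge, as an added example (not code from this repository): it flags any @event / x-on: handler that is not a bare method reference, which is the rule this PR adds to CLAUDE.md. The function name, the regexes and the two sample templates are constructed for illustration, and the check assumes handlers are written as quoted attribute values.

```javascript
// Added example: flag Alpine event handlers the CSP build cannot evaluate.
// Assumption (taken from this PR): a handler must be a simple method
// reference such as "setGroup"; calls with arguments are rejected.

// Matches @event="..." and x-on:event="..." (with optional .modifiers).
const HANDLER_ATTR =
  /(?<=^|\s)(?:@|x-on:)([\w.:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
// A bare identifier or dotted path, nothing else.
const METHOD_REF = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function findUnsafeHandlers(template) {
  const findings = [];
  for (const m of template.matchAll(HANDLER_ATTR)) {
    const expr = (m[2] ?? m[3]).trim();
    if (METHOD_REF.test(expr)) continue;
    // Line number of the attribute, counted from the start of the template.
    const line = template.slice(0, m.index).split("\n").length;
    findings.push({ line, event: m[1], expr });
  }
  return findings;
}

// Constructed sample: the pattern described as broken in this PR.
const BEFORE = `
<input type="radio" name="target" value="user" @change="setTarget('user')">
<input type="radio" name="target" value="group" @change="setTarget('group')">`;

// Constructed sample: the fixed form, one no-argument method per choice.
const AFTER = `
<input type="radio" name="target" value="user" @change="setUser">
<input type="radio" name="target" value="group" x-on:change="setGroup">`;

function report(name, template) {
  const findings = findUnsafeHandlers(template);
  for (const f of findings) {
    console.log(`${name}:${f.line}: @${f.event} handler "${f.expr}" is not a method reference`);
  }
  return findings.length;
}

// A CI job would exit non-zero when any template reports findings.
report("before.html", BEFORE);
report("after.html", AFTER);
```

Because the original failure was silent in the browser, a check like this is most useful as a pre-merge step over the template directory.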