fix(#173): re-activate Data Custodian admin portal + navbar contrast/link fixes #174
Merged
…ast/links
The custodian dashboard rendered but every action card 404'd, the top menu
bar was unreadable, and post-login flows broke. Root causes and fixes:
UI / navigation
- Navbar contrast: custodianHeader was navbar-dark on light amber (white-on-amber,
unreadable) -> bg-warning + data-bs-theme="light" (dark-on-amber).
- 404s: dashboard cards + nav links were host-absolute (/custodian/...), bypassing
the /DataCustodian context path -> converted to context-relative th:href=@{...},
including the head CSS/favicon links.
- Dashboard cards equal height (h-100 + flex) so "Upload Data" matches the others.
- Removed the dead "My Usage Points" nav item (customer portal not yet migrated).
Re-activated / added controllers (all GET/read-first; CRUD writes still deferred #166)
- HomeController ("/","/home"), CustodianHomeController ("/custodian"+"/custodian/home",
dashboard stat tiles), UploadController re-enabled, new OAuthTokenController
(read-only authorization-grant table) and SettingsController (read-only system info,
no DB-management actions). Normalized RetailCustomerController view names and added
edit/update/delete (password optional on edit; graceful duplicate/FK handling).
- RetailCustomerService.deleteById.
- Ported legacy portal templates to Thymeleaf + Bootstrap 5.
Security / serving
- WebSecurityCustomizer ignores static resources; explicit /css,/js,/images resource
handlers (needed because @EnableWebMvc disables Boot's defaults).
- Session/form-login chain now owns the UI surface ("/","/home"); /error permitted so
controller errors render an error page instead of a misleading 401.
- Role-aware post-login landing: custodians -> /custodian/home, others -> /.
- Logout converted to CSRF POST (Spring Security logout is POST-only).
- Thymeleaf 3.1 forbids dynamic th:on* handlers -> static onsubmit confirms.
Verified end-to-end: login, all dashboard cards/nav (200), retail-customer
create/edit/update/delete, OAuth tokens, upload, settings, customer login landing.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… test
A retail customer (ROLE_USER) logging in now lands on a self-service page (/customer/authorizations)
listing the third-party authorizations granted against their data, with a Revoke action per
authorization, instead of the generic home page.
- CustomerAuthorizationController: GET /customer[/home|/authorizations] lists the current customer's
authorizations (resolved by username; @Transactional + flat view records since OSIV is off);
POST /customer/authorizations/{id}/revoke sets status=REVOKED, ownership-checked so a customer can
only revoke their own.
- Session/form-login chain now owns /customer/**; role-aware landing sends customers to
/customer/authorizations (custodians still -> /custodian/home).
- customerHeader nav trimmed to the one migrated page (no dead links).
- New template customer/authorizations.html.
- Update CustomerLoginSecurityConfigurationTest: a customer now redirects to /customer/authorizations
(was the stale hard-coded /custodian/home).
Full openespi-datacustodian suite: 160 tests, 0 failures.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
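The ownership-checked revoke endpoint this commit describes is the part worth getting right, since a revoke keyed on the path id alone would let any logged-in customer revoke another customer's grants. The following is an added illustration, not the project's CustomerAuthorizationController; the Authorization and RetailCustomer entities, the AuthorizationStatus enum and the AuthorizationRepository finder are assumptions made for this example, and only the route, the REVOKED status and the username-based ownership rule come from the commit message.

```java
// Added example (not the OpenESPI-DataCustodian project's own code).
// Entities, enum and repository below are hypothetical stand-ins for illustration.
package example;

import java.security.Principal;
import java.util.Optional;

import jakarta.persistence.Entity;
import jakarta.persistence.EnumType;
import jakarta.persistence.Enumerated;
import jakarta.persistence.Id;
import jakarta.persistence.ManyToOne;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.server.ResponseStatusException;

enum AuthorizationStatus { ACTIVE, REVOKED }          // hypothetical

@Entity
class RetailCustomer {                                 // hypothetical
    @Id Long id;
    String username;
}

@Entity
class Authorization {                                  // hypothetical
    @Id Long id;
    @ManyToOne RetailCustomer retailCustomer;
    @Enumerated(EnumType.STRING) AuthorizationStatus status = AuthorizationStatus.ACTIVE;
    void setStatus(AuthorizationStatus s) { status = s; }
}

/** Derived query traverses retailCustomer.username, so the owner filter is part of the SELECT. */
interface AuthorizationRepository extends JpaRepository<Authorization, Long> {
    Optional<Authorization> findByIdAndRetailCustomerUsername(Long id, String username);
}

@Controller
public class CustomerAuthorizationRevokeController {

    private final AuthorizationRepository authorizations;

    public CustomerAuthorizationRevokeController(AuthorizationRepository authorizations) {
        this.authorizations = authorizations;
    }

    // POST only, so Spring Security's CSRF filter requires the token on the form.
    // @Transactional keeps the session open for the lazy retailCustomer join
    // and flushes the status change on return (OSIV is off).
    @PostMapping("/customer/authorizations/{id}/revoke")
    @Transactional
    public String revoke(@PathVariable Long id, Principal principal) {
        // Look up by id AND owner: an id that belongs to another customer is simply
        // not found, so the response is identical to a nonexistent id and reveals
        // nothing about other customers' grants.
        Authorization grant = authorizations
            .findByIdAndRetailCustomerUsername(id, principal.getName())
            .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
        grant.setStatus(AuthorizationStatus.REVOKED);
        // Context-relative redirect: Spring prepends the servlet context path (e.g. /DataCustodian).
        return "redirect:/customer/authorizations";
    }
}
```

The design choice here is to make the ownership check part of the lookup rather than a separate `if` after a `findById`: there is no window in which the controller holds another customer's row, and a forgotten comparison cannot reintroduce the bug. Returning 404 for both "not yours" and "does not exist" also keeps the error path from confirming which ids are live.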
Summary
Re-activates the Data Custodian admin (custodian) portal alongside the resource-server role, and fixes the navbar readability + broken navigation reported during browser testing. Closes #173.
Legacy portal templates were ported from the original OpenESPI-DataCustodian-java (JSP) to the current Thymeleaf + Bootstrap 5 stack. All pages are GET/read-first; CRUD writes remain deferred per #166 (with the exception of retail-customer create/edit/delete, which already existed and is completed here).
What was broken → fixed
- custodianHeader was navbar-dark (white text) on light amber bg-warning → switched to data-bs-theme="light" (dark-on-amber).
- Dashboard cards + nav links were host-absolute (/custodian/...), bypassing the /DataCustodian context path → context-relative th:href="@{...}" (incl. head CSS/favicon).
- @EnableWebMvc disables Boot's static mappings and only /static, /images were registered → added /css, /js resource handlers + WebSecurityCustomizer ignoring static resources.
- Logout was an <a> link; Spring Security logout is POST-only → CSRF POST forms.
- / → 401 — root was unmapped and fell to the stateless chain → re-enabled HomeController, added /, /home to the session chain.
- Thymeleaf 3.1 forbids dynamic th:on* (delete-confirm) → static onsubmit; duplicate-username and FK-delete now handled gracefully; /error permitted so real errors show an error page, not 401; RetailCustomerService.deleteById added.
- Post-login landing was /custodian/home (custodian-only) → role-aware landing (custodians → dashboard, others → /).
- Dashboard cards equal height (h-100 + flex).
New/changed surface
- New: OAuthTokenController (read-only grants table), SettingsController (read-only system info — no DB-management/reset actions), portal templates.
- Re-enabled: HomeController, CustodianHomeController (+ stat tiles), UploadController.
- RetailCustomerController: normalized views + edit/update/delete.
Verification (local sandbox, end-to-end via curl)
Login; /, /home, /login; all custodian pages (home/retailcustomers/oauth tokens/upload/settings) → 200; retail-customer create → edit → update → delete → 302; duplicate username handled; CSS 200; logout POST → 302; customer (ROLE_USER) login → / → 200.
Notes / follow-ups
- Customer portal (/customer/**, /RetailCustomer/**) remains disabled (out of scope).
🤖 Generated with Claude Code
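The security/serving items in the description (static resources excluded from the filter chain, "/", "/home" and "/error" permitted on the session chain, POST-only logout under CSRF, and a role-aware post-login landing that respects the context path) fit in one Spring Security 6 configuration. The following is an added example, not the project's own WebSecurity or HomeController code: the role name ROLE_CUSTODIAN is an assumption (the page only names ROLE_USER), the login page path and the stateless resource-server chain are assumed to exist separately, and the bean and method names are made up for illustration.

```java
// Added example (not the OpenESPI-DataCustodian project's own code): a Spring
// Security 6 configuration for the session/form-login UI surface described in #174.
// ROLE_CUSTODIAN is an assumed role name; the page only mentions ROLE_USER.
package example;

import java.util.Collection;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

@Configuration
public class PortalSecurityConfig {

    /** Static assets bypass the filter chains entirely: no 401 for CSS/JS/favicon,
     *  but also no authentication, so only truly public files belong under these paths. */
    @Bean
    public WebSecurityCustomizer staticResources() {
        return web -> web.ignoring()
            .requestMatchers("/css/**", "/js/**", "/images/**", "/favicon.ico");
    }

    /** Session/form-login chain that owns the UI surface. A separate stateless
     *  resource-server chain (not shown) handles the API paths. */
    @Bean
    public SecurityFilterChain uiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/", "/home", "/login", "/logout", "/error",
                             "/custodian/**", "/customer/**", "/RetailCustomer/**")
            .authorizeHttpRequests(auth -> auth
                // "/error" is permitted so a controller exception renders the error page
                // instead of being reported as a misleading 401.
                .requestMatchers("/", "/home", "/login", "/error").permitAll()
                .requestMatchers("/custodian/**").hasRole("CUSTODIAN")
                .requestMatchers("/customer/**").hasRole("USER")
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")
                .successHandler(roleAwareLanding()))
            // CSRF protection stays at its default (enabled), so logout is only
            // accepted as a POST carrying the CSRF token; a GET <a href="/logout"> is ignored.
            .logout(logout -> logout
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout"));
        return http.build();
    }

    /** Role-aware landing. The redirect is built on the request's context path so it
     *  survives deployment under /DataCustodian (the cause of the 404s in this PR). */
    static AuthenticationSuccessHandler roleAwareLanding() {
        return (HttpServletRequest request, HttpServletResponse response, Authentication auth) ->
            response.sendRedirect(request.getContextPath() + landingFor(auth.getAuthorities()));
    }

    /** Custodians go to the dashboard, customers to their authorizations, anyone else to "/". */
    static String landingFor(Collection<? extends GrantedAuthority> authorities) {
        boolean custodian = authorities.stream()
            .anyMatch(a -> "ROLE_CUSTODIAN".equals(a.getAuthority()));
        if (custodian) {
            return "/custodian/home";
        }
        boolean customer = authorities.stream()
            .anyMatch(a -> "ROLE_USER".equals(a.getAuthority()));
        return customer ? "/customer/authorizations" : "/";
    }
}
```

Two points a reviewer would check against this shape: the `WebSecurityCustomizer` ignore list is a real exemption, not a permit rule, so nothing sensitive may ever be served from those prefixes; and `landingFor` deliberately falls through to "/" for an authenticated user with neither role, which is what the description's "others → /" requires and avoids the stale hard-coded /custodian/home redirect the updated test caught.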