fix: require chartId for bulk delete in annotations route (task 4.7)

Reject DELETE ?all=true without chartId with HTTP 400 to prevent
accidental deletion of annotations across all charts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Marko Djordjevic 2026-02-18 11:16:37 +01:00
parent aace19b7f4
commit 103bfa89cb
2 changed files with 7 additions and 5 deletions


@ -32,7 +32,7 @@
- [x] 4.4 `[sonnet]` Add Zod schema validation to `src/app/api/training/start/route.ts` (validate model_type)
- [x] 4.5 `[sonnet]` Add Zod schema validation to `src/app/api/patterns/detect/route.ts` (validate candles, patterns array)
- [x] 4.6 `[sonnet]` Replace `error.message` with generic `"Internal server error"` in all catch blocks across 7+ route files: `health/route.ts`, `candles/route.ts`, `annotations/route.ts`, `annotations/[id]/route.ts`, `upload/route.ts`, `export/route.ts`, `span-annotations/export/route.ts`
- [ ] 4.7 `[sonnet]` Require `chartId` for bulk delete in `src/app/api/annotations/route.ts` — reject `?all=true` without chartId with HTTP 400
- [x] 4.7 `[sonnet]` Require `chartId` for bulk delete in `src/app/api/annotations/route.ts` — reject `?all=true` without chartId with HTTP 400
- [ ] 4.8 `[sonnet]` Wrap chart cascade delete in `db.transaction()` and add `spanAnnotations` deletion in `src/app/api/charts/[id]/route.ts`
- [ ] 4.9 `[haiku]` Add `parseInt(value, 10)` with `isNaN()` guard to all routes parsing integer query params
- [ ] 4.10 `[sonnet]` Add CSV injection protection (prefix `=+@-` cells with `'`) to all export routes


@ -102,11 +102,13 @@ export async function DELETE(request: NextRequest) {
let result;
if (all === 'true') {
if (chartId) {
result = await db.delete(annotations).where(eq(annotations.chart_id, parseInt(chartId, 10))).returning();
} else {
result = await db.delete(annotations).returning();
if (!chartId) {
return NextResponse.json(
{ error: 'chartId is required for bulk delete' },
{ status: 400 }
);
}
result = await db.delete(annotations).where(eq(annotations.chart_id, parseInt(chartId, 10))).returning();
} else if (type) {
const types = type.split(',').map((t) => t.trim());
if (chartId) {
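Review bot: The new 400 guard only checks that chartId is present; on the line that follows it, `parseInt(chartId, 10)` still turns a non-numeric value such as `?chartId=abc` into NaN, so the bulk delete reaches the database with `eq(annotations.chart_id, NaN)` and presumably fails as a 500 (or matches nothing) instead of being rejected up front. Since the point of the change is to make bulk delete fail closed, validate the parsed value in the same guard, e.g. `const id = parseInt(chartId ?? '', 10); if (!chartId || Number.isNaN(id)) { return NextResponse.json({ error: 'chartId is required for bulk delete' }, { status: 400 }); }` and pass `id` to the `where`. Task 4.9 in the accompanying task list tracks the NaN guard for all routes, but this route now depends on it for a destructive operation, and the `if (chartId)` branch under `type` looks like it has the same parse. The enclosing DELETE handler starts and ends outside the hunk.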