Fix E2E test failures and hide banned users' posts from feeds

NiallJoeMaher · claude · NiallJoeMaher · commit d4e0592b2268 · 2026-03-09T15:09:51.000Z
Fix editor "Saved" indicator for new posts by setting savedTime in the
CREATE branch. Add test.slow() for Firefox publish test timeout. Replace
force-click bookmark buttons with proper TRPC mutation response waits.

Hide banned users' posts by updating status to draft on ban and restoring
on unban. Add defense-in-depth LEFT JOIN on banned_users to post and feed
query endpoints.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/app/(editor)/create/[[...paramsArr]]/_client.tsx b/app/(editor)/create/[[...paramsArr]]/_client.tsx
@@ -243,6 +243,12 @@ const CreateContent = ({ session }: { session: Session | null }) => {
         published: false,
       });
       setUnsavedChanges(false);
+      setSavedTime(
+        new Date().toLocaleString(undefined, {
+          dateStyle: "medium",
+          timeStyle: "short",
+        }),
+      );
       return result.id;
     } else {
       await save({
diff --git a/e2e/articles.spec.ts b/e2e/articles.spec.ts
@@ -189,6 +189,7 @@ test.describe("Authenticated Feed Page (Articles)", () => {
   });
 
   test("Should write and publish an article", async ({ page, isMobile }) => {
+    test.slow();
     const articleTitle = "Lorem Ipsum";
     await page.goto("http://localhost:3000");
     // Waits for articles to be loaded
@@ -349,15 +350,21 @@ test.describe("Authenticated Feed Page (Articles)", () => {
     if (isSaved) {
       // Article is already bookmarked - unbookmark then rebookmark to test the flow
       await savedButton.scrollIntoViewIfNeeded();
-      await savedButton.click({ force: true });
+      await Promise.all([
+        page.waitForResponse(resp => resp.url().includes('trpc') && resp.url().includes('bookmark')),
+        savedButton.click(),
+      ]);
       await expect(saveButton).toBeVisible({ timeout: 15000 });
     }
 
     // Now bookmark the article
     await expect(saveButton).toBeVisible({ timeout: 15000 });
     await expect(saveButton).toBeEnabled({ timeout: 5000 });
     await saveButton.scrollIntoViewIfNeeded();
-    await saveButton.click({ force: true });
+    await Promise.all([
+      page.waitForResponse(resp => resp.url().includes('trpc') && resp.url().includes('bookmark')),
+      saveButton.click(),
+    ]);
 
     // Wait for button text to change to "Saved" after React state update
     await expect(savedButton).toBeVisible({ timeout: 30000 });
diff --git a/e2e/saved.spec.ts b/e2e/saved.spec.ts
@@ -51,14 +51,20 @@ test.describe("Authenticated Saved Page", () => {
     const isSaved = await savedButton.isVisible().catch(() => false);
     if (isSaved) {
       await savedButton.scrollIntoViewIfNeeded();
-      await savedButton.click({ force: true });
+      await Promise.all([
+        page.waitForResponse(resp => resp.url().includes('trpc') && resp.url().includes('bookmark')),
+        savedButton.click(),
+      ]);
       await expect(saveButton).toBeVisible({ timeout: 10000 });
     }
 
     // Now bookmark it
     await expect(saveButton).toBeVisible({ timeout: 15000 });
     await saveButton.scrollIntoViewIfNeeded();
-    await saveButton.click({ force: true });
+    await Promise.all([
+      page.waitForResponse(resp => resp.url().includes('trpc') && resp.url().includes('bookmark')),
+      saveButton.click(),
+    ]);
 
     // Wait for the saved state to appear - this confirms the bookmark mutation succeeded
     await expect(savedButton).toBeVisible({ timeout: 15000 });
diff --git a/server/api/router/admin.ts b/server/api/router/admin.ts
@@ -11,7 +11,7 @@ import {
   content_report,
   feed_sources,
 } from "@/server/db/schema";
-import { and, count, desc, eq, sql } from "drizzle-orm";
+import { and, count, desc, eq, isNotNull, sql } from "drizzle-orm";
 
 export const adminRouter = createTRPCRouter({
   // Get dashboard stats
@@ -166,6 +166,12 @@ export const adminRouter = createTRPCRouter({
 
       await ctx.db.delete(session).where(eq(session.userId, userId));
 
+      // Hide all published posts by the banned user
+      await ctx.db
+        .update(posts)
+        .set({ status: "draft" })
+        .where(and(eq(posts.authorId, userId), eq(posts.status, "published")));
+
       return { banned: true };
     }),
   unban: adminOnlyProcedure
@@ -175,6 +181,18 @@ export const adminRouter = createTRPCRouter({
 
       await ctx.db.delete(banned_users).where(eq(banned_users.userId, userId));
 
+      // Restore posts that were previously published (have publishedAt set)
+      await ctx.db
+        .update(posts)
+        .set({ status: "published" })
+        .where(
+          and(
+            eq(posts.authorId, userId),
+            eq(posts.status, "draft"),
+            isNotNull(posts.publishedAt),
+          ),
+        );
+
       return { unbanned: true };
     }),
 });
diff --git a/server/api/router/feed.ts b/server/api/router/feed.ts
@@ -30,6 +30,7 @@ import {
   feed_sources,
   tag,
   post_tags,
+  banned_users,
 } from "@/server/db/schema";
 import {
   and,
@@ -40,6 +41,7 @@ import {
   lt,
   sql,
   isNotNull,
+  isNull,
   count,
 } from "drizzle-orm";
 import { increment } from "./utils";
@@ -156,11 +158,18 @@ export const feedRouter = createTRPCRouter({
         ) as typeof query;
       }
 
+      // Add banned users join for defense-in-depth filtering
+      query = query.leftJoin(
+        banned_users,
+        eq(posts.authorId, banned_users.userId),
+      ) as typeof query;
+
       // Build where conditions - only link type posts with sources
       const whereConditions = [
         eq(posts.type, "link"),
         eq(posts.status, "published"),
         isNotNull(posts.sourceId),
+        isNull(banned_users.userId),
         category ? eq(feed_sources.category, category) : undefined,
         cursorCondition,
       ].filter(Boolean);
@@ -784,10 +793,17 @@ export const feedRouter = createTRPCRouter({
         ) as typeof query;
       }
 
+      // Add banned users join for defense-in-depth filtering
+      query = query.leftJoin(
+        banned_users,
+        eq(posts.authorId, banned_users.userId),
+      ) as typeof query;
+
       // Build where conditions
       const whereConditions = [
         eq(posts.sourceId, source.id),
         eq(posts.status, "published"),
+        isNull(banned_users.userId),
         cursorCondition,
       ].filter(Boolean);
 
diff --git a/server/api/router/post.ts b/server/api/router/post.ts
@@ -27,6 +27,7 @@ import {
   comments,
   tag,
   user,
+  banned_users,
 } from "@/server/db/schema";
 import {
   and,
@@ -100,7 +101,10 @@ export const postRouter = createTRPCRouter({
       const scoreExpr = sql<number>`(${posts.upvotesCount} - ${posts.downvotesCount})`;
 
       // Build conditions
-      const conditions = [eq(posts.status, "published")];
+      const conditions = [
+        eq(posts.status, "published"),
+        isNull(banned_users.userId),
+      ];
 
       if (type) {
         conditions.push(eq(posts.type, type));
@@ -196,6 +200,7 @@ export const postRouter = createTRPCRouter({
           .from(posts)
           .leftJoin(feedSources, eq(posts.sourceId, feedSources.id))
           .leftJoin(user, eq(posts.authorId, user.id))
+          .leftJoin(banned_users, eq(posts.authorId, banned_users.userId))
           .leftJoin(userVotesSubquery, eq(posts.id, userVotesSubquery.postId))
           .leftJoin(
             userBookmarksSubquery,
@@ -244,6 +249,7 @@ export const postRouter = createTRPCRouter({
           .from(posts)
           .leftJoin(feedSources, eq(posts.sourceId, feedSources.id))
           .leftJoin(user, eq(posts.authorId, user.id))
+          .leftJoin(banned_users, eq(posts.authorId, banned_users.userId))
           .where(and(...conditions))
           .orderBy(orderBy)
           .limit(limit + 1);
