feat: add search filter for items with no photo

[zebrapurring]

What type of PR is this?

• bug
• feature

What this PR does / why we need it:

Adds a new search filter for items without photos. This can be useful to locate items from the collection whose file needs to be extended with a picture.

Which issue(s) this PR fixes:

No issue

Special notes for your reviewer:

This PR also fixes a small visual inconsistency where longer filter lables are split into different lines and aligned differently from the rest of the entries.

Testing

In the Search page toggle the new checkbox Only items without photo inside Options.

Summary by CodeRabbit

Release Notes

• New Features

  • Introduced a new filter option for items to display only those without associated photos.
  • Added a checkbox in the items page UI to toggle the photo filter.
  • Enhanced localization support by adding the filter option in multiple languages.

• Bug Fixes

  • Minor adjustments to dropdown layout and styling for better readability.

These changes improve user experience by allowing more specific item searches and enhancing the interface's usability.

[coderabbitai]

Walkthrough

This pull request introduces enhancements across multiple files to support filtering items based on their photo status. Key changes include the addition of a new onlyWithoutPhoto field in the API request structure, updates to the frontend components to incorporate this filter, and localization entries for various languages. These modifications enable users to specifically query for items that do not have associated photos, thereby improving the item management experience.

Changes

File Path	Change Summary
.vscode/settings.json	Added Go language support with default formatter and a trailing comma for JSON formatting compliance.
backend/app/api/handlers/v1/v1_ctrl_items.go	Added OnlyWithoutPhoto field in repo.ItemQuery struct; adjusted field order.
backend/internal/data/repo/repo_items.go	Added OnlyWithoutPhoto field in ItemQuery struct; updated QueryByGroup method to include filtering logic.
frontend/lib/api/classes/items.ts	Added optional property onlyWithoutPhoto to ItemsQuery type.
frontend/locales/*.json	Added "only_without_photo" key with appropriate translations in multiple localization files (ca, de, en, es, fr, it, nl, pl, ru, sl, sv, tr, zh-CN, zh-HK, zh-MO, zh-TW).
frontend/pages/items.vue	Introduced onlyWithoutPhoto query parameter; updated UI to include a checkbox for filtering items without photos.

Possibly related PRs

• Feature: improve maintenance view with new actions #246: The changes in this PR enhance the maintenance view by introducing new actions related to maintenance entries, which aligns with the overall theme of improving item management and filtering capabilities seen in the main PR.

Suggested reviewers

• tankerkiller125

---

Security Recommendations

• Ensure that input parameters, including onlyWithoutPhoto, are properly validated to prevent injection attacks or unexpected behavior.
• Review the handling of API responses to ensure that sensitive data is not inadvertently exposed, especially when filtering items.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d65958d and b193fb2.

📒 Files selected for processing (2)

• backend/app/api/handlers/v1/v1_ctrl_items.go (1 hunks)
• backend/internal/data/repo/repo_items.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• backend/app/api/handlers/v1/v1_ctrl_items.go
• backend/internal/data/repo/repo_items.go

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's limits when posting large numbers of comments.

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (2)

frontend/pages/items.vue (1)

403-405: Consider adding ARIA attributes for better accessibility.

The checkbox implementation could benefit from additional accessibility attributes.

 <label class="label mr-auto cursor-pointer">
-  <input v-model="onlyWithoutPhoto" type="checkbox" class="toggle toggle-primary toggle-sm" />
-  <span class="label-text ml-4 text-right"> {{ $t("items.only_without_photo") }} </span>
+  <input
+    v-model="onlyWithoutPhoto"
+    type="checkbox"
+    class="toggle toggle-primary toggle-sm"
+    :aria-label="$t('items.only_without_photo')"
+  />
+  <span class="label-text ml-4 text-right" aria-hidden="true">
+    {{ $t("items.only_without_photo") }}
+  </span>
 </label>

backend/internal/data/repo/repo_items.go (1)

383-392: LGTM! Query implementation is efficient.

The filtering logic for items without photos is properly implemented using ent predicates. The query will utilize appropriate indexes through the ent framework's query builder.

Consider monitoring query performance if this filter is frequently used on large datasets. If needed, you could optimize by adding a composite index on (primary, type) columns in the attachments table.

🛑 Comments failed to post (1)

frontend/lib/api/classes/items.ts (1)

27-27: 💡 Codebase verification

Security measures need enhancement for the onlyWithoutPhoto filter

Based on the code analysis:

1. Authentication is properly implemented through token-based middleware (mwAuthToken) with role-based access control (mwRoles).
2. Parameter validation exists but is basic (simple boolean conversion).
3. No rate limiting was found in the implementation.

Security recommendations:

• Add rate limiting middleware to protect against abuse of the filtering API
• Implement input sanitization for the boolean parameter using the existing validation framework
• Consider adding logging for filter usage to detect potential abuse patterns
• Add request size limits to prevent DoS attacks through query parameter manipulation

🔗 Analysis chain

Verify security measures for the new filter.

Please ensure that appropriate security measures are in place:

1. Rate limiting for the filter API endpoint
2. Proper validation of the boolean parameter
3. Access control checks before filtering sensitive data

Let's verify the security measures:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for rate limiting middleware and access controls

# Look for rate limiting configuration
echo "Checking for rate limiting configuration..."
rg -l "rate.*limit|throttle" --type go

# Check for parameter validation
echo "Checking for parameter validation..."
ast-grep --pattern 'func $_(ItemsQuery|ItemRequest) {
  $$$
  onlyWithoutPhoto $$ {
    $$$
  }
}'

# Look for access control checks
echo "Checking for access control middleware..."
rg -l "auth.*middleware|authorize" --type go

Length of output: 610

---

Script:

#!/bin/bash
# Let's check the actual implementation of the API endpoint and middleware

# Check the API implementation for this endpoint
echo "Checking API implementation..."
rg -A 10 "onlyWithoutPhoto" 

# Check middleware implementation
echo "Checking middleware implementation..."
cat backend/app/api/middleware.go

# Check validation implementation
echo "Checking validation implementation..."
cat backend/internal/sys/validate/errors.go

# Look for rate limiting in configuration files
echo "Checking configuration files..."
fd -e yaml -e json -e toml | xargs rg "rate|limit|throttle"

Length of output: 16813

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's limits when posting large numbers of comments.

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (2)

frontend/pages/items.vue (2)

254-254: LGTM! Consider implementing rate limiting.

The search parameter is correctly added to the API call. Consider implementing rate limiting for the search API to prevent potential DoS attacks through rapid search requests.

---

390-414: Enhance accessibility for the filter options.

While the implementation is correct, consider these accessibility improvements:

1. Add aria-label attributes to the checkboxes
2. Ensure proper keyboard navigation through the dropdown
3. Add role attributes to the dropdown elements

 <div
   tabindex="0"
-  class="dropdown-content mt-1 max-h-[80vh] w-72 -translate-x-24 overflow-auto rounded-md bg-base-100 p-4 shadow"
+  class="dropdown-content mt-1 max-h-[80vh] w-72 -translate-x-24 overflow-auto rounded-md bg-base-100 p-4 shadow"
+  role="menu"
+  aria-label="Search options"
 >
   <!-- ... -->
   <label class="label mr-auto cursor-pointer">
     <input
       v-model="onlyWithoutPhoto"
       type="checkbox"
+      aria-label="Filter items without photos"
       class="toggle toggle-primary toggle-sm"
     />
     <span class="label-text ml-4 text-right"> {{ $t("items.only_without_photo") }} </span>
   </label>
   <!-- ... -->
 </div>

🛑 Comments failed to post (1)

frontend/pages/items.vue (1)

225-225: 💡 Codebase verification

URL parameters should be properly encoded to prevent XSS

The router query parameters in items.vue are not consistently encoded. While some parts of the codebase use encodeURIComponent (e.g., in label-generator.vue and PageQRCode.vue), the query parameters in items.vue are passed directly without encoding. This could potentially lead to XSS vulnerabilities through URL manipulation.

• In items.vue, add URL encoding when setting query parameters:

  router.push({
    query: {
      ...
      q: encodeURIComponent(query.value || ""),
      onlyWithoutPhoto: onlyWithoutPhoto.value ? "true" : "false",
      ...
    }
  });

🔗 Analysis chain

LGTM! Consider URL sanitization.

The router query parameter is correctly added. For additional security, consider implementing URL sanitization for all query parameters to prevent XSS via URL manipulation.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for URL sanitization implementations
rg -A 5 "sanitize|escape|encodeURI"

Length of output: 11459

---

Script:

#!/bin/bash
# Check for URL sanitization in the items.vue file
rg -A 5 "router|query|params" frontend/pages/items.vue

# Check for any existing URL sanitization utilities
fd -e ts -e js -e vue | xargs rg -l "sanitizeURL|sanitizeQuery|encodeURI"

Length of output: 3696