fix(avatar) : address review findings — security and UX fixes

- Use getMimeType() instead of getClientMimeType() to prevent MIME spoofing - Change IsGranted to IS_AUTHENTICATED_FULLY so ROLE_CLIENT can access avatars - Remove Groups from avatarFileName (only avatarUrl needed by frontend) - Disable aggressive caching to prevent stale avatar images - Add error handling to avatar upload in profile page - Use i18n for "Mon profil" button text Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 22:02:27 +01:00
parent afd4baed92
commit a5144443a4
4 changed files with 12 additions and 9 deletions
--- a/frontend/components/ui/AppTopNav.vue
+++ b/frontend/components/ui/AppTopNav.vue
@@ -19,7 +19,7 @@
              class="block w-full px-3 py-2 text-left hover:bg-neutral-100"
              @click="navigateTo('/profile')"
            >
-              Mon profil
+              {{ $t('profile.title') }}
            </button>
            <button
              type="button"
--- a/frontend/pages/profile.vue
+++ b/frontend/pages/profile.vue
@@ -67,8 +67,12 @@ async function onCrop(blob: Blob) {
    selectedFile.value = null
    if (!auth.user) return

-    await upload(auth.user.id, blob)
-    await auth.refreshUser()
+    try {
+        await upload(auth.user.id, blob)
+        await auth.refreshUser()
+    } catch {
+        // Upload error — $fetch will throw on non-2xx
+    }
 }

 async function onRemove() {