fix: use $.CSRFField in dashboard template range loop (closes #146 )

Inside the {{range .AppStats}} block, the dot context is *AppStats, not the root template data. Use $ to access the root-level CSRFField added by addGlobals.
test: add failing test for CSRFField in dashboard template with apps
2026-02-26 02:55:53 -08:00 · 2026-02-26 02:55:37 -08:00
2 changed files with 20 additions and 1 deletions
--- a/internal/handlers/handlers_test.go
+++ b/internal/handlers/handlers_test.go
@@ -404,6 +404,25 @@ func TestHandleDashboard(t *testing.T) {
 		assert.Equal(t, http.StatusOK, recorder.Code)
 		assert.Contains(t, recorder.Body.String(), "Applications")
 	})
+
+	t.Run("renders dashboard with apps without CSRFField error", func(t *testing.T) {
+		t.Parallel()
+
+		testCtx := setupTestHandlers(t)
+
+		// Create an app so the range loop in dashboard.html executes,
+		// which triggers .CSRFField access on each AppStats item.
+		createTestApp(t, testCtx, "csrf-test-app")
+
+		request := httptest.NewRequest(http.MethodGet, "/", nil)
+		recorder := httptest.NewRecorder()
+
+		handler := testCtx.handlers.HandleDashboard()
+		handler.ServeHTTP(recorder, request)
+
+		assert.Equal(t, http.StatusOK, recorder.Code, "dashboard should render without template error")
+		assert.Contains(t, recorder.Body.String(), "csrf-test-app")
+	})
 }

 func TestHandleAppNew(t *testing.T) {
--- a/templates/dashboard.html
+++ b/templates/dashboard.html
@@ -69,7 +69,7 @@
                            <a href="/apps/{{.App.ID}}" class="btn-text text-sm py-1 px-2">View</a>
                            <a href="/apps/{{.App.ID}}/edit" class="btn-secondary text-sm py-1 px-2">Edit</a>
                            <form method="POST" action="/apps/{{.App.ID}}/deploy" class="inline">
-                {{ .CSRFField }}
+                {{ $.CSRFField }}
                                <button type="submit" class="btn-success text-sm py-1 px-2">Deploy</button>
                            </form>
                        </div>