# CC Soccer D11 - Session Handoff
**Date:** March 18, 2026
**Session:** Mobile fixes — group management, order detail, cart, nav; My Account link; order detail back button
**Branch:** `main`

## Last Updated
2026-03-18 (session 5 — mobile fixes)

## Current State

### Completed this session (March 18, 2026)

#### Mobile fixes — 5 issues

**1. Manage Group — Pending invites table overflow**
- Both `.roster-table` and `.invitations-table` now collapse to labeled card rows at ≤640px
- `data-label` attributes added to all `<td>` elements in `ccsoccer-group-manage.html.twig`
- Files: `css/group-management.css`, `templates/ccsoccer-group-manage.html.twig`

**2. Order detail — long product name pushes wide**
- Added `overflow-wrap: break-word` + `word-break: break-word` + `min-width: 0` to `.order-information table.cols-4 td.views-field-purchased-entity`
- File: `themes/ccsoccer_theme/css/user-pages.css`

**3. Cart — line details push wide**
- Same word-break fix on `.view-commerce-cart-form .views-form td.views-field-purchased-entity`
- File: `css/checkout.css`

**4. Register button invisible on mobile when on /register page**
- `.is-active` class (same specificity, later in source) was winning with `background: none`
- Fix: re-assert `background: var(--color-primary) !important` for both normal and `.is-active` states in mobile block
- File: `themes/ccsoccer_theme/css/navigation.css`

**5. My Account not tappable on mobile**
- `pointer-events: none` was left on the first account menu item from desktop dropdown logic
- Removed it in the mobile block
- File: `themes/ccsoccer_theme/css/navigation.css`

#### My Account link → /my-account
- Added override at top of existing `ccsoccer_menu_links_discovered_alter()` to redirect `user.account_menu_link` from `/user/{uid}` to `ccsoccer.my_account` (`/my-account`)
- File: `ccsoccer.module`

#### Order detail — Back to My Orders button
- `ccsoccer_preprocess_page()` injects `back_to_orders_url` variable on `entity.commerce_order.user_view` route
- `page.html.twig` renders a `button--primary-soft` back link before `page.content` when variable is set
- Files: `ccsoccer.module`, `themes/ccsoccer_theme/templates/page.html.twig`, `themes/ccsoccer_theme/css/user-pages.css`

---

### Completed previous session (March 16, 2026 — Andrew: security hardening)

#### Available Registrations page (`/register`) — four fixes

**1. Page title / section heading text**
- Route title: `Register for Season` → `Available Registrations`
- Section heading: `Available Seasons` → `Leagues`
- Section heading: `Available Tournaments` → `Tournaments`

**2. Cache tags — new seasons/tournaments now show without manual cache clear**
- Root cause: cache tags were built only from already-loaded entities, so a brand-new season had no tag to trigger invalidation
- Fix: added `entity_list:season` and `entity_list:tournament` to `$build['#cache']['tags']`
- Drupal automatically invalidates these list tags whenever any entity of that type is created/updated/deleted

**3. Empty state message**
- When no seasons or tournaments are visible to the current user, shows: "There are no registrations available at this time. Check back soon!"
- Filter-aware: when a filter pill (Coed / Men's / Tournaments) is active, the empty state checks only the available arrays for that filter, so registrations in other categories don't suppress the message

**4. Admin eligibility bypass in `userMeetsSeasonRequirements()`**
- Root cause: admins/board members without a fully completed profile (e.g. gender not set) had men's 35+ seasons silently hidden as `ineligible`
- Fix: users with `administer ccsoccer` or `manage seasons` permission now skip age/gender checks entirely
- Regular players are still subject to normal eligibility filtering
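Added example (not the project's own controller) showing how the permission-gated bypass in `userMeetsSeasonRequirements()` and the `entity_list` cache tags from fixes 2 and 4 fit together; the class name, theme hook, field names and the `coed` value are assumptions, while the permission strings and tag names are the ones above.

```php
<?php
// Added example, not the project's own code: how the permission bypass in
// userMeetsSeasonRequirements() and the entity_list cache tags fit together.
// Class name, theme hook and field names/values are assumptions; the
// permission strings and tag names are the ones from the notes above.
namespace Drupal\ccsoccer\Controller;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
class AvailableRegistrationsController extends ControllerBase {
  public function page(): array {
    $account = $this->currentUser();
    $seasons = $this->entityTypeManager()->getStorage('season')
      ->loadByProperties(['status' => 1]);
    $visible = array_filter($seasons,
      fn(EntityInterface $s) => $this->userMeetsSeasonRequirements($s, $account));
    return [
      '#theme' => 'ccsoccer_available_registrations',
      '#seasons' => array_values($visible),
      '#cache' => [
        // Filtered per account, so the render cache must vary by user or
        // one player's filtered list would be served to another.
        'contexts' => ['user'],
        // List tags are invalidated on any create/update/delete of the
        // type, so a brand-new season clears this page automatically.
        'tags' => ['entity_list:season', 'entity_list:tournament'],
      ],
    ];
  }
  protected function userMeetsSeasonRequirements(EntityInterface $season, AccountInterface $account): bool {
    // Bypass keyed to explicit permissions (not role names or uid 1) so it
    // stays auditable on the permissions page; regular players fall through.
    if ($account->hasPermission('administer ccsoccer') || $account->hasPermission('manage seasons')) {
      return TRUE;
    }
    $user = $this->entityTypeManager()->getStorage('user')->load($account->id());
    $gender = $user->get('field_gender')->value;          // assumed field
    $dob = $user->get('field_date_of_birth')->value;      // assumed field
    $required = $season->get('field_gender')->value;      // assumed field
    $minAge = (int) $season->get('field_min_age')->value; // assumed field
    // An incomplete profile (no gender or birth date) stays ineligible for
    // regular players; this is the case that used to hide seasons from admins.
    if ($gender === NULL || $dob === NULL
      || ($required !== NULL && $required !== 'coed' && $required !== $gender)) {
      return FALSE;
    }
    return (new \DateTime($dob))->diff(new \DateTime('today'))->y >= $minAge;
  }
}
```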

---

## Files Changed This Session
- `web/modules/custom/ccsoccer/ccsoccer.module` (menu link override, preprocess_page back button)
- `web/modules/custom/ccsoccer/css/group-management.css` (mobile card layout)
- `web/modules/custom/ccsoccer/css/checkout.css` (word-break on cart item column)
- `web/modules/custom/ccsoccer/templates/ccsoccer-group-manage.html.twig` (data-label attributes)
- `web/themes/custom/ccsoccer_theme/css/navigation.css` (register button active fix, pointer-events fix)
- `web/themes/custom/ccsoccer_theme/css/user-pages.css` (word-break on order item column, page-back-nav)
- `web/themes/custom/ccsoccer_theme/templates/page.html.twig` (back to orders button)

---

## Deploy Notes
Standard deploy — no new PHP classes, no composer changes needed:
```bash
cd ~/public_html/test_ccsoccer_site
git pull
PATH=/opt/cpanel/ea-php83/root/usr/bin:$PATH /opt/cpanel/ea-php83/root/usr/bin/php vendor/drush/drush/drush.php -r web cr
```

---

## Remaining Work

### Page cleanup in progress
- [ ] My Profile edit page — field/layout tweaks (jersey size review, width/layout)
- [ ] Address book page — CSS styling
- [ ] Payment methods page — CSS styling
- [ ] Credits (Admin) page — dark table header needs token-based styling
- [ ] Order detail page — further polish (time format, quantity shows 1.00 not 1)
- [ ] Purchase Jerseys — node edit (remove duplicate h2, add jersey set description + photo)
- [ ] Product catalog exploration — assess Commerce out-of-box before customizing

### Width/layout pass (batch fix)
Pages that are full-width and should be ~60% constrained:
- [ ] User edit form
- [ ] Address book
- [ ] Payment methods
- [ ] Order detail (partially done — customer-information/order-information constrained)

### Button methodology pass (after all pages on custom theme)
- Formalize 3-tier system: primary red / primary-soft navigation / white informational
- Audit all button usages across templates and CSS files

### Content
- [ ] Add description to 2026 Summer Cup tournament entity

### Inner Page Styling
- [ ] Credits page (player)
- [ ] Purchase Jerseys page

### Forms
- [ ] Registration form inputs, buttons, visual styling

### Navigation / Mobile
- [ ] Re-add Tournament Schedule to main nav

### Notifications
- [ ] "Don't send to already registered" logic
- [ ] Automated reminders (6/4/2/1 week intervals)

### Security Hardening (Before Production)

**Completed (March 16, 2026):**
- [x] Add `X-CSRF-Token` headers to all AJAX POST requests in JS files (8 files: player-skill, season-players, notification-confirm, tournament-teams, roster-builder, tournament-roster-builder, schedule-builder, tournament-schedule-builder)
- [x] Add controller-level access checks to all AJAX endpoints that modify user data (8 controllers: PlayerAdminController, PlayerSkillController, TournamentTeamsController, RosterBuilderController, TournamentRosterBuilderController, ScheduleController, TournamentScheduleController, NotificationController)
- [x] Replace `innerHTML` with safe DOM methods in JS files handling user-controlled data (group-management, schedule-builder, tournament-roster-builder, tournament-schedule-builder)
- [x] Add rate limiting (Drupal flood control) to player-facing endpoints (GroupController: userSearch, invite, nudge)
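Added example (not the project's `GroupController`) of one player-facing AJAX endpoint carrying the controls from the list above: the route requirement that enforces the `X-CSRF-Token` header, a controller-level access check, and flood control, plus the generic error response asked for in Finding #12. The route definition, thresholds, entity type and group access semantics are assumptions.

```php
<?php
// Added example, not the project's GroupController: a player-facing AJAX endpoint with
// CSRF header check, controller-level access check, flood control and the Finding #12
// generic error response. Route, limits and group access semantics are assumptions.
namespace Drupal\ccsoccer\Controller;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Flood\FloodInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
// Matching route (assumed); _csrf_request_header_token is the requirement that
// makes the X-CSRF-Token header (fetched by the JS from /session/token) mandatory:
//   ccsoccer.group.user_search:
//     path: '/group/{group}/user-search'
//     defaults: { _controller: '\Drupal\ccsoccer\Controller\GroupController::userSearch' }
//     methods: [POST]
//     options: { parameters: { group: { type: 'entity:ccsoccer_group' } } }
//     requirements: { _user_is_logged_in: 'TRUE', _csrf_request_header_token: 'TRUE' }
class GroupController extends ControllerBase {
  public function __construct(protected FloodInterface $flood) {}
  public static function create(ContainerInterface $container): static {
    return new static($container->get('flood'));
  }
  public function userSearch(Request $request, EntityInterface $group): JsonResponse {
    // Re-check access in the controller, not only in routing: only someone
    // who may edit the group can search for invitees. Generic 403 body.
    if (!$group->access('update', $this->currentUser())) {
      return new JsonResponse(['error' => 'Access denied.'], 403);
    }
    // Flood control keyed to the account: at most 30 searches per 60 seconds.
    $uid = (string) $this->currentUser()->id();
    if (!$this->flood->isAllowed('ccsoccer.user_search', 30, 60, $uid)) {
      return new JsonResponse(['error' => 'Too many requests.'], 429);
    }
    $this->flood->register('ccsoccer.user_search', 60, $uid);
    try {
      $term = mb_substr(trim((string) $request->request->get('q', '')), 0, 64);
      $ids = $this->entityTypeManager()->getStorage('user')->getQuery()
        ->accessCheck(TRUE)->condition('status', 1)
        ->condition('name', $term, 'STARTS_WITH')->range(0, 10)->execute();
      return new JsonResponse(['uids' => array_values($ids)]);
    }
    catch (\Throwable $e) {
      // Finding #12: log the detail server-side, return only a generic message.
      $this->getLogger('ccsoccer')->error('userSearch failed: @m', ['@m' => $e->getMessage()]);
      return new JsonResponse(['error' => 'Search failed.'], 500);
    }
  }
}
```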

**Still needed (code fixes — future sessions):**
- [ ] Remove inline JS event handler in `ReportController.php`; use Drupal behaviors *(Finding #8 — HIGH)*
- [ ] Sanitize "reason" text before storage in `TournamentDepositForfeitForm.php` and `TournamentDepositRefundForm.php` *(Finding #11 — MEDIUM)*
- [ ] Replace `$e->getMessage()` in JSON responses with generic error messages; log details server-side *(Finding #12 — MEDIUM)*
- [ ] Standardize HTML escaping in render arrays using `Html::escape()` *(Finding #15 — MEDIUM)*
- [ ] Validate entity access on `clone_from` parameter in `SeasonForm.php` and `TournamentForm.php` *(Finding #16 — LOW)*

**Production deployment (do at launch):**
- [ ] **Delete `ccsoccer-d11-migrated-200users.sql` from the repository** *(Finding #2 — do this now)*
- [ ] Remove/rotate Authorize.net API credentials from version control; move to environment variables or `settings.local.php` config overrides *(Finding #1)*
- [ ] Set a strong `hash_salt` value in production `settings.local.php` *(Finding #3)*
- [ ] Disable and uninstall the Devel module for production (`drush pm:uninstall devel devel_generate`) *(Finding #9)*
- [ ] Configure `trusted_host_patterns` in `settings.local.php` — do this now on test (`'^test\.ccsoccer\.com$'`), then again on production (`'^ccsoccer\.com$'`, `'^www\.ccsoccer\.com$'`) *(Finding #4)*
- [ ] Verify `development.services.yml` is NOT loaded in production *(Finding #10)*
- [ ] Add Content Security Policy headers (start with report-only mode) *(Finding #14)*
- [ ] See `CC_Soccer_Security_Assessment_2026_03_16.md` for full details on all 16 findings
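Added example (not the project's `settings.local.php`) of the production overrides for Findings #1, #3, #4 and #10 in one place; the environment variable names and the Authorize.net gateway config key are assumptions, the host patterns are the ones listed above.

```php
<?php
// Added example, not the project's settings.local.php: the production
// overrides for Findings #1, #3, #4 and #10 from the list above. The
// environment variable names and the Authorize.net gateway config key are
// assumptions; the host patterns come from the notes.

// Finding #4: requests whose Host header matches neither pattern are
// rejected by core, which blocks HTTP Host header attacks on generated URLs.
// The test server uses '^test\.ccsoccer\.com$' instead of these two.
$settings['trusted_host_patterns'] = [
  '^ccsoccer\.com$',
  '^www\.ccsoccer\.com$',
];

// Finding #3: per-site salt kept out of the repository. Core throws a
// RuntimeException the first time an empty hash_salt is used, so a missing
// variable fails loudly instead of silently weakening tokens and one-time links.
$settings['hash_salt'] = getenv('DRUPAL_HASH_SALT') ?: '';

// Finding #1: Authorize.net credentials supplied by the environment.
// $config overrides win over exported YAML, so the committed config can hold
// placeholders. The gateway machine name 'authorize_net' is assumed.
$gateway = 'commerce_payment.commerce_payment_gateway.authorize_net';
$config[$gateway]['configuration']['api_login'] = getenv('AUTHNET_API_LOGIN_ID');
$config[$gateway]['configuration']['transaction_key'] = getenv('AUTHNET_TRANSACTION_KEY');

// Finding #10: do NOT add development.services.yml to container_yamls in the
// production copy; the line below belongs only in a local development copy.
// $settings['container_yamls'][] = DRUPAL_ROOT . '/sites/development.services.yml';
```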

### Deployment Prep
- [ ] Enable reCAPTCHA on registration form
- [ ] Self-host Inter font
- [ ] Enable CSS/JS aggregation on test + production before launch
- [ ] Final mobile/browser testing
- [ ] Remove IP whitelist block from production `.htaccess`
- [ ] Decide canonical domain (www vs non-www)
- [ ] Confirm HTTPS redirect handling

### Small Items
- [ ] Breadcrumbs
- [ ] Game status: only show ON/CANCELLED after 3pm
- [ ] Contact page
- [ ] Social links (placeholder #)
- [ ] Hero width (full bleed)
- [ ] Password reset flow for migrated users
- [ ] Fix contextual theme stale database reference
- [ ] Fix Commerce config import loop
- [ ] CSS consolidation pass (33 CSS files — replace hardcoded hex/px with tokens)

---

## Test Server .htaccess (IP Whitelist)

Not in git — protected via `skip-worktree`. If ever lost:

```apache
# IP Whitelist - Test server only (DO NOT commit to git)
# Caleb/Layne: 68.249.41.9 | Andrew: 35.151.50.130 | Dave: 99.8.107.54 | Haley: 97.84.70.141
Require ip 68.249.41.9 35.151.50.130 99.8.107.54 97.84.70.141

<IfModule mod_headers.c>
  Header set X-Robots-Tag "noindex, nofollow, noarchive"
</IfModule>
```

```bash
git update-index --skip-worktree web/.htaccess
```

---

## Server Quick Reference
```bash
cd ~/public_html/test_ccsoccer_site
git pull

# If new PHP classes added:
PATH=/opt/cpanel/ea-php83/root/usr/bin:$PATH /opt/cpanel/ea-php83/root/usr/bin/php /opt/cpanel/composer/bin/composer dump-autoload

# If composer.lock changed:
PATH=/opt/cpanel/ea-php83/root/usr/bin:$PATH /opt/cpanel/ea-php83/root/usr/bin/php /opt/cpanel/composer/bin/composer install --ignore-platform-req=ext-intl

# Standard post-pull:
PATH=/opt/cpanel/ea-php83/root/usr/bin:$PATH /opt/cpanel/ea-php83/root/usr/bin/php vendor/drush/drush/drush.php -r web updb -y
PATH=/opt/cpanel/ea-php83/root/usr/bin:$PATH /opt/cpanel/ea-php83/root/usr/bin/php vendor/drush/drush/drush.php -r web cr
```

## Git Workflow
- Always `git pull` before `git push` — Andrew may have pushed changes
- `main` is the primary branch
- `settings.local.php` is NOT in git — never commit it
