fix(layouts): guard appshell header/footer data stores behind account_id

element_data_store fires its load trigger as soon as api_ready is true,
with no check for account_id. In the IDAA iframe flow, the outer layout
mounts before Novi UUID verification completes, so the footer fetch fires
with no x-account-id header and gets a 403.

Wrap the IDAA outer layout footer in {#if $ae_loc.account_id} so it only
loads once the member's identity is established. Apply the same guard to
the events layout header and footer for consistency.

Journals was already safe (data stores are inside the trusted_access gate).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Scott Idem
2026-05-19 11:17:24 -04:00
parent ccacdc3f4b
commit 8850db89c6
2 changed files with 16 additions and 10 deletions

@@ -251,7 +251,7 @@ function clear_sess() {
class="mx-1 inline-block text-gray-500 dark:text-gray-400" />
<abbr title="Aether - Events Module" class="text-gray-500 dark:text-gray-400 font-semibold"> Æ Events </abbr>
</span>
{#if !$ae_sess?.disable_sys_header}
{#if !$ae_sess?.disable_sys_header && $ae_loc.account_id}
<Element_data_store
ds_code="hub__site__appshell_header"
ds_type="html" />
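
Review bot: the new header condition reads `$ae_loc.account_id` without optional chaining, while the same expression guards `$ae_sess` with `?.`. If `$ae_loc` can be null or undefined during early mount, this throws during render instead of simply skipping the header. Suggest `{#if !$ae_sess?.disable_sys_header && $ae_loc?.account_id}`; the same applies to the footer condition in the next hunk.
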
@@ -364,7 +364,7 @@ function clear_sess() {
</button>
</div>
{#if !$ae_sess?.disable_sys_footer}
{#if !$ae_sess?.disable_sys_footer && $ae_loc.account_id}
<footer
class:hidden={yTop > 300}
class:opacity-80={yTop < 250}
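
Review bot: the guard on the `{#if !$ae_sess?.disable_sys_footer && $ae_loc.account_id}` line wraps the whole `<footer>` element, so the entire events footer is withheld until `account_id` is set, not only the data-store fetch. The commit message applies this "for consistency" rather than for a 403 observed in this layout, so please confirm nothing in this footer needs to render for a visitor without an account_id, or move the guard inward so it wraps only the Element_data_store. A short WHY comment like the one added in the IDAA layout would also help here.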

@@ -377,14 +377,20 @@ $effect(() => {
</section>
<!-- The footer for the IDAA section of the site -->
<section
class="module_footer footer_content lg:text-md xl:text-md flex min-h-7 px-1 py-0.5 text-sm text-slate-400 transition hover:text-slate-800 sm:text-sm 2xl:text-lg"
class:ae_debug={$ae_loc?.debug}>
<Element_data_store
ds_code="hub__site__appshell_footer"
ds_type="html"
class_li="grow flex flex-row justify-between" />
</section>
<!-- WHY the account_id guard: the outer IDAA layout renders before the inner (idaa) layout
completes Novi UUID verification. Without it, element_data_store fires immediately with
no account_id in the headers → 403. The footer is IDAA-specific content so it should
only load once the member's identity is established. -->
{#if $ae_loc.account_id}
<section
class="module_footer footer_content lg:text-md xl:text-md flex min-h-7 px-1 py-0.5 text-sm text-slate-400 transition hover:text-slate-800 sm:text-sm 2xl:text-lg"
class:ae_debug={$ae_loc?.debug}>
<Element_data_store
ds_code="hub__site__appshell_footer"
ds_type="html"
class_li="grow flex flex-row justify-between" />
</section>
{/if}
</div>
<!-- </AppShell> -->
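
Review bot: the guard sits at this call site, but the WHY comment itself says element_data_store fires immediately with no account_id, so any other `<Element_data_store>` mounted before verification will hit the same 403. Consider adding the account_id check to the component's load trigger, next to the api_ready check the commit message mentions, so the fetch cannot be issued without an x-account-id header regardless of where it is mounted. Also, `{#if $ae_loc.account_id}` only tests that a value is present, while the comment promises "once the member's identity is established"; if account_id can be set before Novi UUID verification completes, the condition should test the verification state instead, as the trusted_access gate does for Journals.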