Patrick Bass Area: Files, photos, gallery, ansi (audit p5) · Surface: /photos/album/{id} (album detail + lightbox) · Dimension: native-dialogs · Severity: major
Multiple native confirm()/alert() calls across the per-tile delete, lightbox delete, share-to-feed, and photo-tagging paths. All are banned by the Engineering Law and have ready replacements (App.modal.confirm for the destructive confirms, App.toast for the error notices). Native dialogs ignore the theme, are unstyled, and degrade the polished lightbox experience the rest of the file works hard to build.
Evidence
platform/templates/photos/album.php:661 `if (!confirm('Delete this photo? This removes it from the album.')) return;`; :670/:673 `alert('Could not delete the photo.')` / `alert('Network error.')`; :1131 `if (!confirm('Delete this photo? ... permanently.')) return;`; :983 `alert((d && (d.message||d.error)) || 'Could not share photo.')`; :987 `alert('Network error sharing photo.')`; :1348/:1360 tag-error `alert(...)`. App.modal.confirm + App.toast already exist (public/js/app.min.js:17, :12).Suggested fix. Swap the two delete confirm() calls for App.modal.confirm('Delete photo', '...', onConfirm). Replace every alert() with App.toast(msg, 'error'). Keep the existing fetch logic in the onConfirm callback.
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus
