fix: address remaining CodeRabbit/Copilot findings on PR #3316

- Skip getMyVote API call when user is not logged in to avoid unnecessary 401s
- Use resolve() for /votes/[slug] href in dropdown to satisfy no-navigation-without-resolve
- Guard getMedianVote endpoint: require auth and verify user has voted before returning stats

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: river0525

src/features/votes/components/VotableGrade.svelte

@@ -1,14 +1,15 @@
 <script lang="ts">
   import { tick } from 'svelte';
   import { enhance } from '$app/forms';
+  import { resolve } from '$app/paths';
 
   import { Dropdown, DropdownItem, DropdownDivider } from 'flowbite-svelte';
   import Check from '@lucide/svelte/icons/check';
 
   import { TaskGrade, getTaskGrade, type TaskResult } from '$lib/types/task';
   import { getTaskGradeLabel } from '$lib/utils/task';
   import { nonPendingGrades } from '$features/votes/utils/grade_options';
-  import { SIGNUP_PAGE, LOGIN_PAGE, VOTES_PAGE } from '$lib/constants/navbar-links';
+  import { SIGNUP_PAGE, LOGIN_PAGE } from '$lib/constants/navbar-links';
   import { errorMessageStore } from '$lib/stores/error_message';
 
   import GradeLabel from '$lib/components/GradeLabel.svelte';
@@ -42,7 +43,7 @@
   let votedGrade = $state<TaskGrade | null>(null);
 
   async function onTriggerClick() {
-    if (isOpening) return;
+    if (!isLoggedIn || isOpening) return;
     isOpening = true;
     try {
       const res = await fetch(
@@ -169,7 +170,9 @@
       </DropdownItem>
     {/each}
     <DropdownDivider />
-    <DropdownItem href="{VOTES_PAGE}/{taskResult.task_id}" class="rounded-md">詳細</DropdownItem>
+    <DropdownItem href={resolve('/votes/[slug]', { slug: taskResult.task_id })} class="rounded-md"
+      >詳細</DropdownItem
+    >
   </Dropdown>
 {:else}
   <Dropdown

src/routes/problems/getMedianVote/+server.ts

@@ -1,11 +1,21 @@
 import { json, type RequestHandler } from '@sveltejs/kit';
 import { getVoteStatsByTaskId } from '$features/votes/services/vote_statistics';
+import { getVoteGrade } from '$features/votes/services/vote_grade';
 
-export const GET: RequestHandler = async ({ url }) => {
+export const GET: RequestHandler = async ({ url, locals }) => {
   const taskId = url.searchParams.get('taskId');
   if (!taskId) return json({ error: 'taskId required' }, { status: 400 });
 
+  const session = await locals.auth.validate();
+  if (!session || !session.user || !session.user.userId) {
+    return json({ error: 'unauthorized' }, { status: 401 });
+  }
+
   try {
+    // Only return vote statistics to users who have already cast a vote for this task.
+    const voteRecord = await getVoteGrade(session.user.userId, taskId);
+    if (!voteRecord.voted) return json({ grade: null });
+
     const stats = await getVoteStatsByTaskId(taskId);
     if (stats && stats.grade) return json({ grade: stats.grade });
     return json({ grade: null });