restore: bring back f8a1310 (security review) state

Restores all files to the f8a1310 security-review snapshot as requested, plus the 2 boot-critical fixes from a24c8a2 (config/session.php env() instead of app()->environment(), and removal of the duplicate $activeTab in ProjectMap.php) so the application actually boots. Forward commit, no history rewrite. The 7d854ff state remains in history. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 10:36:44 +02:00
parent c44958ac16
commit 941dbd5997
26 changed files with 1163 additions and 1196 deletions
@@ -20,10 +20,11 @@ class User extends Authenticatable
     * @var list<string>
     */
    protected $fillable = [
-        'name', 'title', 'first_name', 'last_name',
-        'email', 'password',
-        'status', 'valid_from', 'valid_until',
-        'company_id', 'phone', 'address', 'notes',
+        'name',
+        'email',
+        'password', // Intentionally kept: required for registration factory and seeding.
+                    // Sensitive — never pass unvalidated user input directly.
+                    // email_verified_at and remember_token are intentionally excluded.
    ];

    /**
@@ -45,16 +46,9 @@ class User extends Authenticatable
    {
        return [
            'email_verified_at' => 'datetime',
-            'password'          => 'hashed',
-            'valid_from'        => 'date',
-            'valid_until'       => 'date',
+            'password' => 'hashed',
        ];
    }
-
-    public function company()
-    {
-        return $this->belongsTo(\App\Models\Company::class);
-    }
    // Many-to-many with projects
    public function projects()
    {