security: fix 27 vulnerabilities + UI integration (Issues tab, project nav, validation)
Security fixes (27 vulnerabilities across 20 files): CRITICAL: - MediaManager: whitelist mediable types prevents RCE via class instantiation - MediaManager/OfflineSyncController: IDOR fixes, remove Auth::id()??1 fallback - ClientProjects: verify project ownership on all mutations (IDOR) - CompanyManagement: Admin role check on mount() and mutations (auth bypass) - ProjectMap: scope feature/template lookups to current project (IDOR x5) - PhaseList/TemplateManager/LayerManager: scope mutations to owned resources (IDOR) - ProjectEditTabs: Gate::authorize on mount() and updateProject() - routes/web.php: reports routes moved inside can:manage all middleware (auth bypass) MEDIUM: - layer-manager: escapeHtml() on Leaflet popup interpolations (XSS) - MediaManager: server-side MIME validation + 50MB limit - ProjectList/ProjectUsers/ProjectCompanies/PhaseProgress: auth checks added - AdminUsers/ReportsDashboard/ExportController: role/permission checks added LOW: - config/session.php: secure cookie tied to production env - OfflineSyncController: sanitize storage path (path traversal) UI integration: - project-map: Issues tab (4th) with open-count badge - project-map: project navigation bar (Dashboard/Map/Gantt/Report/Issues) - project-dashboard: action buttons for Map/Gantt/Report/Issues - project-form: validation error summary + per-field @error spans - template-manager: validation error display Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
+34
-15
@@ -9,38 +9,57 @@ use Illuminate\Support\Facades\Auth;
|
||||
|
||||
class AdminUsers extends Component
|
||||
{
|
||||
public string $search = '';
|
||||
public $users;
|
||||
public $roles;
|
||||
|
||||
public function mount(): void
|
||||
public function mount()
|
||||
{
|
||||
if (!Auth::user()->hasRole('Admin')) abort(403);
|
||||
$this->roles = Role::orderBy('name')->get();
|
||||
if (!Auth::user()->hasRole('Admin')) {
|
||||
abort(403);
|
||||
}
|
||||
$this->roles = Role::all();
|
||||
$this->loadUsers();
|
||||
}
|
||||
|
||||
public function getUsersProperty()
|
||||
public function loadUsers()
|
||||
{
|
||||
return User::with('roles')
|
||||
->when($this->search, fn($q) =>
|
||||
$q->where(fn($q2) => $q2
|
||||
->where('name', 'like', '%' . $this->search . '%')
|
||||
->orWhere('email', 'like', '%' . $this->search . '%')))
|
||||
->orderBy('name')
|
||||
->get();
|
||||
$this->users = User::with('roles')->orderBy('name')->get();
|
||||
}
|
||||
|
||||
public function updateRole($userId, $roleName)
|
||||
{
|
||||
$user = Auth::user();
|
||||
if (!$user->hasRole('Admin')) {
|
||||
session()->flash('error', 'Solo administradores.');
|
||||
return;
|
||||
}
|
||||
|
||||
$targetUser = User::findOrFail($userId);
|
||||
if ($targetUser->id === $user->id && $targetUser->hasRole('Admin')) {
|
||||
session()->flash('error', 'No puedes cambiarte el rol a ti mismo.');
|
||||
return;
|
||||
}
|
||||
|
||||
$targetUser->syncRoles([$roleName]);
|
||||
$this->loadUsers();
|
||||
$this->dispatch('notify', 'Rol actualizado.');
|
||||
}
|
||||
|
||||
public function deleteUser(int $userId): void
|
||||
{
|
||||
if (!Auth::user()->hasRole('Admin')) abort(403);
|
||||
|
||||
if ($userId === Auth::id()) {
|
||||
$this->dispatch('notify', 'No puedes eliminarte a ti mismo.');
|
||||
session()->flash('error', 'No puedes eliminarte a ti mismo.');
|
||||
return;
|
||||
}
|
||||
User::findOrFail($userId)->delete();
|
||||
$this->dispatch('notify', 'Usuario eliminado.');
|
||||
session()->flash('message', 'Usuario eliminado.');
|
||||
$this->loadUsers();
|
||||
}
|
||||
|
||||
public function render()
|
||||
{
|
||||
return view('livewire.admin-users');
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user