javier/construprogress
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: fix 27 vulnerabilities + UI integration (Issues tab, project nav, validation)

Browse Source 
Security fixes (27 vulnerabilities across 20 files):
CRITICAL:
- MediaManager: whitelist mediable types prevents RCE via class instantiation
- MediaManager/OfflineSyncController: IDOR fixes, remove Auth::id()??1 fallback
- ClientProjects: verify project ownership on all mutations (IDOR)
- CompanyManagement: Admin role check on mount() and mutations (auth bypass)
- ProjectMap: scope feature/template lookups to current project (IDOR x5)
- PhaseList/TemplateManager/LayerManager: scope mutations to owned resources (IDOR)
- ProjectEditTabs: Gate::authorize on mount() and updateProject()
- routes/web.php: reports routes moved inside can:manage all middleware (auth bypass)

MEDIUM:
- layer-manager: escapeHtml() on Leaflet popup interpolations (XSS)
- MediaManager: server-side MIME validation + 50MB limit
- ProjectList/ProjectUsers/ProjectCompanies/PhaseProgress: auth checks added
- AdminUsers/ReportsDashboard/ExportController: role/permission checks added

LOW:
- config/session.php: secure cookie tied to production env
- OfflineSyncController: sanitize storage path (path traversal)

UI integration:
- project-map: Issues tab (4th) with open-count badge
- project-map: project navigation bar (Dashboard/Map/Gantt/Report/Issues)
- project-dashboard: action buttons for Map/Gantt/Report/Issues
- project-form: validation error summary + per-field @error spans
- template-manager: validation error display

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Javier Braña
2026-06-16 18:25:36 +02:00
parent 7d854ffb0a
commit f8a1310c0f
26 changed files with 1166 additions and 1195 deletions
Download Patch File Download Diff File Expand all files Collapse all files
resources/views/livewire/template-manager.blade.php
+38 -32
View File
@@ -1,10 +1,10 @@
<div>
<div class="bg-base-100 p-4 rounded shadow">
<div class="flex justify-between items-center mb-4">
<h2 class="text-xl font-bold">📋 {{ __('Inspection templates') }}</h2>
<h2 class="text-xl font-bold">📋 Templates de inspección</h2>
<div>
<button wire:click="newTemplate" class="btn btn-primary btn-sm">
{{ __('New template') }}
Nuevo template
</button>
</div>
</div>
@@ -21,19 +21,20 @@
{{-- Nombre del template --}}
<tr>
<td class="w-1/4 py-3 pr-4 align-top">
{{ __('Template name') }}
{{__('Template name')}}
</td>
<td class="py-3">
<input type="text" wire:model="form.name"
class="input w-full"
class="input w-full {{ $errors->has('form.name') ? 'input-error' : '' }}"
required>
@error('form.name') <span class="text-error text-xs mt-1">{{ $message }}</span> @enderror
</td>
</tr>
{{-- Descripción --}}
<tr>
<td class="w-1/4 py-3 pr-4 align-top">
{{ __('Description') }}
{{__('Descripción')}}
</td>
<td class="py-3">
<textarea wire:model="form.description" class="textarea textarea-bordered w-full" rows="2"></textarea>
@@ -43,11 +44,11 @@
{{-- Fase asociada (opcional) --}}
<tr>
<td class="w-1/4 py-3 pr-4 align-top">
{{ __('Associated phase (optional)') }}
{{__('Fase asociada (opcional)')}}
</td>
<td class="py-3">
<select wire:model="form.phase_id" class="select select-bordered w-full">
<option value="">{{ __('Global project') }}</option>
<option value="">Ninguna (global para el proyecto)</option>
@foreach($phases as $phase)
<option value="{{ $phase->id }}" {{ old('form.phase_id') == $phase->id ? 'selected' : '' }}>
{{ $phase->name }}
@@ -61,22 +62,22 @@
{{-- Campos dinámicos --}}
<div class="border-t pt-4 mt-2">
<h3 class="font-bold mb-3">{{ __('Form fields') }}</h3>
<h3 class="font-bold mb-3">Campos del formulario</h3>
@foreach($form['fields'] as $index => $field)
<div class="border p-3 rounded mb-3 bg-base-100">
{{-- Fila: nombre interno --}}
<div class="grid grid-cols-1 md:grid-cols-2 gap-4 mb-2">
<div class="font-medium">{{ __('Internal name') }}</div>
<div class="font-medium">Nombre interno</div>
<div><input type="text" wire:model="form.fields.{{ $index }}.name" placeholder="ej: altura_medida" class="input input-sm w-full"></div>
</div>
{{-- Fila: etiqueta --}}
<div class="grid grid-cols-1 md:grid-cols-2 gap-4 mb-2">
<div class="font-medium">{{ __('Visible label') }}</div>
<div class="font-medium">Etiqueta visible</div>
<div><input type="text" wire:model="form.fields.{{ $index }}.label" placeholder="ej: Altura medida (m)" class="input input-sm w-full"></div>
</div>
{{-- Fila: tipo --}}
<div class="grid grid-cols-1 md:grid-cols-2 gap-4 mb-2">
<div class="font-medium">{{ __('Field type') }}</div>
<div class="font-medium">Tipo de campo</div>
<div>
<select wire:model="form.fields.{{ $index }}.type" class="select select-sm w-full">
@foreach($fieldTypes as $typeValue => $typeLabel)
@@ -87,36 +88,43 @@
</div>
{{-- Fila: requerido y botón eliminar --}}
<div class="grid grid-cols-1 md:grid-cols-2 gap-4 mb-2">
<div class="font-medium">{{ __('Required') }}</div>
<div class="font-medium">Requerido</div>
<div class="flex justify-between items-center">
<input type="checkbox" wire:model="form.fields.{{ $index }}.required" class="checkbox checkbox-sm">
<button type="button" wire:click="removeField({{ $index }})" class="btn btn-xs btn-error">{{ __('Remove field') }}</button>
<button type="button" wire:click="removeField({{ $index }})" class="btn btn-xs btn-error">Eliminar campo</button>
</div>
</div>
{{-- Campos adicionales según tipo --}}
@if(in_array($field['type'], ['integer', 'decimal', 'percentage']))
<div class="grid grid-cols-1 md:grid-cols-2 gap-4 mb-2">
<div class="font-medium">{{ __('Min') }} / {{ __('Max') }} / {{ __('Step') }}</div>
<div class="font-medium">Mínimo / Máximo / Paso</div>
<div class="flex gap-2">
<input type="number" wire:model="form.fields.{{ $index }}.min" placeholder="{{ __('Min') }}" class="input input-xs w-20">
<input type="number" wire:model="form.fields.{{ $index }}.max" placeholder="{{ __('Max') }}" class="input input-xs w-20">
<input type="number" step="any" wire:model="form.fields.{{ $index }}.step" placeholder="{{ __('Step') }}" class="input input-xs w-20">
<input type="number" wire:model="form.fields.{{ $index }}.min" placeholder="Mín" class="input input-xs w-20">
<input type="number" wire:model="form.fields.{{ $index }}.max" placeholder="Máx" class="input input-xs w-20">
<input type="number" step="any" wire:model="form.fields.{{ $index }}.step" placeholder="Paso" class="input input-xs w-20">
</div>
</div>
@elseif($field['type'] === 'select')
<div class="grid grid-cols-1 md:grid-cols-2 gap-4 mb-2">
<div class="font-medium">{{ __('Options (comma separated)') }}</div>
<div class="font-medium">Opciones (separadas por coma)</div>
<div><input type="text" wire:model="form.fields.{{ $index }}.options" placeholder="ej: Bueno,Regular,Malo" class="input input-sm w-full"></div>
</div>
@endif
</div>
@endforeach
<button type="button" wire:click="addField" class="btn btn-sm btn-secondary mt-2">+ {{ __('Add field') }}</button>
<button type="button" wire:click="addField" class="btn btn-sm btn-secondary mt-2">+ Agregar campo</button>
</div>
@if($errors->any())
<div class="alert alert-error text-sm mt-3">
<ul class="list-disc pl-3 space-y-0.5">
@foreach($errors->all() as $e) <li>{{ $e }}</li> @endforeach
</ul>
</div>
@endif
<div class="flex gap-2 mt-4">
<button type="submit" class="btn btn-primary">{{ $editingTemplate ? __('Update') : __('Save template') }}</button>
<button type="submit" class="btn btn-primary">{{ __('Save template') }}</button>
<button type="button" wire:click="cancelForm" class="btn">{{ __('Cancel') }}</button>
</div>
</form>
@@ -127,11 +135,11 @@
<table class="table table-zebra">
<thead>
<tr>
<th>{{ __('Name') }}</th>
<th>{{ __('Description') }}</th>
<th>{{ __('Phase') }}</th>
<th>{{ __('Fields') }}</th>
<th>{{ __('Actions') }}</th>
<th>Nombre</th>
<th>Descripción</th>
<th>Fase</th>
<th>Campos</th>
<th>Acciones</th>
</tr>
</thead>
<tbody>
@@ -139,24 +147,22 @@
<tr>
<td>{{ $template->name }}</td>
<td>{{ $template->description ?? '-' }}</td>
<td>{{ $template->phase ? $template->phase->name : __('Global project') }}</td>
<td>{{ $template->phase ? $template->phase->name : 'Global' }}</td>
<td>{{ count($template->fields) }}</td>
<td>
<button wire:click="editTemplate({{ $template->id }})" class="btn btn-xs btn-warning">
{{ __('Edit') }}
Editar
</button>
<button wire:click="deleteTemplate({{ $template->id }})"
wire:confirm="{{ __('Delete template confirmation') }}"
class="btn btn-xs btn-error">{{ __('Delete') }}</button>
<button wire:click="deleteTemplate({{ $template->id }})" class="btn btn-xs btn-error" onclick="return confirm('¿Eliminar template?')">Eliminar</button>
</td>
</tr>
@empty
<tr>
<td colspan="5" class="text-center">{{ __('No templates yet (table)') }}</td>
<td colspan="5" class="text-center">No hay templates creados. Presiona "Nuevo template" para comenzar.</td>
</tr>
@endforelse
</tbody>
</table>
</div>
</div>
</div>
</div>