T

javier f8a1310c0f security: fix 27 vulnerabilities + UI integration (Issues tab, project nav, validation)

Security fixes (27 vulnerabilities across 20 files):
CRITICAL:
- MediaManager: whitelist mediable types prevents RCE via class instantiation
- MediaManager/OfflineSyncController: IDOR fixes, remove Auth::id()??1 fallback
- ClientProjects: verify project ownership on all mutations (IDOR)
- CompanyManagement: Admin role check on mount() and mutations (auth bypass)
- ProjectMap: scope feature/template lookups to current project (IDOR x5)
- PhaseList/TemplateManager/LayerManager: scope mutations to owned resources (IDOR)
- ProjectEditTabs: Gate::authorize on mount() and updateProject()
- routes/web.php: reports routes moved inside can:manage all middleware (auth bypass)

MEDIUM:
- layer-manager: escapeHtml() on Leaflet popup interpolations (XSS)
- MediaManager: server-side MIME validation + 50MB limit
- ProjectList/ProjectUsers/ProjectCompanies/PhaseProgress: auth checks added
- AdminUsers/ReportsDashboard/ExportController: role/permission checks added

LOW:
- config/session.php: secure cookie tied to production env
- OfflineSyncController: sanitize storage path (path traversal)

UI integration:
- project-map: Issues tab (4th) with open-count badge
- project-map: project navigation bar (Dashboard/Map/Gantt/Report/Issues)
- project-dashboard: action buttons for Map/Gantt/Report/Issues
- project-form: validation error summary + per-field @error spans
- template-manager: validation error display

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-06-16 18:25:36 +02:00

app

security: fix 27 vulnerabilities + UI integration (Issues tab, project nav, validation)

2026-06-16 18:25:36 +02:00

bootstrap

Sistema multilingüe EN/ES: middleware SetLocale, LanguageSwitcher, campo locale en users, traducciones en dashboard/mapa/proyectos/gestores

2026-05-09 23:14:48 +02:00

config

security: fix 27 vulnerabilities + UI integration (Issues tab, project nav, validation)

2026-06-16 18:25:36 +02:00

database

feat: i18n, language switcher fix, DataTable improvements, blade translations

2026-06-16 18:05:53 +02:00

lang

security: fix 27 vulnerabilities + UI integration (Issues tab, project nav, validation)

2026-06-16 18:25:36 +02:00

public

feat: Enhance PWA with advanced service worker (network-first strategy), background sync, and push notifications

2026-05-25 16:35:55 +02:00

resources

security: fix 27 vulnerabilities + UI integration (Issues tab, project nav, validation)

2026-06-16 18:25:36 +02:00

routes

security: fix 27 vulnerabilities + UI integration (Issues tab, project nav, validation)

2026-06-16 18:25:36 +02:00

storage

Initial commit - construprogress app

2026-05-07 23:31:33 +02:00

tests

Initial commit - construprogress app

2026-05-07 23:31:33 +02:00

.editorconfig

Initial commit - construprogress app

2026-05-07 23:31:33 +02:00

.env.example

Initial commit - construprogress app

2026-05-07 23:31:33 +02:00

.gitattributes

Initial commit - construprogress app

2026-05-07 23:31:33 +02:00

.gitignore

feat: i18n, language switcher fix, DataTable improvements, blade translations

2026-06-16 18:05:53 +02:00

artisan

Initial commit - construprogress app

2026-05-07 23:31:33 +02:00

composer.json

feat: Add Excel export functionality for reports (projects, phases, inspections) using maatwebsite/excel

2026-05-25 17:21:25 +02:00

composer.lock

feat: Add Excel export functionality for reports (projects, phases, inspections) using maatwebsite/excel

2026-05-25 17:21:25 +02:00

package-lock.json

Fix: Capas desaparecen al deseleccionar en mapa principal - corregir manejo de parámetros Livewire en event listener layersUpdated; actualizar configuración Tailwind para DaisyUI

2026-05-11 11:54:19 +02:00

package.json

Initial commit - construprogress app

2026-05-07 23:31:33 +02:00

phpunit.xml

Initial commit - construprogress app

2026-05-07 23:31:33 +02:00

postcss.config.js

Initial commit - construprogress app

2026-05-07 23:31:33 +02:00

README.md

feat: Add reports dashboard with Chart.js analytics and PWA improvements (Avante)

2026-05-25 14:38:49 +02:00

tailwind.config.js

Fix: Capas desaparecen al deseleccionar en mapa principal - corregir manejo de parámetros Livewire en event listener layersUpdated; actualizar configuración Tailwind para DaisyUI

2026-05-11 11:54:19 +02:00

vite.config.js

Initial commit - construprogress app

2026-05-07 23:31:33 +02:00

README.md

Avante

Sistema de gestión de proyectos de construcción con mapas interactivos, control de progreso, inspecciones y soporte offline.

Características

Mapas interactivos — Visualización de proyectos sobre mapa con capas (GeoJSON/KML) y elementos editables
Gestión de fases — Proyectos organizados en fases con progreso porcentual y seguimiento histórico
Capas y elementos — Subida de archivos GeoJSON/KML, capas vacías editables con color personalizado
Inspecciones — Plantillas de inspección por proyecto, asignables a elementos del mapa
Progreso — Seguimiento visual del progreso por fase y global del proyecto
Sincronización offline — Endpoints para trabajadores en campo, sincronización diferida
Permisos — Roles y permisos granulares (Spatie Permission)
Dashboard — Estadísticas globales, proyectos recientes, inspecciones

Requisitos

PHP 8.2+
MySQL/MariaDB
Composer
Node.js + NPM

Instalación

git clone <repo-url> construprogress
cd construprogress
composer install
npm install && npm run build
cp .env.example .env
# Editar .env con credenciales de base de datos
php artisan key:generate
php artisan migrate
php artisan db:seed --class=RolePermissionSeeder  # si existe
php artisan serve

Stack técnico

Framework: Laravel 11
Frontend: Tailwind CSS + DaisyUI + Leaflet.js
Mapas: Leaflet + Leaflet Draw (editor gráfico)
Componentes: Livewire 3
Base de datos: MySQL/MariaDB
Autenticación: Laravel Breeze