javier
f8a1310c0f
Security fixes (27 vulnerabilities across 20 files): CRITICAL: - MediaManager: whitelist mediable types prevents RCE via class instantiation - MediaManager/OfflineSyncController: IDOR fixes, remove Auth::id()??1 fallback - ClientProjects: verify project ownership on all mutations (IDOR) - CompanyManagement: Admin role check on mount() and mutations (auth bypass) - ProjectMap: scope feature/template lookups to current project (IDOR x5) - PhaseList/TemplateManager/LayerManager: scope mutations to owned resources (IDOR) - ProjectEditTabs: Gate::authorize on mount() and updateProject() - routes/web.php: reports routes moved inside can:manage all middleware (auth bypass) MEDIUM: - layer-manager: escapeHtml() on Leaflet popup interpolations (XSS) - MediaManager: server-side MIME validation + 50MB limit - ProjectList/ProjectUsers/ProjectCompanies/PhaseProgress: auth checks added - AdminUsers/ReportsDashboard/ExportController: role/permission checks added LOW: - config/session.php: secure cookie tied to production env - OfflineSyncController: sanitize storage path (path traversal) UI integration: - project-map: Issues tab (4th) with open-count badge - project-map: project navigation bar (Dashboard/Map/Gantt/Report/Issues) - project-dashboard: action buttons for Map/Gantt/Report/Issues - project-form: validation error summary + per-field @error spans - template-manager: validation error display Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
50 lines
1.4 KiB
PHP
50 lines
1.4 KiB
PHP
<?php
|
|
|
|
namespace App\Livewire;
|
|
|
|
use Livewire\Component;
|
|
use App\Models\Phase;
|
|
use Illuminate\Support\Facades\Auth;
|
|
|
|
class PhaseProgress extends Component
|
|
{
|
|
public Phase $phase;
|
|
public $progress;
|
|
public $comment = '';
|
|
|
|
public function mount(Phase $phase)
|
|
{
|
|
$user = Auth::user();
|
|
if (!$user->hasRole('Admin') && !$phase->project->users()->where('user_id', $user->id)->exists()) {
|
|
abort(403);
|
|
}
|
|
$this->phase = $phase->load('progressUpdates');
|
|
$this->progress = $phase->progress_percent;
|
|
}
|
|
|
|
public function updateProgressManual()
|
|
{
|
|
$user = Auth::user();
|
|
if (!$user->can('update progress') && !$user->hasRole('Admin')) {
|
|
session()->flash('error', 'Sin permisos para actualizar el progreso.');
|
|
return;
|
|
}
|
|
$this->validate(['progress' => 'required|integer|min:0|max:100']);
|
|
$this->phase->progress_percent = $this->progress;
|
|
$this->phase->save();
|
|
|
|
$this->phase->progressUpdates()->create([
|
|
'user_id' => auth()->id(),
|
|
'progress_percent' => $this->progress,
|
|
'comment' => $this->comment,
|
|
]);
|
|
|
|
$this->dispatch('progressUpdated', $this->phase->id, $this->progress);
|
|
session()->flash('message', 'Progreso actualizado');
|
|
}
|
|
|
|
public function render()
|
|
{
|
|
return view('livewire.phase-progress');
|
|
}
|
|
} |