javier/construprogress
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f8a1310c0fa16036070416dad6a8f2db5ab4b73e
construprogress/app/Livewire/ProjectCompanies.php
T
javier f8a1310c0f security: fix 27 vulnerabilities + UI integration (Issues tab, project nav, validation) 
Security fixes (27 vulnerabilities across 20 files):
CRITICAL:
- MediaManager: whitelist mediable types prevents RCE via class instantiation
- MediaManager/OfflineSyncController: IDOR fixes, remove Auth::id()??1 fallback
- ClientProjects: verify project ownership on all mutations (IDOR)
- CompanyManagement: Admin role check on mount() and mutations (auth bypass)
- ProjectMap: scope feature/template lookups to current project (IDOR x5)
- PhaseList/TemplateManager/LayerManager: scope mutations to owned resources (IDOR)
- ProjectEditTabs: Gate::authorize on mount() and updateProject()
- routes/web.php: reports routes moved inside can:manage all middleware (auth bypass)

MEDIUM:
- layer-manager: escapeHtml() on Leaflet popup interpolations (XSS)
- MediaManager: server-side MIME validation + 50MB limit
- ProjectList/ProjectUsers/ProjectCompanies/PhaseProgress: auth checks added
- AdminUsers/ReportsDashboard/ExportController: role/permission checks added

LOW:
- config/session.php: secure cookie tied to production env
- OfflineSyncController: sanitize storage path (path traversal)

UI integration:
- project-map: Issues tab (4th) with open-count badge
- project-map: project navigation bar (Dashboard/Map/Gantt/Report/Issues)
- project-dashboard: action buttons for Map/Gantt/Report/Issues
- project-form: validation error summary + per-field @error spans
- template-manager: validation error display

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-16 18:25:36 +02:00

90 lines
2.8 KiB
PHP
Raw Blame History

<?php
namespace App\Livewire;
use Livewire\Component;
use App\Models\Project;
use App\Models\Company;
use Illuminate\Support\Facades\Auth;
class ProjectCompanies extends Component
{
public Project $project;
public $assignedCompanies = [];
public $allCompanies = [];
public $selectedCompanyId = '';
public $selectedRole = 'other';
public function mount(Project $project)
{
$user = Auth::user();
if (!$user->hasRole('Admin') && !$project->users()->where('user_id', $user->id)->exists()) {
abort(403);
}
$this->project = $project;
$this->loadCompanies();
}
public function loadCompanies()
{
$this->assignedCompanies = $this->project->companies()->withPivot('role_in_project')->get();
$assignedIds = $this->assignedCompanies->pluck('id')->toArray();
$this->allCompanies = Company::whereNotIn('id', $assignedIds)->orderBy('name')->get();
}
public function assignCompany()
{
$user = Auth::user();
if (!$user->can('assign users') && !$user->hasRole('Admin')) {
session()->flash('error', 'No tienes permisos para asignar compañías.');
return;
}
$this->validate([
'selectedCompanyId' => 'required|exists:companies,id',
'selectedRole' => 'required|in:owner,constructor,subcontractor,consultant,supplier,other',
]);
$this->project->companies()->attach($this->selectedCompanyId, [
'role_in_project' => $this->selectedRole
]);
$this->reset(['selectedCompanyId', 'selectedRole']);
$this->loadCompanies();
$this->dispatch('notify', 'Compañía asignada al proyecto.');
}
public function removeCompany($companyId)
{
$user = Auth::user();
if (!$user->can('assign users') && !$user->hasRole('Admin')) {
session()->flash('error', 'Sin permisos.');
return;
}
$this->project->companies()->detach($companyId);
$this->loadCompanies();
$this->dispatch('notify', 'Compañía eliminada del proyecto.');
}
public function changeRole($companyId, $role)
{
$user = Auth::user();
if (!$user->can('assign users') && !$user->hasRole('Admin')) {
session()->flash('error', 'Sin permisos.');
return;
}
if (!in_array($role, ['owner', 'constructor', 'subcontractor', 'consultant', 'supplier', 'other'])) return;
$this->project->companies()->updateExistingPivot($companyId, [
'role_in_project' => $role
]);
$this->loadCompanies();
$this->dispatch('notify', 'Rol actualizado.');
}
public function render()
{
return view('livewire.project-companies');
}
}
Reference in New Issue View Git Blame Copy Permalink