fix: 2026-06-09 full-codebase audit hardening
Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace the raw number|string transform idiom across every schema (the root-cause NaN bug class); emailOrEmpty + lenient isoDateString/timeString. Security: roles privilege-escalation closed; refresh-token family revocation on reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices gross VAT on all paths; orders-pdf custom-items authz. Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse confirm/cancel, attendance lockUserRow); uniqueness checks moved into create transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO). Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted fields; dashboard invalidation gaps; stale-closure confirm bugs. Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier; tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes), isolated on app_test via .env.test with a hard-throw setup guard. Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -70,15 +70,8 @@ export default function WarehouseIssueDetail() {
|
||||
error,
|
||||
} = useQuery(warehouseIssueDetailOptions(id));
|
||||
|
||||
if (!hasPermission("warehouse.view")) return <Forbidden />;
|
||||
|
||||
const canOperate = hasPermission("warehouse.operate");
|
||||
|
||||
const confirmMutation = useApiMutation<void, void>({
|
||||
url: () =>
|
||||
issue
|
||||
? `/api/admin/warehouse/issues/${issue.id}/confirm`
|
||||
: "/api/admin/warehouse/issues/0/confirm",
|
||||
const confirmMutation = useApiMutation<number, void>({
|
||||
url: (issueId) => `/api/admin/warehouse/issues/${issueId}/confirm`,
|
||||
method: () => "POST",
|
||||
invalidate: ["warehouse"],
|
||||
onSuccess: () => {
|
||||
@@ -86,11 +79,8 @@ export default function WarehouseIssueDetail() {
|
||||
},
|
||||
});
|
||||
|
||||
const cancelMutation = useApiMutation<void, void>({
|
||||
url: () =>
|
||||
issue
|
||||
? `/api/admin/warehouse/issues/${issue.id}/cancel`
|
||||
: "/api/admin/warehouse/issues/0/cancel",
|
||||
const cancelMutation = useApiMutation<number, void>({
|
||||
url: (issueId) => `/api/admin/warehouse/issues/${issueId}/cancel`,
|
||||
method: () => "POST",
|
||||
invalidate: ["warehouse"],
|
||||
onSuccess: () => {
|
||||
@@ -99,10 +89,15 @@ export default function WarehouseIssueDetail() {
|
||||
},
|
||||
});
|
||||
|
||||
// All hooks above this line — permission gate is the last thing before render.
|
||||
if (!hasPermission("warehouse.view")) return <Forbidden />;
|
||||
|
||||
const canOperate = hasPermission("warehouse.operate");
|
||||
|
||||
const handleConfirm = async () => {
|
||||
if (!issue) return;
|
||||
try {
|
||||
await confirmMutation.mutateAsync(undefined);
|
||||
await confirmMutation.mutateAsync(issue.id);
|
||||
} catch (e) {
|
||||
alert.error(e instanceof Error ? e.message : "Chyba připojení");
|
||||
}
|
||||
@@ -111,7 +106,7 @@ export default function WarehouseIssueDetail() {
|
||||
const handleCancel = async () => {
|
||||
if (!issue) return;
|
||||
try {
|
||||
await cancelMutation.mutateAsync(undefined);
|
||||
await cancelMutation.mutateAsync(issue.id);
|
||||
} catch (e) {
|
||||
alert.error(e instanceof Error ? e.message : "Chyba připojení");
|
||||
}
|
||||
@@ -315,8 +310,8 @@ export default function WarehouseIssueDetail() {
|
||||
{iss.project ? (
|
||||
<Typography
|
||||
variant="body2"
|
||||
component="a"
|
||||
href={`/projects/${iss.project.id}`}
|
||||
component={RouterLink}
|
||||
to={`/projects/${iss.project.id}`}
|
||||
sx={{
|
||||
fontFamily: "'DM Mono', Menlo, monospace",
|
||||
fontWeight: 500,
|
||||
|
||||
Reference in New Issue
Block a user