fix: 2026-06-09 full-codebase audit hardening
Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace the raw number|string transform idiom across every schema (the root-cause NaN bug class); emailOrEmpty + lenient isoDateString/timeString. Security: roles privilege-escalation closed; refresh-token family revocation on reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices gross VAT on all paths; orders-pdf custom-items authz. Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse confirm/cancel, attendance lockUserRow); uniqueness checks moved into create transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO). Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted fields; dashboard invalidation gaps; stale-closure confirm bugs. Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier; tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes), isolated on app_test via .env.test with a hard-throw setup guard. Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,6 +1,7 @@
|
||||
import { FastifyInstance } from "fastify";
|
||||
import prisma from "../../config/database";
|
||||
import { requirePermission } from "../../middleware/auth";
|
||||
import { logAudit } from "../../services/audit";
|
||||
import { success, error, parseId } from "../../utils/response";
|
||||
import { parseBody } from "../../schemas/common";
|
||||
import {
|
||||
@@ -70,23 +71,41 @@ export default async function scopeTemplatesRoutes(
|
||||
};
|
||||
|
||||
if (body.id) {
|
||||
const itemId = Number(body.id);
|
||||
const existingItem = await prisma.item_templates.findFirst({
|
||||
where: { id: Number(body.id), is_deleted: false },
|
||||
where: { id: itemId, is_deleted: false },
|
||||
});
|
||||
if (!existingItem) return error(reply, "Šablona nenalezena", 404);
|
||||
await prisma.item_templates.updateMany({
|
||||
where: { id: Number(body.id), is_deleted: false },
|
||||
where: { id: itemId, is_deleted: false },
|
||||
data: { ...itemData, modified_at: new Date() },
|
||||
});
|
||||
return success(
|
||||
reply,
|
||||
{ id: Number(body.id) },
|
||||
200,
|
||||
"Položka byla uložena",
|
||||
);
|
||||
await logAudit({
|
||||
request,
|
||||
authData: request.authData,
|
||||
action: "update",
|
||||
entityId: itemId,
|
||||
description: `Upravena šablona položky '${itemData.name ?? itemId}'`,
|
||||
oldValues: {
|
||||
name: existingItem.name,
|
||||
description: existingItem.description,
|
||||
default_price: existingItem.default_price,
|
||||
category: existingItem.category,
|
||||
},
|
||||
newValues: itemData,
|
||||
});
|
||||
return success(reply, { id: itemId }, 200, "Položka byla uložena");
|
||||
}
|
||||
|
||||
const item = await prisma.item_templates.create({ data: itemData });
|
||||
await logAudit({
|
||||
request,
|
||||
authData: request.authData,
|
||||
action: "create",
|
||||
entityId: item.id,
|
||||
description: `Vytvořena šablona položky '${itemData.name ?? item.id}'`,
|
||||
newValues: itemData,
|
||||
});
|
||||
return success(reply, { id: item.id }, 201, "Položka byla vytvořena");
|
||||
}
|
||||
|
||||
@@ -120,6 +139,20 @@ export default async function scopeTemplatesRoutes(
|
||||
return created;
|
||||
});
|
||||
|
||||
await logAudit({
|
||||
request,
|
||||
authData: request.authData,
|
||||
action: "create",
|
||||
entityId: template.id,
|
||||
description: `Vytvořena šablona rozsahu '${template.name ?? template.id}'`,
|
||||
newValues: {
|
||||
name: template.name,
|
||||
title: template.title,
|
||||
description: template.description,
|
||||
sections: Array.isArray(body.sections) ? body.sections.length : 0,
|
||||
},
|
||||
});
|
||||
|
||||
return success(reply, { id: template.id }, 201, "Šablona byla vytvořena");
|
||||
},
|
||||
);
|
||||
@@ -133,10 +166,23 @@ export default async function scopeTemplatesRoutes(
|
||||
|
||||
if (String(query.action) === "item" && query.id) {
|
||||
const id = Number(query.id);
|
||||
if (!Number.isInteger(id) || id <= 0)
|
||||
return error(reply, "Neplatné ID", 400);
|
||||
const existingItem = await prisma.item_templates.findFirst({
|
||||
where: { id, is_deleted: false },
|
||||
});
|
||||
if (!existingItem) return error(reply, "Šablona nenalezena", 404);
|
||||
await prisma.item_templates.update({
|
||||
where: { id },
|
||||
data: { is_deleted: true, modified_at: new Date() },
|
||||
});
|
||||
await logAudit({
|
||||
request,
|
||||
authData: request.authData,
|
||||
action: "delete",
|
||||
entityId: id,
|
||||
description: `Smazána šablona položky '${existingItem.name ?? id}'`,
|
||||
});
|
||||
return success(reply, null, 200, "Šablona smazána");
|
||||
}
|
||||
|
||||
@@ -210,6 +256,27 @@ export default async function scopeTemplatesRoutes(
|
||||
});
|
||||
}
|
||||
|
||||
await logAudit({
|
||||
request,
|
||||
authData: request.authData,
|
||||
action: "update",
|
||||
entityId: id,
|
||||
description: `Upravena šablona rozsahu '${existing.name ?? id}'`,
|
||||
oldValues: {
|
||||
name: existing.name,
|
||||
title: existing.title,
|
||||
description: existing.description,
|
||||
},
|
||||
newValues: {
|
||||
name: body.name,
|
||||
title: body.title,
|
||||
description: body.description,
|
||||
sections: Array.isArray(body.sections)
|
||||
? body.sections.length
|
||||
: undefined,
|
||||
},
|
||||
});
|
||||
|
||||
return success(reply, { id }, 200, "Šablona byla uložena");
|
||||
},
|
||||
);
|
||||
@@ -220,10 +287,21 @@ export default async function scopeTemplatesRoutes(
|
||||
async (request, reply) => {
|
||||
const id = parseId(request.params.id, reply);
|
||||
if (id === null) return;
|
||||
const existing = await prisma.scope_templates.findFirst({
|
||||
where: { id, is_deleted: false },
|
||||
});
|
||||
if (!existing) return error(reply, "Šablona nenalezena", 404);
|
||||
await prisma.scope_templates.update({
|
||||
where: { id },
|
||||
data: { is_deleted: true, modified_at: new Date() },
|
||||
});
|
||||
await logAudit({
|
||||
request,
|
||||
authData: request.authData,
|
||||
action: "delete",
|
||||
entityId: id,
|
||||
description: `Smazána šablona rozsahu '${existing.name ?? id}'`,
|
||||
});
|
||||
return success(reply, null, 200, "Šablona smazána");
|
||||
},
|
||||
);
|
||||
|
||||
Reference in New Issue
Block a user