security: fix all Critical and High findings from FLAWS_REPORT audit

- Auth: pessimistic locking on login tokens and refresh token rotation,
  backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
  unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
  and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
  refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
  permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
  restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
  HTML, ref mutation fixes, accessibility attributes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
BOHA
2026-04-24 00:58:35 +02:00
parent 122eee175e
commit 528e55991b
57 changed files with 2355 additions and 1010 deletions


@@ -197,6 +197,7 @@ export default function ProjectFileManager({
}: ProjectFileManagerProps) {
const alert = useAlert();
const fileInputRef = useRef<HTMLInputElement>(null);
const isCancelling = useRef(false);
const [items, setItems] = useState<FileItem[]>([]);
const [loading, setLoading] = useState(true);
@@ -768,10 +769,26 @@ export default function ProjectFileManager({
}}
autoFocus
onKeyDown={(e) => {
if (e.key === "Enter") handleRename(item);
if (e.key === "Escape") setRenamingItem(null);
if (e.key === "Enter") {
e.preventDefault();
handleRename(item);
}
if (e.key === "Escape") {
e.preventDefault();
isCancelling.current = true;
setRenamingItem(null);
setRenameValue(item.name);
setTimeout(() => {
isCancelling.current = false;
}, 0);
}
}}
onBlur={() => {
if (isCancelling.current) {
return;
}
handleRename(item);
}}
onBlur={() => handleRename(item)}
/>
) : (
<FileNameCell
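Review bot: The `isCancelling` ref declared in the first hunk and read in the new `onBlur` handler is reset by a zero-delay `setTimeout`, so the Escape cancel is only honoured if the blur event is dispatched before that timer runs; should the blur arrive later (the input is unmounted by `setRenamingItem(null)`, and blur delivery on removal varies by browser and React version), `handleRename(item)` still executes, though with `renameValue` already reset to `item.name`. I would state that timing assumption where the ref is declared, e.g. `// Set on Escape so the blur that follows the cancel does not commit the rename; cleared on the next tick.`, and also clear the flag inside the guarded branch, `if (isCancelling.current) { isCancelling.current = false; return; }`, so the blur that the flag is meant to suppress consumes it directly and the timer only remains as a fallback for the case where no blur is delivered at all. The component body and the surrounding JSX continue outside the hunk, so I cannot see whether `handleRename` treats an unchanged name as a no-op; if it does not, the late-blur path would still issue a redundant rename request.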