boha_admin/app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 26 Wiki Activity

security: fix all Critical and High findings from FLAWS_REPORT audit

Browse Source 
- Auth: pessimistic locking on login tokens and refresh token rotation,
  backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
  unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
  and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
  refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
  permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
  restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
  HTML, ref mutation fixes, accessibility attributes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-04-24 00:58:35 +02:00
parent 122eee175e
commit 528e55991b
57 changed files with 2355 additions and 1010 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
src/services/projects.service.ts
View File

@@ -56,13 +56,13 @@ export async function listProjects(params: ListProjectsParams) {
prisma.projects.count({ where }),
]);
const enriched = projects.map((p) => ({
const enriched = projects.map(({ customers, users, orders, ...p }) => ({
...p,
customer_name: p.customers?.name || null,
responsible_user_name: p.users
? `${p.users.first_name} ${p.users.last_name}`.trim()
customer_name: customers?.name || null,
responsible_user_name: users
? `${users.first_name} ${users.last_name}`.trim()
: null,
order_number: p.orders?.order_number || null,
order_number: orders?.order_number || null,
}));
return { data: enriched, total, page, limit };
@@ -72,10 +72,10 @@ export async function getProject(id: number) {
const project = await prisma.projects.findUnique({
where: { id },
include: {
customers: true,
users: true,
quotations: true,
orders: true,
customers: { select: { id: true, name: true } },
users: { select: { id: true, first_name: true, last_name: true } },
quotations: { select: { id: true, quotation_number: true } },
orders: { select: { id: true, order_number: true, status: true } },
project_notes: { orderBy: { created_at: "desc" } },
},
});
@@ -96,22 +96,33 @@ export async function getProject(id: number) {
};
}
import { isSharedNumberTaken } from "./numbering.service";
export async function createProject(body: Record<string, any>) {
const projectNumber =
body.project_number !== undefined && body.project_number !== null
? String(body.project_number)
: await generateSharedNumber();
if (body.project_number !== undefined && body.project_number !== null) {
const taken = await isSharedNumberTaken(String(body.project_number));
if (taken) {
return { error: "Číslo projektu je již použito", status: 400 };
}
}
const project = await prisma.projects.create({
data: {
project_number: projectNumber,
name: body.name ? String(body.name) : null,
customer_id: body.customer_id ? Number(body.customer_id) : null,
responsible_user_id: body.responsible_user_id
? Number(body.responsible_user_id)
: null,
quotation_id: body.quotation_id ? Number(body.quotation_id) : null,
order_id: body.order_id ? Number(body.order_id) : null,
customer_id: body.customer_id != null ? Number(body.customer_id) : null,
responsible_user_id:
body.responsible_user_id != null
? Number(body.responsible_user_id)
: null,
quotation_id:
body.quotation_id != null ? Number(body.quotation_id) : null,
order_id: body.order_id != null ? Number(body.order_id) : null,
status: body.status ? String(body.status) : "aktivni",
start_date: body.start_date ? new Date(String(body.start_date)) : null,
end_date: body.end_date ? new Date(String(body.end_date)) : null,
@@ -145,15 +156,18 @@ export async function updateProject(id: number, body: Record<string, any>) {
for (const f of strFields)
if (body[f] !== undefined) data[f] = body[f] ? String(body[f]) : null;
if (body.customer_id !== undefined)
data.customer_id = body.customer_id ? Number(body.customer_id) : null;
data.customer_id =
body.customer_id != null ? Number(body.customer_id) : null;
if (body.responsible_user_id !== undefined)
data.responsible_user_id = body.responsible_user_id
? Number(body.responsible_user_id)
: null;
data.responsible_user_id =
body.responsible_user_id != null
? Number(body.responsible_user_id)
: null;
if (body.quotation_id !== undefined)
data.quotation_id = body.quotation_id ? Number(body.quotation_id) : null;
data.quotation_id =
body.quotation_id != null ? Number(body.quotation_id) : null;
if (body.order_id !== undefined)
data.order_id = body.order_id ? Number(body.order_id) : null;
data.order_id = body.order_id != null ? Number(body.order_id) : null;
if (body.start_date !== undefined)
data.start_date = body.start_date
? new Date(String(body.start_date))
@@ -161,7 +175,7 @@ export async function updateProject(id: number, body: Record<string, any>) {
if (body.end_date !== undefined)
data.end_date = body.end_date ? new Date(String(body.end_date)) : null;
await prisma.projects.update({ where: { id }, data });
const updated = await prisma.projects.update({ where: { id }, data });
if (
body.name !== undefined &&
@@ -175,7 +189,7 @@ export async function updateProject(id: number, body: Record<string, any>) {
);
}
return existing;
return updated;
}
export async function deleteProject(id: number, deleteFiles: boolean = false) {