fix: oprava kritických bezpečnostních chyb a bugů z code review
- SEC-1: nahrazen exec('fsutil') za PHP-native is_link()+realpath() v NasFileManager - eliminace command injection
- SEC-2: přidáno ověření aktuálního hesla při změně hesla (profile.php + DashProfile.jsx)
- BUG-1: attendance punch obalen do transakce s SELECT FOR UPDATE - prevence race condition při dvojkliku
- BUG-2: eliminován N+1 SQL dotaz pro VAT v invoice listu - výpočet přesunut do subquery
- BUG-5/6: delete a update attendance záznamů obaleny do transakcí - prevence nekonzistentního stavu
- BUG-7: opravena duplikace nabídky - přidáno chybějící pole unit v offer items
ESLint: 0 errors | PHPCS: 0 errors | Build: OK
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
189
dist/api/admin/handlers/attendance-handlers.php
vendored
189
dist/api/admin/handlers/attendance-handlers.php
vendored
@@ -261,106 +261,121 @@ function handlePunch(PDO $pdo, int $userId): void
|
||||
$lat = isset($input['latitude']) && $input['latitude'] !== '' ? (float)$input['latitude'] : null;
|
||||
$lng = isset($input['longitude']) && $input['longitude'] !== '' ? (float)$input['longitude'] : null;
|
||||
$accuracy = isset($input['accuracy']) && $input['accuracy'] !== '' ? (float)$input['accuracy'] : null;
|
||||
$address = !empty($input['address']) ? $input['address'] : null;
|
||||
$address = !empty($input['address']) ? mb_substr($input['address'], 0, 500) : null;
|
||||
|
||||
$stmt = $pdo->prepare("
|
||||
SELECT id, user_id, shift_date, arrival_time, break_start, break_end,
|
||||
departure_time, notes, project_id, leave_type, created_at
|
||||
FROM attendance
|
||||
WHERE user_id = ? AND departure_time IS NULL AND (leave_type IS NULL OR leave_type = 'work')
|
||||
ORDER BY created_at DESC LIMIT 1
|
||||
");
|
||||
$stmt->execute([$userId]);
|
||||
$ongoingShift = $stmt->fetch();
|
||||
$pdo->beginTransaction();
|
||||
try {
|
||||
$stmt = $pdo->prepare("
|
||||
SELECT id, user_id, shift_date, arrival_time, break_start, break_end,
|
||||
departure_time, notes, project_id, leave_type, created_at
|
||||
FROM attendance
|
||||
WHERE user_id = ? AND departure_time IS NULL AND (leave_type IS NULL OR leave_type = 'work')
|
||||
ORDER BY created_at DESC LIMIT 1
|
||||
FOR UPDATE
|
||||
");
|
||||
$stmt->execute([$userId]);
|
||||
$ongoingShift = $stmt->fetch();
|
||||
|
||||
if ($action === 'arrival' && !$ongoingShift) {
|
||||
$now = roundUpTo15Minutes($rawNow);
|
||||
$stmt = $pdo->prepare('
|
||||
INSERT INTO attendance
|
||||
(user_id, shift_date, arrival_time, arrival_lat, arrival_lng, arrival_accuracy, arrival_address)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?)
|
||||
');
|
||||
$stmt->execute([$userId, $today, $now, $lat, $lng, $accuracy, $address]);
|
||||
if ($action === 'arrival' && !$ongoingShift) {
|
||||
$now = roundUpTo15Minutes($rawNow);
|
||||
$stmt = $pdo->prepare('
|
||||
INSERT INTO attendance
|
||||
(user_id, shift_date, arrival_time, arrival_lat, arrival_lng, arrival_accuracy, arrival_address)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?)
|
||||
');
|
||||
$stmt->execute([$userId, $today, $now, $lat, $lng, $accuracy, $address]);
|
||||
|
||||
AuditLog::logCreate('attendance', (int)$pdo->lastInsertId(), [
|
||||
'arrival_time' => $now,
|
||||
'location' => $address,
|
||||
], 'Příchod zaznamenán');
|
||||
AuditLog::logCreate('attendance', (int)$pdo->lastInsertId(), [
|
||||
'arrival_time' => $now,
|
||||
'location' => $address,
|
||||
], 'Příchod zaznamenán');
|
||||
|
||||
successResponse(null, 'Příchod zaznamenán');
|
||||
} elseif ($ongoingShift) {
|
||||
switch ($action) {
|
||||
case 'break_start':
|
||||
if ($ongoingShift['arrival_time'] && !$ongoingShift['break_start']) {
|
||||
$breakStart = roundToNearest10Minutes($rawNow);
|
||||
$breakEnd = date('Y-m-d H:i:s', strtotime($breakStart) + (30 * 60));
|
||||
$pdo->commit();
|
||||
successResponse(null, 'Příchod zaznamenán');
|
||||
} elseif ($ongoingShift) {
|
||||
switch ($action) {
|
||||
case 'break_start':
|
||||
if ($ongoingShift['arrival_time'] && !$ongoingShift['break_start']) {
|
||||
$breakStart = roundToNearest10Minutes($rawNow);
|
||||
$breakEnd = date('Y-m-d H:i:s', strtotime($breakStart) + (30 * 60));
|
||||
|
||||
$stmt = $pdo->prepare('UPDATE attendance SET break_start = ?, break_end = ? WHERE id = ?');
|
||||
$stmt->execute([$breakStart, $breakEnd, $ongoingShift['id']]);
|
||||
$stmt = $pdo->prepare('UPDATE attendance SET break_start = ?, break_end = ? WHERE id = ?');
|
||||
$stmt->execute([$breakStart, $breakEnd, $ongoingShift['id']]);
|
||||
|
||||
successResponse(null, 'Pauza zaznamenána');
|
||||
} else {
|
||||
errorResponse('Nelze zadat pauzu');
|
||||
}
|
||||
break;
|
||||
|
||||
case 'departure':
|
||||
if ($ongoingShift['arrival_time'] && !$ongoingShift['departure_time']) {
|
||||
$now = roundDownTo15Minutes($rawNow);
|
||||
|
||||
// Auto-add break if shift is longer than 6h and no break
|
||||
if (!$ongoingShift['break_start'] && !$ongoingShift['break_end']) {
|
||||
$arrivalTime = strtotime($ongoingShift['arrival_time']);
|
||||
$departureTime = strtotime($now);
|
||||
$hoursWorked = ($departureTime - $arrivalTime) / 3600;
|
||||
|
||||
if ($hoursWorked > 12) {
|
||||
$midPoint = $arrivalTime + (($departureTime - $arrivalTime) / 2);
|
||||
$breakStart = roundToNearest10Minutes(date('Y-m-d H:i:s', $midPoint - (30 * 60)));
|
||||
$breakEnd = roundToNearest10Minutes(date('Y-m-d H:i:s', $midPoint + (30 * 60)));
|
||||
|
||||
$stmt = $pdo->prepare('UPDATE attendance SET break_start = ?, break_end = ? WHERE id = ?');
|
||||
$stmt->execute([$breakStart, $breakEnd, $ongoingShift['id']]);
|
||||
} elseif ($hoursWorked > 6) {
|
||||
$midPoint = $arrivalTime + (($departureTime - $arrivalTime) / 2);
|
||||
$breakStart = roundToNearest10Minutes(date('Y-m-d H:i:s', $midPoint - (15 * 60)));
|
||||
$breakEnd = roundToNearest10Minutes(date('Y-m-d H:i:s', $midPoint + (15 * 60)));
|
||||
|
||||
$stmt = $pdo->prepare('UPDATE attendance SET break_start = ?, break_end = ? WHERE id = ?');
|
||||
$stmt->execute([$breakStart, $breakEnd, $ongoingShift['id']]);
|
||||
}
|
||||
$pdo->commit();
|
||||
successResponse(null, 'Pauza zaznamenána');
|
||||
} else {
|
||||
$pdo->rollBack();
|
||||
errorResponse('Nelze zadat pauzu');
|
||||
}
|
||||
break;
|
||||
|
||||
$stmt = $pdo->prepare('
|
||||
UPDATE attendance
|
||||
SET departure_time = ?, departure_lat = ?, departure_lng = ?,
|
||||
departure_accuracy = ?, departure_address = ?
|
||||
WHERE id = ?
|
||||
');
|
||||
$stmt->execute([$now, $lat, $lng, $accuracy, $address, $ongoingShift['id']]);
|
||||
case 'departure':
|
||||
if ($ongoingShift['arrival_time'] && !$ongoingShift['departure_time']) {
|
||||
$now = roundDownTo15Minutes($rawNow);
|
||||
|
||||
// Close any open project log
|
||||
$stmt = $pdo->prepare('
|
||||
UPDATE attendance_project_logs SET ended_at = ? WHERE attendance_id = ? AND ended_at IS NULL
|
||||
');
|
||||
$stmt->execute([$now, $ongoingShift['id']]);
|
||||
// Auto-add break if shift is longer than 6h and no break
|
||||
if (!$ongoingShift['break_start'] && !$ongoingShift['break_end']) {
|
||||
$arrivalTime = strtotime($ongoingShift['arrival_time']);
|
||||
$departureTime = strtotime($now);
|
||||
$hoursWorked = ($departureTime - $arrivalTime) / 3600;
|
||||
|
||||
AuditLog::logUpdate('attendance', $ongoingShift['id'], [], [
|
||||
'departure_time' => $now,
|
||||
'location' => $address,
|
||||
], 'Odchod zaznamenán');
|
||||
if ($hoursWorked > 12) {
|
||||
$midPoint = $arrivalTime + (($departureTime - $arrivalTime) / 2);
|
||||
$breakStart = roundToNearest10Minutes(date('Y-m-d H:i:s', $midPoint - (30 * 60)));
|
||||
$breakEnd = roundToNearest10Minutes(date('Y-m-d H:i:s', $midPoint + (30 * 60)));
|
||||
|
||||
successResponse(null, 'Odchod zaznamenán');
|
||||
} else {
|
||||
errorResponse('Nelze zadat odchod');
|
||||
}
|
||||
break;
|
||||
$stmt = $pdo->prepare('UPDATE attendance SET break_start = ?, break_end = ? WHERE id = ?');
|
||||
$stmt->execute([$breakStart, $breakEnd, $ongoingShift['id']]);
|
||||
} elseif ($hoursWorked > 6) {
|
||||
$midPoint = $arrivalTime + (($departureTime - $arrivalTime) / 2);
|
||||
$breakStart = roundToNearest10Minutes(date('Y-m-d H:i:s', $midPoint - (15 * 60)));
|
||||
$breakEnd = roundToNearest10Minutes(date('Y-m-d H:i:s', $midPoint + (15 * 60)));
|
||||
|
||||
default:
|
||||
errorResponse('Neplatná akce');
|
||||
$sql = 'UPDATE attendance SET break_start = ?, break_end = ? WHERE id = ?';
|
||||
$stmt = $pdo->prepare($sql);
|
||||
$stmt->execute([$breakStart, $breakEnd, $ongoingShift['id']]);
|
||||
}
|
||||
}
|
||||
|
||||
$stmt = $pdo->prepare('
|
||||
UPDATE attendance
|
||||
SET departure_time = ?, departure_lat = ?, departure_lng = ?,
|
||||
departure_accuracy = ?, departure_address = ?
|
||||
WHERE id = ?
|
||||
');
|
||||
$stmt->execute([$now, $lat, $lng, $accuracy, $address, $ongoingShift['id']]);
|
||||
|
||||
// Close any open project log
|
||||
$stmt = $pdo->prepare('
|
||||
UPDATE attendance_project_logs SET ended_at = ? WHERE attendance_id = ? AND ended_at IS NULL
|
||||
');
|
||||
$stmt->execute([$now, $ongoingShift['id']]);
|
||||
|
||||
AuditLog::logUpdate('attendance', $ongoingShift['id'], [], [
|
||||
'departure_time' => $now,
|
||||
'location' => $address,
|
||||
], 'Odchod zaznamenán');
|
||||
|
||||
$pdo->commit();
|
||||
successResponse(null, 'Odchod zaznamenán');
|
||||
} else {
|
||||
$pdo->rollBack();
|
||||
errorResponse('Nelze zadat odchod');
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
$pdo->rollBack();
|
||||
errorResponse('Neplatná akce');
|
||||
}
|
||||
} else {
|
||||
$pdo->rollBack();
|
||||
errorResponse('Neplatná akce - nemáte aktivní směnu');
|
||||
}
|
||||
} else {
|
||||
errorResponse('Neplatná akce - nemáte aktivní směnu');
|
||||
} catch (\Throwable $e) {
|
||||
$pdo->rollBack();
|
||||
throw $e;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user