fix: oprava kritických bezpečnostních chyb a bugů z code review

- SEC-1: nahrazen exec('fsutil') za PHP-native is_link()+realpath() v NasFileManager - eliminace command injection - SEC-2: přidáno ověření aktuálního hesla při změně hesla (profile.php + DashProfile.jsx) - BUG-1: attendance punch obalen do transakce s SELECT FOR UPDATE - prevence race condition při dvojkliku - BUG-2: eliminován N+1 SQL dotaz pro VAT v invoice listu - výpočet přesunut do subquery - BUG-5/6: delete a update attendance záznamů obaleny do transakcí - prevence nekonzistentního stavu - BUG-7: opravena duplikace nabídky - přidáno chybějící pole unit v offer items ESLint: 0 errors | PHPCS: 0 errors | Build: OK Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 13:46:20 +01:00
parent 913344b8c4
commit 5550358b15
45 changed files with 373 additions and 301 deletions
--- a/dist/api/includes/AttendanceAdmin.php
+++ b/dist/api/includes/AttendanceAdmin.php
@@ -579,27 +579,34 @@ function handleUpdateAttendance(PDO $pdo, int $recordId): void

    $projectLogs = $input['project_logs'] ?? null;
    if ($projectLogs !== null) {
-        $stmt = $pdo->prepare('DELETE FROM attendance_project_logs WHERE attendance_id = ?');
-        $stmt->execute([$recordId]);
+        $pdo->beginTransaction();
+        try {
+            $stmt = $pdo->prepare('DELETE FROM attendance_project_logs WHERE attendance_id = ?');
+            $stmt->execute([$recordId]);

-        if (!empty($projectLogs) && ($input['leave_type'] ?? 'work') === 'work') {
-            $logStmt = $pdo->prepare(
-                'INSERT INTO attendance_project_logs
-                    (attendance_id, project_id, hours, minutes)
-                VALUES (?, ?, ?, ?)'
-            );
-            foreach ($projectLogs as $log) {
-                $pid = (int)($log['project_id'] ?? 0);
-                if (!$pid) {
-                    continue;
+            if (!empty($projectLogs) && ($input['leave_type'] ?? 'work') === 'work') {
+                $logStmt = $pdo->prepare(
+                    'INSERT INTO attendance_project_logs
+                        (attendance_id, project_id, hours, minutes)
+                    VALUES (?, ?, ?, ?)'
+                );
+                foreach ($projectLogs as $log) {
+                    $pid = (int)($log['project_id'] ?? 0);
+                    if (!$pid) {
+                        continue;
+                    }
+                    $h = (int)($log['hours'] ?? 0);
+                    $m = (int)($log['minutes'] ?? 0);
+                    if ($h === 0 && $m === 0) {
+                        continue;
+                    }
+                    $logStmt->execute([$recordId, $pid, $h, $m]);
                }
-                $h = (int)($log['hours'] ?? 0);
-                $m = (int)($log['minutes'] ?? 0);
-                if ($h === 0 && $m === 0) {
-                    continue;
-                }
-                $logStmt->execute([$recordId, $pid, $h, $m]);
            }
+            $pdo->commit();
+        } catch (\Throwable $e) {
+            $pdo->rollBack();
+            throw $e;
        }
    }

@@ -621,18 +628,26 @@ function handleDeleteAttendance(PDO $pdo, int $recordId): void
        errorResponse('Záznam nebyl nalezen', 404);
    }

-    $leaveType = $record['leave_type'] ?? 'work';
-    $leaveHours = $record['leave_hours'] ?? 0;
-    if ($leaveType !== 'work' && $leaveHours > 0) {
-        updateLeaveBalance($pdo, (int)$record['user_id'], $record['shift_date'], $leaveType, -(float)$leaveHours);
+    $pdo->beginTransaction();
+    try {
+        $leaveType = $record['leave_type'] ?? 'work';
+        $leaveHours = $record['leave_hours'] ?? 0;
+        if ($leaveType !== 'work' && $leaveHours > 0) {
+            updateLeaveBalance($pdo, (int)$record['user_id'], $record['shift_date'], $leaveType, -(float)$leaveHours);
+        }
+
+        $stmt = $pdo->prepare('DELETE FROM attendance_project_logs WHERE attendance_id = ?');
+        $stmt->execute([$recordId]);
+
+        $stmt = $pdo->prepare('DELETE FROM attendance WHERE id = ?');
+        $stmt->execute([$recordId]);
+
+        $pdo->commit();
+    } catch (\Throwable $e) {
+        $pdo->rollBack();
+        throw $e;
    }

-    $stmt = $pdo->prepare('DELETE FROM attendance_project_logs WHERE attendance_id = ?');
-    $stmt->execute([$recordId]);
-
-    $stmt = $pdo->prepare('DELETE FROM attendance WHERE id = ?');
-    $stmt->execute([$recordId]);
-
    AuditLog::logDelete('attendance', $recordId, $record, 'Admin smazal záznam docházky');

    successResponse(null, 'Záznam byl smazán');