opensourcepos

mirror/opensourcepos

Fork 0

mirror of https://github.com/opensourcepos/opensourcepos.git synced 2026-05-29 10:47:53 -04:00

Commit Graph

Author	SHA1	Message	Date
Ollama	12146275f4	fix: Fix migration foreign key constraint and remove seeder - Change employee_id to INT(10) to match employees.person_id type - Remove seeder call from migration (causes issues in tests) - Add permission/module inserts directly in migration - Add proper down() method to drop FK and data - Remove seed reference from tests The foreign key was failing because: 1. employee_id was defined as unsigned INT(11) 2. employees.person_id is INT(10) NOT NULL (not unsigned) 3. Seeder call in migration caused multiple runs in tests	2026-03-06 15:05:59 +00:00
Ollama	e45af91e2e	feat: Add REST API implementation with API key authentication Implement comprehensive REST API for OSPOS with the following: Database: - Migration for ospos_api_keys table - Seeder for module permissions Models: - ApiKey model with key generation, validation, revocation - SHA-256 hashing for secure key storage - Support for key expiration Filters: - ApiAuth filter for X-API-Key header authentication - CSRF exemption for API routes Controllers: - Api/BaseController with response helpers and field transformation - Api/Customers (CRUD + batch delete, suggestions) - Api/Suppliers (CRUD + batch delete, suggestions) - Api/Items (CRUD + batch delete, quantities endpoint) - Api/Inventory (adjustments with set/adjust modes, bulk support) - ApiKeys (UI controller for key management) Routes: - /api/v1/* endpoints with apiauth filter - /office/api-keys/* endpoints for key management UI Tests: - ApiKeyTest for model functionality - ApiAuthTest for authentication filter Features: - camelCase JSON field names (API standard) - Offset/limit pagination - Soft delete support - Permission-based authorization - Key prefix for UI identification - Last used timestamp tracking Refs: #2463, #615, #3789, #3809, #1680, #876, #1959, #157	2026-03-06 14:35:27 +00:00
jekkos	19eb43270a	Fix broken object-level authorization in Employees controller (CVE-worthy) (#4391 ) - Non-admin employees can no longer view/modify admin accounts - Non-admin employees can no longer delete admin accounts - Non-admin employees can only grant permissions they themselves have - Added is_admin() and can_modify_employee() methods to Employee model - Prevents privilege escalation via permission grants Add tests for BOLA fix and permission delegation - EmployeeTest: Unit tests for is_admin() and can_modify_employee() methods - EmployeesControllerTest: Test cases for authorization checks (integration tests require DB) - ReportsControllerTest: Test validating the constructor redirect fix pattern Fix return type error in Employees controller Use $this->response->setJSON() instead of echo json_encode() + return to properly satisfy the ResponseInterface return type.	2026-03-05 19:46:39 +01:00

Author

SHA1

Message

Date

Ollama

12146275f4

fix: Fix migration foreign key constraint and remove seeder

- Change employee_id to INT(10) to match employees.person_id type
- Remove seeder call from migration (causes issues in tests)
- Add permission/module inserts directly in migration
- Add proper down() method to drop FK and data
- Remove seed reference from tests

The foreign key was failing because:
1. employee_id was defined as unsigned INT(11)
2. employees.person_id is INT(10) NOT NULL (not unsigned)
3. Seeder call in migration caused multiple runs in tests

2026-03-06 15:05:59 +00:00

Ollama

e45af91e2e

feat: Add REST API implementation with API key authentication

Implement comprehensive REST API for OSPOS with the following:

Database:
- Migration for ospos_api_keys table
- Seeder for module permissions

Models:
- ApiKey model with key generation, validation, revocation
- SHA-256 hashing for secure key storage
- Support for key expiration

Filters:
- ApiAuth filter for X-API-Key header authentication
- CSRF exemption for API routes

Controllers:
- Api/BaseController with response helpers and field transformation
- Api/Customers (CRUD + batch delete, suggestions)
- Api/Suppliers (CRUD + batch delete, suggestions)
- Api/Items (CRUD + batch delete, quantities endpoint)
- Api/Inventory (adjustments with set/adjust modes, bulk support)
- ApiKeys (UI controller for key management)

Routes:
- /api/v1/* endpoints with apiauth filter
- /office/api-keys/* endpoints for key management UI

Tests:
- ApiKeyTest for model functionality
- ApiAuthTest for authentication filter

Features:
- camelCase JSON field names (API standard)
- Offset/limit pagination
- Soft delete support
- Permission-based authorization
- Key prefix for UI identification
- Last used timestamp tracking

Refs: #2463, #615, #3789, #3809, #1680, #876, #1959, #157

2026-03-06 14:35:27 +00:00

jekkos

19eb43270a

Fix broken object-level authorization in Employees controller (CVE-worthy) (#4391 )

- Non-admin employees can no longer view/modify admin accounts
- Non-admin employees can no longer delete admin accounts
- Non-admin employees can only grant permissions they themselves have
- Added is_admin() and can_modify_employee() methods to Employee model
- Prevents privilege escalation via permission grants

Add tests for BOLA fix and permission delegation

- EmployeeTest: Unit tests for is_admin() and can_modify_employee() methods
- EmployeesControllerTest: Test cases for authorization checks (integration tests require DB)
- ReportsControllerTest: Test validating the constructor redirect fix pattern

Fix return type error in Employees controller

Use $this->response->setJSON() instead of echo json_encode() + return
to properly satisfy the ResponseInterface return type.

2026-03-05 19:46:39 +01:00

3 Commits