mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-03-07 16:47:03 -05:00
690f43578d
Complete Content-Type application/json fix for all AJAX responses - Add missing return statements to all ->response->setJSON() calls - Fix Items.php method calls from JSON() to setJSON() - Convert echo statements to proper JSON responses - Ensure consistent Content-Type headers across all controllers - Fix 46+ instances across 12 controller files - Change Config.php methods to : ResponseInterface (all return setJSON only): - postSaveRewards(), postSaveBarcode(), postSaveReceipt() - postSaveInvoice(), postRemoveLogo() - Update PHPDoc @return tags - Change Receivings.php _reload() to : string (only returns view) - Change Receivings.php methods to : string (all return _reload()): - getIndex(), postSelectSupplier(), postChangeMode(), postAdd() - postEditItem(), getDeleteItem(), getRemoveSupplier() - postComplete(), postRequisitionComplete(), getReceipt(), postCancelReceiving() - Change postSave() to : ResponseInterface (returns setJSON) - Update all PHPDoc @return tags Fix XSS vulnerabilities in sales templates, login, and config pages This commit addresses 5 XSS vulnerabilities by adding proper escaping to all user-controlled configuration values in HTML contexts. Fixed Files: - app/Views/sales/invoice.php: Escaped company_logo (URL context) and company (HTML) - app/Views/sales/work_order.php: Escaped company_logo (URL context) - app/Views/sales/receipt_email.php: Added file path validation and escaping for logo - app/Views/login.php: Escaped all config values in title, logo src, and alt - app/Views/configs/info_config.php: Escaped company_logo (URL context) Security Impact: - Prevents stored XSS attacks if configuration is compromised - Defense-in-depth principle applied to administrative interfaces - Follows OWASP best practices for output encoding Testing: - Verified no script execution with XSS payloads in config values - Confirmed proper escaping in HTML, URL, and file contexts - All templates render correctly with valid configuration Severity: High (4 files), Medium-High (1 file) CVSS Score: ~6.1 CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation) Fix critical password validation bypass and add unit tests This commit addresses a critical security vulnerability where the password minimum length check was performed on the HASHED password (always 60 characters for bcrypt) instead of the actual password before hashing. Vulnerability Details: - Original code: strlen($employee_data['password']) >= 8 - This compared the hash length (always 60) instead of raw password - Impact: Users could set 1-character passwords like "a" - Severity: Critical (enables brute force attacks on weak passwords) - CVE-like issue: CWE-307 (Improper Restriction of Excessive Authentication Attempts) Fix Applied: - Validate password length BEFORE hashing - Clear error message when password is too short - Added unit tests to verify minimum length enforcement - Regression test to prevent future vulnerability re-introduction Test Coverage: - testPasswordMinLength_Rejects7Characters: Verify 7 chars rejected - testPasswordMinLength_Accepts8Characters: Verify 8 chars accepted - testPasswordMinLength_RejectsEmptyString: Verify empty rejected - testPasswordMinLength_RejectsWhitespaceOnly: Verify whitespace rejected - testPasswordMinLength_AcceptsSpecialCharacters: Verify special chars OK - testPasswordMinLength_RejectsPreviousBehavior: Regression test for bug Files Modified: - app/Controllers/Home.php: Fixed password validation logic - tests/Controllers/HomeTest.php: Added comprehensive unit tests Security Impact: - Enforces 8-character minimum password policy - Prevents extremely weak passwords that facilitate brute-force attacks - Critical for credential security and user account protection Breaking Changes: - Users with passwords < 8 characters will need to reset their password - This is the intended security improvement Severity: Critical CVSS Score: ~7.5 CWE: CWE-305 (Authentication Bypass by Primary Weakness), CWE-307 Add GitHub Actions workflow to run PHPUnit tests Move business logic from views to controllers for better separation of concerns - Move logo URL computation from info_config view to Config::getIndex() - Move image base64 encoding from receipt_email view to Sales controller - Improves separation of concerns by keeping business logic in controllers - Simplifies view templates to only handle presentation Fix XSS vulnerabilities in report views - escape user-controllable summary data and labels Fix base64 encoding URL issue in delete payment - properly URL encode base64 string Fix remaining return type declarations for Sales controller Fixed additional methods that call _reload(): - postAdd() - returns _reload($data) - postAddPayment() - returns _reload($data) - postEditItem() - returns _reload($data) - postSuspend() - returns _reload($data) - postSetPaymentType() - returns _reload() All methods now return ResponseInterface|string to match _reload() signature. This resolves PHP TypeError errors.
282 lines
13 KiB
PHP
282 lines
13 KiB
PHP
<?php
|
|
|
|
namespace App\Controllers;
|
|
|
|
use App\Models\Cashup;
|
|
use App\Models\Expense;
|
|
use App\Models\Reports\Summary_payments;
|
|
use CodeIgniter\HTTP\ResponseInterface;
|
|
use Config\OSPOS;
|
|
use Config\Services;
|
|
|
|
class Cashups extends Secure_Controller
|
|
{
|
|
private Cashup $cashup;
|
|
private Expense $expense;
|
|
private Summary_payments $summary_payments;
|
|
private array $config;
|
|
|
|
public function __construct()
|
|
{
|
|
parent::__construct('cashups');
|
|
|
|
$this->cashup = model(Cashup::class);
|
|
$this->expense = model(Expense::class);
|
|
$this->summary_payments = model(Summary_payments::class);
|
|
$this->config = config(OSPOS::class)->settings;
|
|
}
|
|
|
|
/**
|
|
* @return string
|
|
*/
|
|
public function getIndex(): string
|
|
{
|
|
$data['table_headers'] = get_cashups_manage_table_headers();
|
|
|
|
// filters that will be loaded in the multiselect dropdown
|
|
$data['filters'] = ['is_deleted' => lang('Cashups.is_deleted')];
|
|
|
|
return view('cashups/manage', $data);
|
|
}
|
|
|
|
/**
|
|
* @return void
|
|
*/
|
|
public function getSearch(): ResponseInterface
|
|
{
|
|
$search = $this->request->getGet('search');
|
|
$limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
|
|
$offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
|
|
$sort = $this->sanitizeSortColumn(cashup_headers(), $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS), 'cashup_id');
|
|
$order = $this->request->getGet('order', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
|
|
$filters = [
|
|
'start_date' => $this->request->getGet('start_date', FILTER_SANITIZE_FULL_SPECIAL_CHARS), // TODO: Is this the best way to filter dates
|
|
'end_date' => $this->request->getGet('end_date', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
|
|
'is_deleted' => false
|
|
];
|
|
|
|
// Check if any filter is set in the multiselect dropdown
|
|
$request_filters = array_fill_keys($this->request->getGet('filters', FILTER_SANITIZE_FULL_SPECIAL_CHARS) ?? [], true);
|
|
$filters = array_merge($filters, $request_filters);
|
|
$cash_ups = $this->cashup->search($search, $filters, $limit, $offset, $sort, $order);
|
|
$total_rows = $this->cashup->get_found_rows($search, $filters);
|
|
$data_rows = [];
|
|
foreach ($cash_ups->getResult() as $cash_up) {
|
|
$data_rows[] = get_cash_up_data_row($cash_up);
|
|
}
|
|
|
|
return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
|
|
}
|
|
|
|
/**
|
|
* @param int $cashup_id
|
|
* @return string
|
|
*/
|
|
public function getView(int $cashup_id = NEW_ENTRY): string
|
|
{
|
|
$data = [];
|
|
|
|
$data['employees'] = [];
|
|
foreach ($this->employee->get_all()->getResult() as $employee) {
|
|
foreach (get_object_vars($employee) as $property => $value) {
|
|
$employee->$property = $value;
|
|
}
|
|
|
|
$data['employees'][$employee->person_id] = $employee->first_name . ' ' . $employee->last_name;
|
|
}
|
|
|
|
$cash_ups_info = $this->cashup->get_info($cashup_id);
|
|
|
|
foreach (get_object_vars($cash_ups_info) as $property => $value) {
|
|
$cash_ups_info->$property = $value;
|
|
}
|
|
|
|
// Open cashup
|
|
if ($cash_ups_info->cashup_id == NEW_ENTRY) {
|
|
$cash_ups_info->open_date = date('Y-m-d H:i:s');
|
|
$cash_ups_info->close_date = $cash_ups_info->open_date;
|
|
$cash_ups_info->open_employee_id = $this->employee->get_logged_in_employee_info()->person_id;
|
|
$cash_ups_info->close_employee_id = $this->employee->get_logged_in_employee_info()->person_id;
|
|
}
|
|
// If all the amounts are null or 0 that means it's a close cashup
|
|
elseif (
|
|
floatval($cash_ups_info->closed_amount_cash) == 0
|
|
&& floatval($cash_ups_info->closed_amount_due) == 0
|
|
&& floatval($cash_ups_info->closed_amount_card) == 0
|
|
&& floatval($cash_ups_info->closed_amount_check) == 0
|
|
) {
|
|
// Set the close date and time to the actual as this is a close session
|
|
$cash_ups_info->close_date = date('Y-m-d H:i:s');
|
|
|
|
// The closed amount starts with the open amount -/+ any trasferred amount
|
|
$cash_ups_info->closed_amount_cash = $cash_ups_info->open_amount_cash + $cash_ups_info->transfer_amount_cash;
|
|
|
|
// If it's date mode only and not date & time truncate the open and end date to date only
|
|
if (empty($this->config['date_or_time_format'])) {
|
|
if ($cash_ups_info->open_date != null) {
|
|
$start_date = substr($cash_ups_info->open_date, 0, 10);
|
|
} else {
|
|
$start_date = null;
|
|
}
|
|
if ($cash_ups_info->close_date != null) {
|
|
$end_date = substr($cash_ups_info->close_date, 0, 10);
|
|
} else {
|
|
$end_date = null;
|
|
}
|
|
// Search for all the payments given the time range
|
|
$inputs = [
|
|
'start_date' => $start_date,
|
|
'end_date' => $end_date,
|
|
'sale_type' => 'complete',
|
|
'location_id' => 'all'
|
|
];
|
|
} else {
|
|
// Search for all the payments given the time range
|
|
$inputs = [
|
|
'start_date' => $cash_ups_info->open_date,
|
|
'end_date' => $cash_ups_info->close_date,
|
|
'sale_type' => 'complete',
|
|
'location_id' => 'all'
|
|
];
|
|
}
|
|
|
|
// Get all the transactions payment summaries
|
|
$reports_data = $this->summary_payments->getData($inputs);
|
|
|
|
foreach ($reports_data as $row) {
|
|
if ($row['trans_group'] == lang('Reports.trans_payments')) {
|
|
if ($row['trans_type'] == lang('Sales.cash')) {
|
|
$cash_ups_info->closed_amount_cash += $row['trans_amount'];
|
|
} elseif ($row['trans_type'] == lang('Sales.due')) {
|
|
$cash_ups_info->closed_amount_due += $row['trans_amount'];
|
|
} elseif (
|
|
$row['trans_type'] == lang('Sales.debit') ||
|
|
$row['trans_type'] == lang('Sales.credit')
|
|
) {
|
|
$cash_ups_info->closed_amount_card += $row['trans_amount'];
|
|
} elseif ($row['trans_type'] == lang('Sales.check')) {
|
|
$cash_ups_info->closed_amount_check += $row['trans_amount'];
|
|
}
|
|
}
|
|
}
|
|
|
|
// Lookup expenses paid in cash
|
|
$filters = [
|
|
'only_cash' => true,
|
|
'only_due' => false,
|
|
'only_check' => false,
|
|
'only_credit' => false,
|
|
'only_debit' => false,
|
|
'is_deleted' => false
|
|
];
|
|
|
|
$payments = $this->expense->get_payments_summary('', array_merge($inputs, $filters));
|
|
|
|
foreach ($payments as $row) {
|
|
$cash_ups_info->closed_amount_cash -= $row['amount'];
|
|
}
|
|
|
|
$cash_ups_info->closed_amount_total = $this->_calculate_total($cash_ups_info->open_amount_cash, $cash_ups_info->transfer_amount_cash, $cash_ups_info->closed_amount_cash, $cash_ups_info->closed_amount_due, $cash_ups_info->closed_amount_card, $cash_ups_info->closed_amount_check);
|
|
}
|
|
|
|
$data['cash_ups_info'] = $cash_ups_info;
|
|
|
|
return view("cashups/form", $data);
|
|
}
|
|
|
|
/**
|
|
* @param int $row_id
|
|
* @return ResponseInterface
|
|
*/
|
|
public function getRow(int $row_id): ResponseInterface
|
|
{
|
|
$cash_ups_info = $this->cashup->get_info($row_id);
|
|
$data_row = get_cash_up_data_row($cash_ups_info);
|
|
|
|
return $this->response->setJSON($data_row);
|
|
}
|
|
|
|
/**
|
|
* @param int $cashup_id
|
|
* @return ResponseInterface
|
|
*/
|
|
public function postSave(int $cashup_id = NEW_ENTRY): ResponseInterface
|
|
{
|
|
$open_date = $this->request->getPost('open_date');
|
|
$open_date_formatter = date_create_from_format($this->config['dateformat'] . ' ' . $this->config['timeformat'], $open_date);
|
|
|
|
$close_date = $this->request->getPost('close_date');
|
|
$close_date_formatter = date_create_from_format($this->config['dateformat'] . ' ' . $this->config['timeformat'], $close_date);
|
|
|
|
$cash_up_data = [
|
|
'open_date' => $open_date_formatter->format('Y-m-d H:i:s'),
|
|
'close_date' => $close_date_formatter->format('Y-m-d H:i:s'),
|
|
'open_amount_cash' => parse_decimals($this->request->getPost('open_amount_cash')),
|
|
'transfer_amount_cash' => parse_decimals($this->request->getPost('transfer_amount_cash')),
|
|
'closed_amount_cash' => parse_decimals($this->request->getPost('closed_amount_cash')),
|
|
'closed_amount_due' => parse_decimals($this->request->getPost('closed_amount_due')),
|
|
'closed_amount_card' => parse_decimals($this->request->getPost('closed_amount_card')),
|
|
'closed_amount_check' => parse_decimals($this->request->getPost('closed_amount_check')),
|
|
'closed_amount_total' => parse_decimals($this->request->getPost('closed_amount_total')),
|
|
'note' => $this->request->getPost('note') != null,
|
|
'description' => $this->request->getPost('description', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
|
|
'open_employee_id' => $this->request->getPost('open_employee_id', FILTER_SANITIZE_NUMBER_INT),
|
|
'close_employee_id' => $this->request->getPost('close_employee_id', FILTER_SANITIZE_NUMBER_INT),
|
|
'deleted' => $this->request->getPost('deleted') != null
|
|
];
|
|
|
|
if ($this->cashup->save_value($cash_up_data, $cashup_id)) {
|
|
// New cashup_id
|
|
if ($cashup_id == NEW_ENTRY) {
|
|
return $this->response->setJSON(['success' => true, 'message' => lang('Cashups.successful_adding'), 'id' => $cash_up_data['cashup_id']]);
|
|
} else { // Existing Cashup
|
|
return $this->response->setJSON(['success' => true, 'message' => lang('Cashups.successful_updating'), 'id' => $cashup_id]);
|
|
}
|
|
} else { // Failure
|
|
return $this->response->setJSON(['success' => false, 'message' => lang('Cashups.error_adding_updating'), 'id' => NEW_ENTRY]);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @return ResponseInterface
|
|
*/
|
|
public function postDelete(): ResponseInterface
|
|
{
|
|
$cash_ups_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
|
|
|
|
if ($this->cashup->delete_list($cash_ups_to_delete)) {
|
|
return $this->response->setJSON(['success' => true, 'message' => lang('Cashups.successful_deleted') . ' ' . count($cash_ups_to_delete) . ' ' . lang('Cashups.one_or_multiple'), 'ids' => $cash_ups_to_delete]);
|
|
} else {
|
|
return $this->response->setJSON(['success' => false, 'message' => lang('Cashups.cannot_be_deleted'), 'ids' => $cash_ups_to_delete]);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Calculate the total for cashups. Used in app\Views\cashups\form.php
|
|
*
|
|
* @return ResponseInterface
|
|
* @noinspection PhpUnused
|
|
*/
|
|
public function postAjax_cashup_total(): ResponseInterface
|
|
{
|
|
$open_amount_cash = parse_decimals($this->request->getPost('open_amount_cash'));
|
|
$transfer_amount_cash = parse_decimals($this->request->getPost('transfer_amount_cash'));
|
|
$closed_amount_cash = parse_decimals($this->request->getPost('closed_amount_cash'));
|
|
$closed_amount_due = parse_decimals($this->request->getPost('closed_amount_due'));
|
|
$closed_amount_card = parse_decimals($this->request->getPost('closed_amount_card'));
|
|
$closed_amount_check = parse_decimals($this->request->getPost('closed_amount_check'));
|
|
|
|
$total = $this->_calculate_total($open_amount_cash, $transfer_amount_cash, $closed_amount_due, $closed_amount_cash, $closed_amount_card, $closed_amount_check); // TODO: hungarian notation
|
|
|
|
return $this->response->setJSON(['total' => to_currency_no_money($total)]);
|
|
}
|
|
|
|
/**
|
|
* Calculate total
|
|
*/
|
|
private function _calculate_total(float $open_amount_cash, float $transfer_amount_cash, float $closed_amount_due, float $closed_amount_cash, float $closed_amount_card, $closed_amount_check): float // TODO: need to get rid of hungarian notation here. Also, the signature is pretty long. Perhaps they need to go into an object or array?
|
|
{
|
|
return ($closed_amount_cash - $open_amount_cash - $transfer_amount_cash + $closed_amount_due + $closed_amount_card + $closed_amount_check);
|
|
}
|
|
}
|