mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-03-07 16:47:03 -05:00
690f43578d
Complete Content-Type application/json fix for all AJAX responses - Add missing return statements to all ->response->setJSON() calls - Fix Items.php method calls from JSON() to setJSON() - Convert echo statements to proper JSON responses - Ensure consistent Content-Type headers across all controllers - Fix 46+ instances across 12 controller files - Change Config.php methods to : ResponseInterface (all return setJSON only): - postSaveRewards(), postSaveBarcode(), postSaveReceipt() - postSaveInvoice(), postRemoveLogo() - Update PHPDoc @return tags - Change Receivings.php _reload() to : string (only returns view) - Change Receivings.php methods to : string (all return _reload()): - getIndex(), postSelectSupplier(), postChangeMode(), postAdd() - postEditItem(), getDeleteItem(), getRemoveSupplier() - postComplete(), postRequisitionComplete(), getReceipt(), postCancelReceiving() - Change postSave() to : ResponseInterface (returns setJSON) - Update all PHPDoc @return tags Fix XSS vulnerabilities in sales templates, login, and config pages This commit addresses 5 XSS vulnerabilities by adding proper escaping to all user-controlled configuration values in HTML contexts. Fixed Files: - app/Views/sales/invoice.php: Escaped company_logo (URL context) and company (HTML) - app/Views/sales/work_order.php: Escaped company_logo (URL context) - app/Views/sales/receipt_email.php: Added file path validation and escaping for logo - app/Views/login.php: Escaped all config values in title, logo src, and alt - app/Views/configs/info_config.php: Escaped company_logo (URL context) Security Impact: - Prevents stored XSS attacks if configuration is compromised - Defense-in-depth principle applied to administrative interfaces - Follows OWASP best practices for output encoding Testing: - Verified no script execution with XSS payloads in config values - Confirmed proper escaping in HTML, URL, and file contexts - All templates render correctly with valid configuration Severity: High (4 files), Medium-High (1 file) CVSS Score: ~6.1 CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation) Fix critical password validation bypass and add unit tests This commit addresses a critical security vulnerability where the password minimum length check was performed on the HASHED password (always 60 characters for bcrypt) instead of the actual password before hashing. Vulnerability Details: - Original code: strlen($employee_data['password']) >= 8 - This compared the hash length (always 60) instead of raw password - Impact: Users could set 1-character passwords like "a" - Severity: Critical (enables brute force attacks on weak passwords) - CVE-like issue: CWE-307 (Improper Restriction of Excessive Authentication Attempts) Fix Applied: - Validate password length BEFORE hashing - Clear error message when password is too short - Added unit tests to verify minimum length enforcement - Regression test to prevent future vulnerability re-introduction Test Coverage: - testPasswordMinLength_Rejects7Characters: Verify 7 chars rejected - testPasswordMinLength_Accepts8Characters: Verify 8 chars accepted - testPasswordMinLength_RejectsEmptyString: Verify empty rejected - testPasswordMinLength_RejectsWhitespaceOnly: Verify whitespace rejected - testPasswordMinLength_AcceptsSpecialCharacters: Verify special chars OK - testPasswordMinLength_RejectsPreviousBehavior: Regression test for bug Files Modified: - app/Controllers/Home.php: Fixed password validation logic - tests/Controllers/HomeTest.php: Added comprehensive unit tests Security Impact: - Enforces 8-character minimum password policy - Prevents extremely weak passwords that facilitate brute-force attacks - Critical for credential security and user account protection Breaking Changes: - Users with passwords < 8 characters will need to reset their password - This is the intended security improvement Severity: Critical CVSS Score: ~7.5 CWE: CWE-305 (Authentication Bypass by Primary Weakness), CWE-307 Add GitHub Actions workflow to run PHPUnit tests Move business logic from views to controllers for better separation of concerns - Move logo URL computation from info_config view to Config::getIndex() - Move image base64 encoding from receipt_email view to Sales controller - Improves separation of concerns by keeping business logic in controllers - Simplifies view templates to only handle presentation Fix XSS vulnerabilities in report views - escape user-controllable summary data and labels Fix base64 encoding URL issue in delete payment - properly URL encode base64 string Fix remaining return type declarations for Sales controller Fixed additional methods that call _reload(): - postAdd() - returns _reload($data) - postAddPayment() - returns _reload($data) - postEditItem() - returns _reload($data) - postSuspend() - returns _reload($data) - postSetPaymentType() - returns _reload() All methods now return ResponseInterface|string to match _reload() signature. This resolves PHP TypeError errors.
221 lines
9.1 KiB
PHP
221 lines
9.1 KiB
PHP
<?php
|
|
|
|
namespace App\Controllers;
|
|
|
|
use App\Models\Module;
|
|
use CodeIgniter\HTTP\ResponseInterface;
|
|
use Config\Services;
|
|
|
|
/**
|
|
*
|
|
*
|
|
* @property module module
|
|
*
|
|
*/
|
|
class Employees extends Persons
|
|
{
|
|
public function __construct()
|
|
{
|
|
parent::__construct('employees');
|
|
|
|
$this->module = model('Module');
|
|
}
|
|
|
|
/**
|
|
* Returns employee table data rows. This will be called with AJAX.
|
|
*
|
|
* @return void
|
|
*/
|
|
public function getSearch(): ResponseInterface
|
|
{
|
|
$search = $this->request->getGet('search');
|
|
$limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
|
|
$offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
|
|
$sort = $this->sanitizeSortColumn(person_headers(), $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS), 'people.person_id');
|
|
$order = $this->request->getGet('order', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
|
|
|
|
$employees = $this->employee->search($search, $limit, $offset, $sort, $order);
|
|
$total_rows = $this->employee->get_found_rows($search);
|
|
|
|
$data_rows = [];
|
|
foreach ($employees->getResult() as $person) {
|
|
$data_rows[] = get_person_data_row($person);
|
|
}
|
|
|
|
return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
|
|
}
|
|
|
|
/**
|
|
* AJAX called function gives search suggestions based on what is being searched for.
|
|
*
|
|
* @return ResponseInterface
|
|
*/
|
|
public function getSuggest(): ResponseInterface
|
|
{
|
|
$search = $this->request->getGet('term');
|
|
$suggestions = $this->employee->get_search_suggestions($search, 25, true);
|
|
|
|
return $this->response->setJSON($suggestions);
|
|
}
|
|
|
|
/**
|
|
* @return ResponseInterface
|
|
*/
|
|
public function suggest_search(): ResponseInterface
|
|
{
|
|
$search = $this->request->getPost('term');
|
|
$suggestions = $this->employee->get_search_suggestions($search);
|
|
|
|
return $this->response->setJSON($suggestions);
|
|
}
|
|
|
|
/**
|
|
* Loads the employee edit form
|
|
* @return string
|
|
*/
|
|
public function getView(int $employee_id = NEW_ENTRY): string
|
|
{
|
|
$person_info = $this->employee->get_info($employee_id);
|
|
foreach (get_object_vars($person_info) as $property => $value) {
|
|
$person_info->$property = $value;
|
|
}
|
|
$data['person_info'] = $person_info;
|
|
$data['employee_id'] = $employee_id;
|
|
|
|
$modules = [];
|
|
foreach ($this->module->get_all_modules()->getResult() as $module) {
|
|
$module->grant = $this->employee->has_grant($module->module_id, $person_info->person_id);
|
|
$module->menu_group = $this->employee->get_menu_group($module->module_id, $person_info->person_id);
|
|
|
|
$modules[] = $module;
|
|
}
|
|
$data['all_modules'] = $modules;
|
|
|
|
$permissions = [];
|
|
foreach ($this->module->get_all_subpermissions()->getResult() as $permission) { // TODO: subpermissions does not follow naming standards.
|
|
$permission->permission_id = str_replace(' ', '_', $permission->permission_id);
|
|
$permission->grant = $this->employee->has_grant($permission->permission_id, $person_info->person_id);
|
|
|
|
$permissions[] = $permission;
|
|
}
|
|
$data['all_subpermissions'] = $permissions;
|
|
|
|
return view('employees/form', $data);
|
|
}
|
|
|
|
/**
|
|
* Inserts/updates an employee
|
|
* @return ResponseInterface
|
|
*/
|
|
public function postSave(int $employee_id = NEW_ENTRY): ResponseInterface
|
|
{
|
|
$first_name = $this->request->getPost('first_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // TODO: duplicated code
|
|
$last_name = $this->request->getPost('last_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
|
|
$email = strtolower($this->request->getPost('email', FILTER_SANITIZE_EMAIL));
|
|
|
|
// format first and last name properly
|
|
$first_name = $this->nameize($first_name);
|
|
$last_name = $this->nameize($last_name);
|
|
|
|
$person_data = [
|
|
'first_name' => $first_name,
|
|
'last_name' => $last_name,
|
|
'gender' => $this->request->getPost('gender', FILTER_SANITIZE_NUMBER_INT),
|
|
'email' => $email,
|
|
'phone_number' => $this->request->getPost('phone_number', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
|
|
'address_1' => $this->request->getPost('address_1', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
|
|
'address_2' => $this->request->getPost('address_2', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
|
|
'city' => $this->request->getPost('city', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
|
|
'state' => $this->request->getPost('state', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
|
|
'zip' => $this->request->getPost('zip', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
|
|
'country' => $this->request->getPost('country', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
|
|
'comments' => $this->request->getPost('comments', FILTER_SANITIZE_FULL_SPECIAL_CHARS)
|
|
];
|
|
|
|
$grants_array = [];
|
|
foreach ($this->module->get_all_permissions()->getResult() as $permission) {
|
|
$grants = [];
|
|
$grant = $this->request->getPost('grant_' . $permission->permission_id) != null ? $this->request->getPost('grant_' . $permission->permission_id, FILTER_SANITIZE_FULL_SPECIAL_CHARS) : '';
|
|
|
|
if ($grant == $permission->permission_id) {
|
|
$grants['permission_id'] = $permission->permission_id;
|
|
$grants['menu_group'] = $this->request->getPost('menu_group_' . $permission->permission_id) != null ? $this->request->getPost('menu_group_' . $permission->permission_id, FILTER_SANITIZE_FULL_SPECIAL_CHARS) : '--';
|
|
$grants_array[] = $grants;
|
|
}
|
|
}
|
|
|
|
// Password has been changed OR first time password set
|
|
if (!empty($this->request->getPost('password')) && ENVIRONMENT != 'testing') {
|
|
$exploded = explode(":", $this->request->getPost('language', FILTER_SANITIZE_FULL_SPECIAL_CHARS));
|
|
$employee_data = [
|
|
'username' => $this->request->getPost('username', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
|
|
'password' => password_hash($this->request->getPost('password'), PASSWORD_DEFAULT),
|
|
'hash_version' => 2,
|
|
'language_code' => $exploded[0],
|
|
'language' => $exploded[1]
|
|
];
|
|
} else { // Password not changed
|
|
$exploded = explode(":", $this->request->getPost('language', FILTER_SANITIZE_FULL_SPECIAL_CHARS));
|
|
$employee_data = [
|
|
'username' => $this->request->getPost('username', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
|
|
'language_code' => $exploded[0],
|
|
'language' => $exploded[1]
|
|
];
|
|
}
|
|
|
|
if ($this->employee->save_employee($person_data, $employee_data, $grants_array, $employee_id)) {
|
|
// New employee
|
|
if ($employee_id == NEW_ENTRY) {
|
|
return $this->response->setJSON([
|
|
'success' => true,
|
|
'message' => lang('Employees.successful_adding') . ' ' . $first_name . ' ' . $last_name,
|
|
'id' => $employee_data['person_id']
|
|
]);
|
|
} else { // Existing employee
|
|
return $this->response->setJSON([
|
|
'success' => true,
|
|
'message' => lang('Employees.successful_updating') . ' ' . $first_name . ' ' . $last_name,
|
|
'id' => $employee_id
|
|
]);
|
|
}
|
|
} else { // Failure
|
|
return $this->response->setJSON([
|
|
'success' => false,
|
|
'message' => lang('Employees.error_adding_updating') . ' ' . $first_name . ' ' . $last_name,
|
|
'id' => NEW_ENTRY
|
|
]);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* This deletes employees from the employees table
|
|
* @return ResponseInterface
|
|
*/
|
|
public function postDelete(): ResponseInterface
|
|
{
|
|
$employees_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
|
|
|
|
if ($this->employee->delete_list($employees_to_delete)) { // TODO: this is passing a string, but delete_list expects an array
|
|
return $this->response->setJSON([
|
|
'success' => true,
|
|
'message' => lang('Employees.successful_deleted') . ' ' . count($employees_to_delete) . ' ' . lang('Employees.one_or_multiple')
|
|
]);
|
|
} else {
|
|
return $this->response->setJSON(['success' => false, 'message' => lang('Employees.cannot_be_deleted')]);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Checks an employee username against the database. Used in app\Views\employees\form.php
|
|
*
|
|
* @param $employee_id
|
|
* @return ResponseInterface
|
|
* @noinspection PhpUnused
|
|
*/
|
|
public function getCheckUsername($employee_id): ResponseInterface
|
|
{
|
|
$exists = $this->employee->username_exists($employee_id, $this->request->getGet('username'));
|
|
return $this->response->setJSON(!$exists ? 'true' : 'false');
|
|
}
|
|
}
|