mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-04-04 23:24:16 -04:00
* Fix business logic vulnerability allowing negative sale totals (GHSA-wv3j-pp8r-7q43)

  Add server-side validation in postEditItem() to reject negative prices, quantities, and discounts, as well as percentage discounts exceeding 100% and fixed discounts exceeding the item total. Also block sale completion with negative totals in non-return mode to prevent fraud/theft.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix: exempt return mode from negative quantity validation

  Return mode legitimately stores items with negative quantities. The quantity validation now skips the non-negative check in return mode, consistent with the existing return mode exemption in postComplete(). Also use abs() for fixed discount comparison to handle return quantities.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Refactor: use $rules + validate() pattern per review feedback

  Address review comments from jekkos on PR #4450:

  1. Use CI4 $rules variable with custom non_negative_decimal validation rule instead of manual if-checks for price/discount validation.
  2. Add validation error strings to all 44 non-English language files (English fallback values used until translations are contributed).
  3. Use validate() method with $messages array for localized error display, maintaining the existing controller pattern.

  Additional improvements:
  - Add non_negative_decimal rule to OSPOSRules.php (leverages parse_decimals() for locale-aware decimal parsing)
  - Preserve manual checks for business logic (return mode quantity exemption, discount bounds via bccomp)
  - Fix PHP 8.1+ compatibility: avoid passing method return to reset()
  - Explicit empty discount handling for bc-math safety

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix: rename to nonNegativeDecimal (PSR), clear non-English translation strings

  - Rename validation rule method non_negative_decimal → nonNegativeDecimal in OSPOSRules.php and all $rules/$messages references in Sales.php (PSR naming per @objecttothis review)
  - Replace English fallback text with "" in 43 non-English language files so CI4 falls back to the base language string; weblate will handle translations (per @jekkos and @objecttothis agreement)

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Paul <morimori-dev@github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: objecttothis <17935339+objecttothis@users.noreply.github.com>
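The checks this squashed commit describes, as an added stand-alone sketch that is not opensourcepos code: the function names, the $isReturn flag and the line array keys are assumptions, and the CI4 validation rule is stood in for by a plain function so the logic runs without the framework.

```php
<?php
// Added illustration of the checks in the commit above, not opensourcepos code:
// function names, the $isReturn flag and the array keys are constructed. Needs ext-bcmath.

// Stand-in for the nonNegativeDecimal rule: an unsigned decimal string only.
function nonNegativeDecimal(string $value): bool
{
    return (bool) preg_match('/^\d+(\.\d+)?$/', $value);
}

// Validate one edited sale line; returns error strings (empty array = valid).
function validateSaleLine(array $line, bool $isReturn): array
{
    $errors   = [];
    $discount = $line['discount'] === '' ? '0' : $line['discount']; // empty => 0 for bcmath
    if (!nonNegativeDecimal($line['price'])) {
        $errors[] = 'price must be a non-negative decimal';
    }
    if (!preg_match('/^-?\d+(\.\d+)?$/', $line['quantity'])) {
        $errors[] = 'quantity must be a decimal';
    } elseif (!$isReturn && !nonNegativeDecimal($line['quantity'])) {
        $errors[] = 'quantity must be non-negative'; // return mode stores negatives legitimately
    }
    if (!nonNegativeDecimal($discount)) {
        $errors[] = 'discount must be a non-negative decimal';
    } elseif ($errors === [] && $line['discount_type'] === 'percent') {
        if (bccomp($discount, '100', 4) > 0) {
            $errors[] = 'percentage discount cannot exceed 100%';
        }
    } elseif ($errors === []) {
        // Bound fixed discounts by |quantity| * price so return lines are covered too.
        $lineTotal = bcmul($line['price'], ltrim($line['quantity'], '-'), 4);
        if (bccomp($discount, $lineTotal, 4) > 0) {
            $errors[] = 'fixed discount cannot exceed the item total';
        }
    }
    return $errors;
}

// Completing a sale with a negative total is allowed only in return mode.
function canCompleteSale(string $total, bool $isReturn): bool
{
    return $isReturn || bccomp($total, '0', 4) >= 0;
}

// Constructed inputs: a 150% discount on a sale line, and a legitimate return line.
print_r(validateSaleLine(['price' => '10.00', 'quantity' => '1', 'discount' => '150', 'discount_type' => 'percent'], false));
print_r(validateSaleLine(['price' => '10.00', 'quantity' => '-1', 'discount' => '5', 'discount_type' => 'fixed'], true));
var_dump(canCompleteSale('-25.00', false));
```

The bound checks run only once the individual fields have passed the decimal rule, so bccomp and bcmul never see a malformed string.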