mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-03-10 03:00:09 -04:00
* fix(security): add row-level authorization to password change endpoints

  - Prevents non-admin users from viewing other users' password forms
  - Prevents non-admin users from changing other users' passwords
  - Uses can_modify_employee() check consistent with Employees controller fix
  - Addresses BOLA vulnerability in Home controller (GHSA-q58g-gg7v-f9rf)

* test(security): add BOLA authorization tests for Home controller

  - Test non-admin cannot view/change admin password
  - Test user can view/change own password
  - Test admin can view/change any password
  - Test default employee_id uses current user
  - Add JUnit test result upload to CI workflow

* refactor: apply PSR-12 naming and add DEFAULT_EMPLOYEE_ID constant

  - Add DEFAULT_EMPLOYEE_ID constant to Constants.php
  - Rename variables to follow PSR-12 camelCase convention
  - Use ternary for default employee ID assignment

* refactor: use NEW_ENTRY constant instead of adding DEFAULT_EMPLOYEE_ID

  Reuse existing NEW_ENTRY constant for default employee ID parameter.
  Avoids adding redundant constants to Constants.php with same value (-1).

---------

Co-authored-by: jekkos <jeroen@steganos.dev>
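The row-level rule the commit describes (admin may touch any employee row, everyone else only their own, and a NEW_ENTRY employee_id of -1 means "the current user"), as an added standalone PHP example. This is not OpenSourcePOS code: only the names can_modify_employee() and NEW_ENTRY come from the commit; the Session class, resolveEmployeeId(), the in-memory $db array and the before/after handler names are assumptions made for this illustration, and the hardened handler returns false where the real controller would respond with an error page.

```php
<?php
// Added example, not OpenSourcePOS code. Models the authorization fix from the
// commit; everything except can_modify_employee()/NEW_ENTRY is assumed.
declare(strict_types=1);

const NEW_ENTRY = -1; // the commit reuses this constant as the default employee id

final class Session
{
    public function __construct(public int $personId, public bool $isAdmin) {}
}

// Same rule the commit applies in the Home controller: admins may modify any
// employee row, a non-admin only the row matching their own person id.
function can_modify_employee(Session $current, int $employeeId): bool
{
    return $current->isAdmin || $current->personId === $employeeId;
}

// "default employee_id uses current user": NEW_ENTRY resolves to the caller.
function resolveEmployeeId(Session $current, int $employeeId = NEW_ENTRY): int
{
    return $employeeId === NEW_ENTRY ? $current->personId : $employeeId;
}

// Vulnerable 'before' (BOLA): the client-supplied id selects the row directly.
function changePasswordBefore(Session $current, int $employeeId, string $newPassword, array &$db): bool
{
    $db[$employeeId] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Hardened 'after': resolve the id, then authorize the row before writing it.
function changePasswordAfter(Session $current, int $employeeId, string $newPassword, array &$db): bool
{
    $target = resolveEmployeeId($current, $employeeId);
    if (!can_modify_employee($current, $target)) {
        return false; // the real controller would deny the request here
    }
    $db[$target] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed data: person 1 is an admin, person 2 is a cashier.
$admin   = new Session(1, true);
$cashier = new Session(2, false);
$db      = [1 => 'old-admin-hash', 2 => 'old-cashier-hash'];

$before = $db;
changePasswordBefore($cashier, 1, 'pwned', $before);
check(password_verify('pwned', $before[1]), 'before: cashier overwrote the admin hash');

$after = $db;
check(changePasswordAfter($cashier, 1, 'pwned', $after) === false, 'after: cashier denied on admin row');
check($after[1] === 'old-admin-hash', 'after: admin row untouched');
check(changePasswordAfter($cashier, NEW_ENTRY, 'mine', $after) === true, 'after: default id is self');
check(password_verify('mine', $after[2]), 'after: cashier row updated');
check(changePasswordAfter($admin, 2, 'reset', $after) === true, 'after: admin may modify any row');
check(password_verify('reset', $after[2]), 'after: admin reset applied');
echo "all checks passed\n";
```

Run with `php example.php` (PHP 8.0 or later for constructor promotion). The point the commit makes is visible in the two handlers: the only difference is that the hardened one resolves the id and calls the same can_modify_employee() check the Employees controller uses before the row is written, so a non-admin who edits the employee_id in the request can no longer reach another user's row.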
13 KiB