fix api security issues and update pages issue

This commit is contained in:
root
2026-06-04 16:41:19 -04:00
parent feb6be0610
commit 5e5fe3794a
32 changed files with 1628 additions and 37 deletions
BIN
View File
Binary file not shown.
@@ -6,6 +6,8 @@ use App\Http\Controllers\Api\Core\BaseApiController;
use App\Http\Requests\Roles\RoleSwitchRequest;
use App\Services\Roles\RoleSwitchService;
use Illuminate\Http\JsonResponse;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpFoundation\Response;
class RoleSwitcherController extends BaseApiController
@@ -40,7 +42,13 @@ class RoleSwitcherController extends BaseApiController
}
$role = (string) $request->validated()['role'];
$route = $this->switchService->switchRole($role);
try {
$route = $this->switchService->switchRole($guard, $role);
} catch (AccessDeniedHttpException $e) {
return $this->error($e->getMessage(), Response::HTTP_FORBIDDEN);
} catch (NotFoundHttpException $e) {
return $this->error($e->getMessage(), Response::HTTP_NOT_FOUND);
}
return $this->success([
'role' => $role,
@@ -4,6 +4,7 @@ namespace App\Http\Controllers\Api\Grading;
use App\Http\Controllers\Api\Core\BaseApiController;
use App\Http\Requests\Grading\BelowSixtyEmailRequest;
use App\Http\Requests\Grading\AllDecisionsRequest;
use App\Http\Requests\Grading\BelowSixtyDecisionDetailsRequest;
use App\Http\Requests\Grading\BelowSixtyDecisionListRequest;
use App\Http\Requests\Grading\BelowSixtyDecisionSaveRequest;
@@ -13,6 +14,7 @@ use App\Http\Requests\Grading\BelowSixtyMeetingSaveRequest;
use App\Http\Requests\Grading\BelowSixtySendRequest;
use App\Http\Requests\Grading\BelowSixtyStatusRequest;
use App\Http\Requests\Grading\BelowSixtyListRequest;
use App\Http\Requests\Grading\GenerateAllDecisionsRequest;
use App\Http\Requests\Grading\GradingLockAllRequest;
use App\Http\Requests\Grading\GradingLockRequest;
use App\Http\Requests\Grading\GradingOverviewRequest;
@@ -316,6 +318,27 @@ class GradingController extends BaseApiController
return response()->json(['ok' => true] + $data);
}
public function allDecisions(AllDecisionsRequest $request): JsonResponse
{
$payload = $request->validated();
$data = $this->belowSixtyService->listAllDecisions((string) $payload['school_year']);
return response()->json(['ok' => true] + $data);
}
public function generateAllDecisions(GenerateAllDecisionsRequest $request): JsonResponse
{
$userId = $this->authenticatedUserIdOrUnauthorized();
if ($userId instanceof JsonResponse) {
return $userId;
}
$payload = $request->validated();
$count = $this->belowSixtyService->generateAllDecisions((string) $payload['school_year'], $userId);
return response()->json(['ok' => true, 'saved_count' => $count]);
}
public function belowSixtyDecisions(BelowSixtyDecisionListRequest $request): JsonResponse
{
$payload = $request->validated();
@@ -47,7 +47,7 @@ class PrintRequestsController extends BaseApiController
}
$validator = Validator::make($request->all(), [
'file' => ['required', 'file', 'max:5120', 'mimes:pdf,jpg,jpeg,png,doc,docx,txt'],
'file' => ['required', 'file', 'max:5120', 'mimes:pdf,jpg,jpeg,png,doc,docx,txt', 'mimetypes:application/pdf,image/jpeg,image/png,text/plain,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
'page_selection' => ['nullable', 'string', 'regex:/^\s*\d+(?:\s*-\s*\d+)?(?:\s*,\s*\d+(?:\s*-\s*\d+)?)*\s*$/'],
'num_copies' => ['required', 'integer', 'min:1'],
'required_by' => ['required', 'date'],
@@ -97,7 +97,7 @@ class PrintRequestsController extends BaseApiController
];
if ($request->hasFile('file') && $request->file('file')->isValid()) {
$rules['file'] = ['required', 'file', 'max:5120', 'mimes:pdf,jpg,jpeg,png,doc,docx,txt'];
$rules['file'] = ['required', 'file', 'max:5120', 'mimes:pdf,jpg,jpeg,png,doc,docx,txt', 'mimetypes:application/pdf,image/jpeg,image/png,text/plain,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document'];
}
$validator = Validator::make($request->all(), $rules);
@@ -5,6 +5,8 @@ namespace App\Http\Controllers\Api;
use App\Http\Requests\Roles\RoleSwitchRequest;
use App\Services\Roles\RoleSwitchService;
use Illuminate\Http\JsonResponse;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpFoundation\Response;
class RoleSwitcherController extends BaseApiController
@@ -33,8 +35,19 @@ class RoleSwitcherController extends BaseApiController
public function switch(RoleSwitchRequest $request): JsonResponse
{
$userId = (int) (auth()->id() ?? 0);
if ($userId <= 0) {
return $this->error('Please log in first.', Response::HTTP_UNAUTHORIZED);
}
$role = (string) $request->validated()['role'];
$route = $this->switchService->switchRole($role);
try {
$route = $this->switchService->switchRole($userId, $role);
} catch (AccessDeniedHttpException $e) {
return $this->error($e->getMessage(), Response::HTTP_FORBIDDEN);
} catch (NotFoundHttpException $e) {
return $this->error($e->getMessage(), Response::HTTP_NOT_FOUND);
}
return $this->success([
'role' => $role,