feat(security): add session timeout + transaction wrapping (B1)
Session timeout: configurable idle (default 30min) and absolute (default 8h) timeouts via DB settings, enforced in web/index.php on every request. Timestamps set at login in action layer; graceful fallback for pre-existing sessions. Transaction wrapping: UserAccountService.createFromAdmin/register, roles create/edit, and permissions edit now wrap multi-step DB operations in transactions to guarantee atomicity. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -50,7 +50,17 @@ if ($request->hasBody('description')) {
|
||||
$permissionIds = array_values(array_unique(array_map('intval', $permissionIds)));
|
||||
$createdId = (int) ($result['id'] ?? 0);
|
||||
if ($createdId > 0) {
|
||||
$rolePermissionRepository->replaceForRole($createdId, $permissionIds);
|
||||
$dbSession = app(\MintyPHP\Repository\Support\DatabaseSessionRepository::class);
|
||||
$dbSession->beginTransaction();
|
||||
try {
|
||||
$rolePermissionRepository->replaceForRole($createdId, $permissionIds);
|
||||
$dbSession->commitTransaction();
|
||||
} catch (\Throwable) {
|
||||
try {
|
||||
$dbSession->rollbackTransaction();
|
||||
} catch (\Throwable) {
|
||||
}
|
||||
}
|
||||
}
|
||||
$action = (string) $request->body('action', 'create');
|
||||
if ($action === 'create_close') {
|
||||
|
||||
Reference in New Issue
Block a user