60c27e50cb
chore: snapshot notifications hardening and css/docs alignment
2026-03-20 00:05:03 +01:00
c7b8fd516a
feat: extend module platform with UI slots, runtime components, CLI tooling and {{userId}} search support
...
Completes the generic module platform that enables modules to contribute
UI elements, runtime JS components, and search resources without any
core hardcoding.
New generic UI slot types:
- topbar.right_item: module-contributed topbar buttons
- layout.body_end_template: module-contributed dialog/overlay templates
- layout.head_style: module-contributed global CSS
- runtime.component: declarative JS component registration with phase ordering
New infrastructure:
- ModuleAutoloader: PSR-4 autoloading for module-local PHP classes
- ModuleRuntimePageBuilder: symlinks module pages into runtime directory
- ModuleRuntimeAssetPublisher: publishes module CSS/JS to web/modules/
- ModulePermissionSynchronizer: syncs module permissions to DB
- CLI scripts: module-runtime-sync, module-build, module-migrate,
module-permissions-sync, module-assets-sync
- {{userId}} placeholder in SearchDataService for user-scoped search queries
- Component runtime with phased initialization (early/default/late)
- AppContainer.protectExistingBindings() to prevent module→core overwrites
- Architecture tests: ModuleStructureContractTest, CoreTemplateIsolationTest,
FrontendComponentRuntimeContractTest, AppContainerIsolationContractTest
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-18 22:19:56 +01:00
921977bdd3
create without tab storage local
2026-03-14 16:08:19 +01:00
aaea038619
assign role roles
2026-03-13 21:11:48 +01:00
ad8f30cb09
feat(security): add Content-Security-Policy headers with strict script-src
...
Eliminate all inline scripts to enable script-src 'self' without
'unsafe-inline', providing strong XSS mitigation via CSP.
Inline script removal:
- login.phtml: replace inline APP_ASSET_BASE with data-asset-base
attribute + app-boot.js (matching default.phtml pattern)
- api-docs: extract SwaggerUI init to js/pages/admin-api-docs-index.js
- docs: extract checkbox enablement to js/pages/admin-docs-index.js
- language-switcher: replace onchange handler with data-auto-submit
attribute + js/components/app-auto-submit.js event listener
CSP policy (dev + prod nginx):
default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline';
img-src 'self' data:; font-src 'self'; connect-src 'self';
form-action 'self'; base-uri 'self'; frame-ancestors 'none';
manifest-src 'self'
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-13 19:24:10 +01:00
04995e3712
feat(session): preserve intended URL across session timeout and add expiry warning dialog
...
When a session expires, the user's current URL is now captured and restored
after re-authentication (via remember-me cookie or manual login), instead of
always redirecting to the dashboard. A JavaScript session warning dialog
appears ~2 minutes before idle timeout, allowing users to extend their session
with a single click. Includes open-redirect prevention via URL validation,
Microsoft SSO callback support, and 33 unit tests.
Refs: SESSION-REDIRECT-PRESERVE-001
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-13 14:28:49 +01:00
010690de19
refactor(actions): deduplicate audit metadata and grid user count enrichment
2026-03-13 12:05:11 +01:00
892da0048d
refactor(arch): enforce gateway compliance and remove service-wrapping gateways
2026-03-13 11:31:33 +01:00
082fa4c9a5
empty states
2026-03-13 09:49:11 +01:00
cb7256aebc
variablen und empty states
2026-03-12 16:47:53 +01:00
0b9014dcbf
page update
2026-03-12 14:09:06 +01:00
17a72af5f2
guard permission fix
2026-03-12 13:01:06 +01:00
eb748b2fa4
setting UI/UX
2026-03-12 12:11:31 +01:00
24a6b79f7a
Fix tenant SSO status mode and refactor status UI tiles
2026-03-12 10:01:24 +01:00
e9f73bc96a
ui changes and role switch added
2026-03-12 09:41:18 +01:00
277168f7e8
feat(admin): preserve list return target for back and close actions
2026-03-11 23:32:11 +01:00
71b2d4a696
Extend users detail empty states to remaining non-list areas
2026-03-11 22:05:03 +01:00
4885135849
Adopt global empty-state for remaining user form empties
2026-03-11 21:42:43 +01:00
a1c7c9cf7d
Standardize global empty-state UI component
2026-03-11 21:38:15 +01:00
964c07a9de
feat(auth): add microsoft auto-remember policy with tenant override and configurable remember TTL
2026-03-10 22:48:10 +01:00
fd90065048
fix(security): add CSRF protection to all POST endpoints + contract tests (B2)
...
CSRF guards added to 16 admin pages that previously accepted POST requests
without token verification (GR-SEC-001): departments, permissions, roles,
settings, tenants, users (create/edit/bulk/tokens), and lang switch.
New contract tests:
- PostEndpointCsrfContractTest: scans all pages/ for POST handlers and
verifies checkCsrfToken is present (API/data endpoints exempt).
- DatabaseUpdatesContractTest: validates db/updates/ scripts follow naming
convention and use idempotent SQL patterns (GR-CORE-010).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-10 15:40:07 +01:00
6286ec4179
settings ui/ux optimization
2026-03-09 22:29:45 +01:00
1b872f145c
added details card component
2026-03-09 21:57:52 +01:00
af8ee10930
feat(auth): keep remember tokens on session timeout
...
- add timeout-specific logout path without remember-token revocation
- reset session timers after remember-me auto login
- compact session policy wording in admin settings (DE/EN)
- extend auth tests for timeout/manual logout behavior
2026-03-09 20:47:21 +01:00
792af5a532
feat(settings): add admin session policy management
2026-03-09 20:07:55 +01:00
01c05d997f
fix(security): enforce atomic role/permission writes and user assignment rollback
2026-03-09 19:54:58 +01:00
11ca546eae
feat(security): add session timeout + transaction wrapping (B1)
...
Session timeout: configurable idle (default 30min) and absolute (default 8h)
timeouts via DB settings, enforced in web/index.php on every request.
Timestamps set at login in action layer; graceful fallback for pre-existing
sessions.
Transaction wrapping: UserAccountService.createFromAdmin/register, roles
create/edit, and permissions edit now wrap multi-step DB operations in
transactions to guarantee atomicity.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-09 19:16:26 +01:00
fb6f87374f
fix(theme): stabilize tenant switch theme propagation and toggle race handling
...
Task: REVIEW-USER-THEME-001
2026-03-07 20:14:29 +01:00
549d9dd6f4
test(auth): add 33 unit tests for AuthService and RememberMeService
...
AuthServiceTest (17 tests): canLoginToTenant, refreshSessionAuthState,
loginUserById, login email-not-verified branch.
RememberMeServiceTest (16 tests): rememberUser, autoLoginFromCookie
(all 11 branches), forgetCurrentUser, forgetAllForUser,
expireAllTokensByAdmin.
Also fixes: 3 PHPStan errors in FrontendTelemetryIngestService,
8 CS-Fixer violations in out-of-scope files (ordered_imports,
braces_position).
All quality gates green: QG-001 (429 tests/0 failures),
QG-002 (0 errors), QG-003 (11 arch tests pass), QG-006 (0 violations).
Task: AUTH-LOGIN-REVIEW-001
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-06 11:43:31 +01:00
205da203cc
refactor(pages): replace superglobals with request/session abstractions
2026-03-06 11:28:22 +01:00
9a08f96c11
agent foundation
2026-03-06 00:44:52 +01:00
c5f657c8c8
listen ansichten verbessert
2026-03-05 11:17:42 +01:00
4b31fc7664
Repo Interface für tests
2026-03-05 08:26:51 +01:00
8f4dd5840d
major update
2026-03-04 15:56:58 +01:00
16759a2732
weitere updates für instanzierbarkeit und sauberes testing
2026-02-24 08:49:40 +01:00
7b53faca37
bisschen tests fixen
2026-02-23 16:00:04 +01:00
99db252f60
instances added god may help
2026-02-23 12:58:19 +01:00
25370a1a55
add composer-unused, comprehensive docs, and project restructure
...
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-02-22 15:27:35 +01:00
3eb9cc0ac4
big restructure
2026-02-11 19:28:12 +01:00
cd59ccd99b
baseline
2026-02-04 23:31:53 +01:00