remco/Atomcms-edit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix security, performance, and code quality issues across CMS

Browse Source 
Security:
- Replace unescaped {!! !!} with Purify::clean() in 15+ Blade templates (XSS)
- Add rate limiting to register (3/hr), upload (10/min), SSE (6/min)
- Add max:5000 validation on article comments
- Remove duplicate exception handler callback

Hardcoded paths:
- Replace ~44 /var/www/ hardcoded paths with env() configs
- CatalogService (13), AutoDetectService (18), Commandocentrum (11), AppServiceProvider (2)

Performance:
- Add 10 missing database indexes (radio_song_requests, help_center_tickets, etc.)
- Replace Cache::flush() with targeted Cache::forget() in RadioSettings
- Cache getCachedCategories() in TicketController (N+1 fix)
- Remove redundant top-3 leaderboard query

Bug fixes:
- Fix undefined $enabled variable → $isOnline in radio index view
- Add getAvatarAttribute() accessor for non-existent avatar column
- Fix User::guilds() from wrong HasMany to HasManyThrough

Code quality:
- Replace file_get_contents with Http::timeout(10) in TraxService
- Remove commented Echo/Pusher boilerplate in bootstrap.js
- Remove TODO/FIXME comments from logo-generator templates
- Replace hardcoded Turnstile CDN URL with config()
- Restore QUEUE_CONNECTION=redis in .env.example files
This commit is contained in:
root
2026-06-29 18:28:19 +02:00
parent ef0aec4301
commit f29ba72591
30 changed files with 407 additions and 159 deletions
Download Patch File Download Diff File Expand all files Collapse all files
routes/api.php
+3 -3
View File
@@ -29,7 +29,7 @@ Route::prefix('auth')->group(function () {
Route::post('/login', [AuthController::class, 'login']);
Route::post('/logout', [AuthController::class, 'logout'])->middleware('auth:sanctum');
Route::get('/user', [AuthController::class, 'user'])->middleware('auth:sanctum');
Route::post('/register', [AuthController::class, 'register']);
Route::post('/register', [AuthController::class, 'register'])->middleware('throttle:register');
Route::put('/user', [AuthController::class, 'updateUser'])->middleware('auth:sanctum');
Route::put('/user/password', [AuthController::class, 'updatePassword'])->middleware('auth:sanctum');
});
@@ -81,7 +81,7 @@ Route::get('/radio/listeners', [RadioController::class, 'listeners'])->middlewar
Route::get('/radio/shouts', [RadioController::class, 'getShouts'])->middleware('throttle:100,1')->name('api.radio.shouts');
// Radio SSE (Server-Sent Events) stream
Route::get('/radio/sse', [\App\Http\Controllers\Radio\SseController::class, 'stream'])->name('api.radio.sse');
Route::get('/radio/sse', [\App\Http\Controllers\Radio\SseController::class, 'stream'])->middleware('throttle:sse')->name('api.radio.sse');
// Radio embed config
Route::get('/radio/embed/config', [\App\Http\Controllers\Radio\EmbedController::class, 'config'])->middleware('throttle:100,1')->name('api.radio.embed.config');
@@ -108,7 +108,7 @@ Route::post('/help/tickets', [HelpApiController::class, 'create'])->middleware('
Route::post('/help/tickets/{id}/reply', [HelpApiController::class, 'reply'])->middleware('auth:sanctum');
// Photo Upload
Route::post('/photos/upload', [MediaApiController::class, 'upload'])->middleware('auth:sanctum');
Route::post('/photos/upload', [MediaApiController::class, 'upload'])->middleware(['auth:sanctum', 'throttle:upload']);
// Shop Purchase
Route::post('/shop/packages/{packageId}/purchase', [ShopApiController::class, 'purchase'])->middleware('auth:sanctum');