Security hardening and performance improvements

- Add visibility check to attachment downloads (prevents unauthorized access) - Fix ticket ID collision with uniqueness verification loop - Harden CSP: replace unsafe-inline with nonce-based script execution - Add IP-based rate limiting (supplements session-based) - Add visibility checks to bulk operations - Validate internal visibility requires groups - Optimize user activity query (JOINs vs subqueries) - Update documentation with design decisions and security info Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 20:27:15 -05:00
parent a08390a500
commit fa40010287
17 changed files with 457 additions and 128 deletions
--- a/views/admin/CustomFieldsView.php
+++ b/views/admin/CustomFieldsView.php
@@ -1,6 +1,9 @@
 <?php
 // Admin view for managing custom fields
 // Receives $customFields from controller
+require_once __DIR__ . '/../../middleware/SecurityHeadersMiddleware.php';
+require_once __DIR__ . '/../../middleware/CsrfMiddleware.php';
+$nonce = SecurityHeadersMiddleware::getNonce();
 ?>
 <!DOCTYPE html>
 <html lang="en">
@@ -11,11 +14,8 @@
    <link rel="icon" type="image/png" href="<?php echo $GLOBALS['config']['ASSETS_URL']; ?>/images/favicon.png">
    <link rel="stylesheet" href="<?php echo $GLOBALS['config']['ASSETS_URL']; ?>/css/dashboard.css">
    <link rel="stylesheet" href="<?php echo $GLOBALS['config']['ASSETS_URL']; ?>/css/ticket.css">
-    <script>
-        window.CSRF_TOKEN = '<?php
-            require_once __DIR__ . '/../../middleware/CsrfMiddleware.php';
-            echo CsrfMiddleware::getToken();
-        ?>';
+    <script nonce="<?php echo $nonce; ?>">
+        window.CSRF_TOKEN = '<?php echo CsrfMiddleware::getToken(); ?>';
    </script>
 </head>
 <body>
@@ -154,8 +154,8 @@
        </div>
    </div>

-    <script src="<?php echo $GLOBALS['config']['ASSETS_URL']; ?>/js/toast.js"></script>
-    <script>
+    <script nonce="<?php echo $nonce; ?>" src="<?php echo $GLOBALS['config']['ASSETS_URL']; ?>/js/toast.js"></script>
+    <script nonce="<?php echo $nonce; ?>">
        function showCreateModal() {
            document.getElementById('modalTitle').textContent = 'Create Custom Field';
            document.getElementById('fieldForm').reset();