Skip to content

Update/document editor#248

Merged
itshypax merged 21 commits into
mainfrom
update/document-editor
Mar 25, 2026
Merged

Update/document editor#248
itshypax merged 21 commits into
mainfrom
update/document-editor

Conversation

@itshypax

@itshypax itshypax commented Mar 25, 2026

Copy link
Copy Markdown
Collaborator

Note

Medium Risk
Introduces new document-template APIs for asset upload/deletion and layout versioning/preview (including PDF rendering), which touches file handling and server-side rendering paths. Risk is moderate due to potential security/performance implications around uploads, permissions, and PDF generation despite permission checks.

Overview
Adds a visual document template editor backend: new APIs to upload/list/delete template assets and to save/fetch/preview canvas-based layouts, plus a layout-versions endpoint to list and restore prior layout versions.

Updates document template saving to persist a new editor_type field and broadens error handling to catch \Throwable; api/documents/list.php now disables caching. Separately standardizes several Antrag pages’ root html language attribute from en to de, and adds design-context docs in .impeccable.md and CLAUDE.md.

Written by Cursor Bugbot for commit 7870cf6. This will update automatically on new commits. Configure here.

@itshypax
itshypax marked this pull request as ready for review March 25, 2026 21:49

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Comment thread api/documents/layout-versions.php Outdated

if (!Permissions::check(['admin', 'personnel.documents.manage'])) {
http_response_code(403);
echo json_encode(['error' => 'Keine Berechtigung']);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Error responses missing success key causes silent failures

Medium Severity

The error responses in layout-versions.php return ['error' => ...] without a 'success' => false key, unlike every other API endpoint in the same directory which all use ['success' => false, 'error' => ...]. The frontend in toolbar.js checks data.success to detect errors. When success is missing (i.e., undefined), the GET handler shows "Keine Versionen vorhanden" instead of the real error, and the POST handler silently fails with the restore button stuck in a spinner state.

Additional Locations (1)
Fix in Cursor Fix in Web

Comment thread api/documents/asset-delete.php Outdated

try {
$input = json_decode(file_get_contents('php://input'), true);
$assetId = (int) ($input['id'] ?? $_GET['id'] ?? 0);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Delete endpoint accepts GET requests enabling CSRF

Medium Severity

The $_GET['id'] fallback in asset-delete.php allows asset deletion via GET requests. Since Permissions::check uses session cookies that browsers send automatically, an attacker could embed something like an image tag pointing to this endpoint with a target id, and any authenticated admin visiting that page would unknowingly trigger the deletion (CSRF). The legitimate frontend caller already uses POST with a JSON body.

Fix in Cursor Fix in Web

@github-actions

Copy link
Copy Markdown
Contributor

✅ Keine Fehler

Keine Probleme gefunden. 🎉

@itshypax
itshypax merged commit 995ea82 into main Mar 25, 2026
8 checks passed
@itshypax
itshypax deleted the update/document-editor branch March 25, 2026 22:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant