Update/document editor#248
Conversation
…ate/document-editor
…duction - Added missing require/use statements for database, Permissions, and TemplateLayoutManager in layout-versions.php - Wrapped stacktrace output in layout-preview.php behind APP_DEBUG flag Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
|
|
||
| if (!Permissions::check(['admin', 'personnel.documents.manage'])) { | ||
| http_response_code(403); | ||
| echo json_encode(['error' => 'Keine Berechtigung']); |
There was a problem hiding this comment.
Error responses missing success key causes silent failures
Medium Severity
The error responses in layout-versions.php return ['error' => ...] without a 'success' => false key, unlike every other API endpoint in the same directory which all use ['success' => false, 'error' => ...]. The frontend in toolbar.js checks data.success to detect errors. When success is missing (i.e., undefined), the GET handler shows "Keine Versionen vorhanden" instead of the real error, and the POST handler silently fails with the restore button stuck in a spinner state.
Additional Locations (1)
|
|
||
| try { | ||
| $input = json_decode(file_get_contents('php://input'), true); | ||
| $assetId = (int) ($input['id'] ?? $_GET['id'] ?? 0); |
There was a problem hiding this comment.
Delete endpoint accepts GET requests enabling CSRF
Medium Severity
The $_GET['id'] fallback in asset-delete.php allows asset deletion via GET requests. Since Permissions::check uses session cookies that browsers send automatically, an attacker could embed something like an image tag pointing to this endpoint with a target id, and any authenticated admin visiting that page would unknowingly trigger the deletion (CSRF). The legitimate frontend caller already uses POST with a JSON body.
✅ Keine FehlerKeine Probleme gefunden. 🎉 |


Note
Medium Risk
Introduces new document-template APIs for asset upload/deletion and layout versioning/preview (including PDF rendering), which touches file handling and server-side rendering paths. Risk is moderate due to potential security/performance implications around uploads, permissions, and PDF generation despite permission checks.
Overview
Adds a visual document template editor backend: new APIs to upload/list/delete template assets and to save/fetch/preview canvas-based layouts, plus a
layout-versionsendpoint to list and restore prior layout versions.Updates document template saving to persist a new
editor_typefield and broadens error handling to catch\Throwable;api/documents/list.phpnow disables caching. Separately standardizes several Antrag pages’ roothtmllanguage attribute fromentode, and adds design-context docs in.impeccable.mdandCLAUDE.md.Written by Cursor Bugbot for commit 7870cf6. This will update automatically on new commits. Configure here.