Commit Graph

17 Commits

Author SHA1 Message Date
d1da560764 fix: sync CSS classes with refactored layout, restore missing sidebar items, add asset versioning, fix routes and auth 2026-06-14 08:54:37 -04:00
c9ab2ca98b fix: correct asset paths in layout - app.css->style.css, favicon.svg->server.svg 2026-06-14 08:09:06 -04:00
88f3c1f964 refactor: extract inline CSS/JS from views into separate asset files (20+ files)
Phase A — HTML removed from PHP files:
- RateLimitMiddleware.php: heredoc moved to views/errors/429.php
- public/index.php: inline HTML replaced with View::error()
- AuthMiddleware.php: <script> redirect replaced with <meta refresh>

Phase B — Inline CSS/JS extracted from views:
- CSS: landing.css (459 lines), legal.css (shared by terms+privacy)
- JS: 17 new files extracted from ~20 view files
  - main.js (layout sidebar + notifications)
  - dashboard-chart.js, server-show.js, server-services.js
  - nginx-manager.js, database-manager.js
  - terminal.js, team-show.js, team-index.js
  - server-list.js, server-permissions.js (shared by edit+create)
  - server-ssl.js, server-processes.js, system-users.js
  - admin-users.js, audit-log.js, admin-notifications.js, admin-security.js
  - notifications.js

Total: -3264 lines from views, +288 lines in new assets
2026-06-14 08:04:01 -04:00
a5eb101d98 security: fix auth bypass, XSS, IDOR, command injection, session hardening, rate limiting
- Phase 1: Require authentication for API register endpoint; restrict role creation
- Phase 2: Add $fillable whitelist to Server model to prevent mass assignment
- Phase 3: Fix XSS via escapeHtml in sidebar, JSON_HEX_TAG in script embeds
- Phase 4: Add canView() checks to TerminalController history/clearHistory
- Phase 5: escapeshellarg() on certbot params, sanitize service names, regex-based command blocklist, suppress exception messages
- Phase 6: SESSION_SECURE=true, SameSite=Strict, logout via POST+CSRF, chmod 640 .env
- Phase 7: DB-based rate limiting replacing session-based, applied to API login/register
2026-06-14 07:32:18 -04:00
b05c1120f0 feat: add privacy policy, terms, and animated landing page 2026-06-13 21:33:42 -04:00
045f33bbc1 fix: use server-side time_ago for notification timestamps 2026-06-13 16:56:43 -04:00
e1b6650454 feat: notification dropdown panel and /notifications page 2026-06-13 16:48:05 -04:00
25dfb517ee feat: notification bell with modal showing 10 latest notifications 2026-06-13 16:41:56 -04:00
53e9b92a8d feat: admin app version mgmt + notification system
- New tables: app_config, notifications
- Admin views: App Version editor, Notification sender
- API: GET /api/notifications, POST /api/notifications/:id/read, POST /api/notifications/read-all
- App version now stored in DB, editable by super admin
- Notifications: send to all users or specific user
- Android notification models + API client
- Sidebar: App Version + Notifications links for super_admin
2026-06-09 17:06:22 -04:00
b613e43ab3 feat: redesign Android app with animations, charts, profile, and registration
- Register screen with validation (username, email, password, confirm)
- Profile screen with email editing and password change
- User greeting on dashboard showing logged-in username
- 401 auto-logout via SessionManager + AuthInterceptor
- MetricsChart with Canvas line graphs (CPU, RAM, Disk)
- Animated StatCard with counters and icons
- ServerCard with progress bars, pulsating status dot, dynamic elevation
- Shimmer loading placeholders
- Dark mode support with Material3
- Navigation transitions (slide + fade)
- New server rack launcher icon
- Splash screen
- Backend API: register, profile (GET/PUT) endpoints
2026-06-09 16:38:04 -04:00
c45354db11 Fix theme toggle (add light theme CSS) and improve mobile sidebar usability 2026-06-07 13:02:31 -04:00
5b13518672 Refactor sidebar: use is_super_admin/is_admin helpers, restrict Users/Audit/Security to super_admin only 2026-06-07 07:36:34 -04:00
016584e907 Restrict Users, Audit Logs, Security routes to super_admin only
- Sidebar: Users, Audit Logs and Security now only visible to super_admin
- AdminController: requireSuperAdmin() check on users() and auditLogs()
- AdminController: super_admin check on createUser, updateUser, deleteUser JSON endpoints
- securitySettings() already had the check in place
2026-06-07 07:34:16 -04:00
58be111745 Fix: wrap entire Administration section in admin+ check to prevent Security leak for operators 2026-06-07 07:31:34 -04:00
5607a3e507 Replace old team system with work teams (equipos de trabajo)
- New migration 003_teams.sql: teams, team_user, team_server tables
- New Team model with CRUD, members, and server assignment
- New TeamController with full team management
- New views: teams/index, teams/create, teams/show
- Server model: getUserRole and getAccessibleServerIds now include team-based access
- Sidebar: Teams link under Administration (admin+ only)
- Routes: old /team routes removed, new /teams routes added
- Removed old ServerController team methods and views
- Fixed sidebar empty accessible IDs returning all servers
- Fixed dashboard and API to show empty when no accessible servers
2026-06-07 07:08:26 -04:00
5f5de248c6 Add server ownership, team access, role-based UI, and default admin role
- New migration 002_server_access.sql: created_by column + server_user table
- Server model: ownership, permission checks, team management methods
- Routes: /team routes, RoleMiddleware on /servers/create and /admin
- ServerController: permission checks via server_user, team CRUD methods
- TerminalController: server access checks
- DashboardController: filter servers by accessible ones
- ApiController: server access checks
- Views: team.php, team_server.php, sidebar Team link, hide actions by role
- Default user role changed from operator to admin on registration
- Admin user form defaults to admin role
2026-06-07 06:49:12 -04:00
c3009fbbf7 Add views directory and UI improvements
- Add all view templates (servers, auth, dashboard, admin, layouts, errors, terminal)
- Fix SSH double decryption bug in SSHService
- Fix router parameter type casting for strict_types
- Add missing error views (401, 403, 404)
- Add nginx manager with file editing
- Add SSL certificates management
- Add database manager with phpMyAdmin-like interface
- Add sidebar server accordion
2026-06-06 17:59:13 -04:00