gitweb.erp-flowers.ru Git - erp24_rep/yii-erp24/.git/commit
fix: review fixes — security, async conversion, CDN→local, tests rewrite
Code review (39 findings) fixes:
CRITICAL:
- CDN Plyr.js → local /js/plyr.min.js, /css/plyr.min.css
- Sync exec('ffmpeg') → async ConvertVideoToMp4Job (RabbitMQ)
- 2>/dev/null → 2>&1 + error logging in FFmpeg commands
- Add ALLOWED_UPLOAD_EXTENSIONS whitelist (block .php, .sh, .exe)
- Rewrite tests: regex→real method calls (AAA pattern)
HIGH:
- IDOR fix in actionDeleteVideo (getAllowedStoreId check)
- Add delete-video to VerbFilter (POST only)
- Case-insensitive switch: switch($extension) via strtolower()
- File size limit (200MB) and disk space check in job
- Inline styles → CSS classes in write-offs-erp.css
- XSS: validate URL scheme (only relative paths)
MEDIUM:
- FFmpeg timeout 300s wrapper
- Plyr fallback: if (typeof Plyr === 'undefined') return
- Emoji → glyphicon in AVI download card
New files:
- erp24/jobs/ConvertVideoToMp4Job.php
- erp24/tests/unit/jobs/ConvertVideoToMp4JobTest.php
- erp24/tests/unit/controllers/WriteOffsErpControllerSecurityTest.php
- erp24/docs/plans/002-write-offs-erp-video-v2.md
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
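The commit message names two input-validation changes without showing them: an upload extension allow-list that is matched case-insensitively via strtolower(), and a URL check that accepts only relative paths. The PHP below is an added illustration of both techniques and is not code from the yii-erp24 repository; the constant ALLOWED_UPLOAD_EXTENSIONS is the commit's name, while the function names isAllowedUpload and isSafeRelativeUrl, the specific list of video extensions, and the sample inputs are assumptions made here. It goes one step beyond the commit by also rejecting double extensions such as shell.php.mp4, which a single-extension allow-list would pass.

```php
<?php
// Added example, not from the yii-erp24 project. ALLOWED_UPLOAD_EXTENSIONS is
// the constant named in the commit; isAllowedUpload(), isSafeRelativeUrl() and
// the concrete extension list are assumptions chosen for illustration.
declare(strict_types=1);

// Allow-list: .php, .sh, .exe, .phtml and everything else are rejected because
// they are absent from the list, not because each is named in a deny-list.
const ALLOWED_UPLOAD_EXTENSIONS = ['mp4', 'avi', 'mov', 'mkv', 'webm'];

function isAllowedUpload(string $filename): bool
{
    // basename() drops any directory part the client may have sent ("../x.mp4").
    $basename = basename($filename);

    // strtolower() makes "clip.MP4" and "clip.mp4" compare equal; strict
    // in_array() avoids PHP's loose comparison.
    $ext = strtolower(pathinfo($basename, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_UPLOAD_EXTENSIONS, true)) {
        return false;
    }

    // pathinfo() only sees the text after the LAST dot, so "shell.php.mp4"
    // would pass the check above. Require every dotted segment after the
    // first to be an allowed extension, which also blocks "shell.php.mp4"
    // on servers that honour multiple extensions.
    $parts = explode('.', $basename);
    array_shift($parts); // the file's stem
    foreach ($parts as $part) {
        if (!in_array(strtolower($part), ALLOWED_UPLOAD_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

function isSafeRelativeUrl(string $url): bool
{
    // Must be a same-origin absolute path: exactly one leading "/".
    if ($url === '' || $url[0] !== '/') {
        return false; // covers "javascript:...", "data:...", "http://..."
    }
    // "//host/path" is scheme-relative and browsers also accept "/\host".
    if (strlen($url) > 1 && ($url[1] === '/' || $url[1] === '\\')) {
        return false;
    }
    // Control characters (browsers strip tabs/newlines before parsing)
    // and backslashes (treated as "/" by browsers) are refused outright.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $url) === 1) {
        return false;
    }
    // Belt and braces: after the checks above parse_url() must see neither
    // a scheme nor a host component.
    $parts = parse_url($url);
    return $parts !== false && !isset($parts['scheme']) && !isset($parts['host']);
}

// Constructed sample inputs (not taken from the project).
$uploads = [
    'clip.MP4',       // uppercase extension
    'shell.php',      // not in the allow-list
    'shell.php.mp4',  // double extension
    '../../clip.mp4', // path traversal prefix
];
foreach ($uploads as $name) {
    printf("%-16s upload %s\n", $name, isAllowedUpload($name) ? 'allowed' : 'rejected');
}

$urls = [
    '/js/plyr.min.js',      // plain relative path
    '//evil.example/x.js',  // scheme-relative
    '/\\evil.example/x.js', // backslash variant of the above
    'javascript:alert(1)',  // has a scheme
];
foreach ($urls as $u) {
    printf("%-24s url %s\n", $u, isSafeRelativeUrl($u) ? 'allowed' : 'rejected');
}
```

Run it with `php example.php`; the allow-list check is what the controller should apply before the file ever reaches the conversion job, and the URL check is the kind of guard to put in front of any href or src that is built from stored data. Note that neither check inspects file contents; a magic-byte or ffprobe check on the stored file is the usual complement.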