Go to file

Joel Wedemire 652829ab90 fix: bootstrap blocker + 4 security bugs

- Bootstrap (critical): settings/create/index no longer 403 on fresh install.
  Site admins (admin/super_admin) can access settings when 0 groups exist.
  First group creation seeds default priorities (Low/Medium/High/Urgent).
  Index shows friendly first-run splash. Create shows warning + settings link.

- Internal notes leak (high): submitters can no longer receive is_internal
  messages via ticket show, index detail panel, or any Inertia prop.
  filterMessagesForRole() strips internal notes for non-agents.

- Arbitrary assignee (med/high): update() now validates assigned_to against
  actual agent-access users for the ticket's group server-side.

- Cross-group priority/project forgery (medium): store() and update() now
  verify priority_id and project_id belong to the ticket's own group (or
  are global for priorities).

- Foreign message_id on attachment upload (medium): message_id is now
  validated to belong to the current ticket, not just any message row.

2026-04-08 18:31:51 -07:00

database/migrations

feat: full dashboard-ticketing scaffold with data model, controllers, Vue pages

2026-04-08 17:10:30 -07:00

resources/js/Pages/Ticketing

fix: bootstrap blocker + 4 security bugs

2026-04-08 18:31:51 -07:00

src

fix: bootstrap blocker + 4 security bugs

2026-04-08 18:31:51 -07:00

composer.json

fix: orWhereIn typo; broaden illuminate/support and inertia-laravel version constraints

2026-04-08 17:16:29 -07:00

README.md

initial commit

2026-04-08 14:12:03 -07:00