a2a9423ad6
- Replace orderByRaw with parameterised CASE statements - Add Task::scopeOrderByPriority() and scopeOrderByStatus() - Add AgentPlan::scopeOrderByStatus() - Add workspace validation to StateSet, StateGet, StateList tools - Add workspace validation to PlanGet, PlanList tools - Add SecurityTest.php with comprehensive isolation tests Fixes SEC-002, SEC-003 from security audit. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
100 lines
2.5 KiB
PHP
100 lines
2.5 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace Core\Mod\Agentic\Models;
|
|
|
|
use Illuminate\Database\Eloquent\Model;
|
|
use Core\Tenant\Concerns\BelongsToWorkspace;
|
|
|
|
class Task extends Model
|
|
{
|
|
use BelongsToWorkspace;
|
|
|
|
protected $fillable = [
|
|
'workspace_id',
|
|
'title',
|
|
'description',
|
|
'status',
|
|
'priority',
|
|
'category',
|
|
'file_ref',
|
|
'line_ref',
|
|
];
|
|
|
|
protected $casts = [
|
|
'line_ref' => 'integer',
|
|
];
|
|
|
|
public function scopePending($query)
|
|
{
|
|
return $query->where('status', 'pending');
|
|
}
|
|
|
|
public function scopeInProgress($query)
|
|
{
|
|
return $query->where('status', 'in_progress');
|
|
}
|
|
|
|
public function scopeDone($query)
|
|
{
|
|
return $query->where('status', 'done');
|
|
}
|
|
|
|
public function scopeActive($query)
|
|
{
|
|
return $query->whereIn('status', ['pending', 'in_progress']);
|
|
}
|
|
|
|
/**
|
|
* Order by priority using CASE statement with whitelisted values.
|
|
*
|
|
* This is a safe replacement for orderByRaw("FIELD(priority, ...)") which
|
|
* could be vulnerable to SQL injection if extended with user input.
|
|
*/
|
|
public function scopeOrderByPriority($query, string $direction = 'asc')
|
|
{
|
|
return $query->orderByRaw('CASE priority
|
|
WHEN ? THEN 1
|
|
WHEN ? THEN 2
|
|
WHEN ? THEN 3
|
|
WHEN ? THEN 4
|
|
ELSE 5
|
|
END ' . ($direction === 'desc' ? 'DESC' : 'ASC'), ['urgent', 'high', 'normal', 'low']);
|
|
}
|
|
|
|
/**
|
|
* Order by status using CASE statement with whitelisted values.
|
|
*
|
|
* This is a safe replacement for orderByRaw("FIELD(status, ...)") which
|
|
* could be vulnerable to SQL injection if extended with user input.
|
|
*/
|
|
public function scopeOrderByStatus($query, string $direction = 'asc')
|
|
{
|
|
return $query->orderByRaw('CASE status
|
|
WHEN ? THEN 1
|
|
WHEN ? THEN 2
|
|
WHEN ? THEN 3
|
|
ELSE 4
|
|
END ' . ($direction === 'desc' ? 'DESC' : 'ASC'), ['in_progress', 'pending', 'done']);
|
|
}
|
|
|
|
public function getStatusBadgeAttribute(): string
|
|
{
|
|
return match ($this->status) {
|
|
'done' => '✓',
|
|
'in_progress' => '→',
|
|
default => '○',
|
|
};
|
|
}
|
|
|
|
public function getPriorityBadgeAttribute(): string
|
|
{
|
|
return match ($this->priority) {
|
|
'urgent' => '🔴',
|
|
'high' => '🟠',
|
|
'low' => '🔵',
|
|
default => '',
|
|
};
|
|
}
|
|
}
|