alro65 | 7fe7304392
Security hardening: IDOR fixes, rate limiting, secret key, session cookies

- IDOR: ownership checks on WO approve/reject/done, charter update/complete/send-contracts/request-insurance, captain-contract PDF, insurance-rider PDF, delete accounting entry, delete fuel entry, update vessel
- auth.py: rate limiting (10 req/15min), explicit is_active check
- owner.py: role guard on /owner/dashboard
- __init__.py: random SECRET_KEY if unset, absolute SQLite path, parameterized SQL (no f-strings), session cookie HTTPONLY+SameSite, 8h session lifetime, db.session.get() replacing deprecated query.get()
- api.py: P&L double-count bug fixed (wo_cost was summed twice), Content-Disposition filename quoted, APP_BASE_URL env var replaces hardcoded localhost:5010, create_management_company validates password length and email uniqueness, dead code removed from sync_all_accounting
- create_admin.py: removed password from console output

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 03:01:49 -04:00
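The commit above lists three fixes that are easy to get subtly wrong: per-object ownership checks (the IDOR items), parameterized SQL in place of f-strings, and a quoted Content-Disposition filename. The block below is an added example written for this page, not code from the Fleet Management app: a stdlib sqlite3 sketch of an unguarded `update_vessel` beside an ownership-scoped one, plus a filename-quoting helper. The `vessel` table, the owner ids and every function name are constructed for the demonstration and are not the project's identifiers.

```python
"""Added example (not the project's code): ownership-scoped, parameterized
vessel updates and a quoted Content-Disposition header.

The schema, rows and owner ids are constructed for the demonstration."""
import sqlite3


def make_db():
    """Constructed in-memory table: two vessels owned by two different owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vessel (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, "
        "name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO vessel VALUES (?, ?, ?)",
        [(1, 10, "Aurora"), (2, 20, "Borealis")],
    )
    conn.commit()
    return conn


def update_vessel_unsafe(conn, vessel_id, new_name):
    """BEFORE (deliberately vulnerable): no ownership check and f-string SQL.

    Any authenticated caller can rename any vessel by id (IDOR), and a name
    containing a quote rewrites the statement itself."""
    conn.execute(f"UPDATE vessel SET name = '{new_name}' WHERE id = {vessel_id}")
    conn.commit()


def update_vessel(conn, vessel_id, current_user_id, new_name):
    """AFTER: the row must belong to the caller, and values travel as parameters.

    Scoping the UPDATE on owner_id makes the ownership check and the write one
    atomic statement, so there is no window between 'check' and 'act'.
    Returns True when exactly one row changed; a False result should be
    answered with 403/404, never treated as success."""
    cur = conn.execute(
        "UPDATE vessel SET name = ? WHERE id = ? AND owner_id = ?",
        (new_name, vessel_id, current_user_id),
    )
    conn.commit()
    return cur.rowcount == 1


def vessel_name(conn, vessel_id):
    """Read back a vessel name (parameterized), or None if the id does not exist."""
    row = conn.execute("SELECT name FROM vessel WHERE id = ?", (vessel_id,)).fetchone()
    return row[0] if row else None


def content_disposition(filename):
    """Build an attachment header with the filename as an RFC 6266 quoted-string.

    Backslashes and double quotes are escaped and CR/LF stripped, so a name such
    as  a"; x=y.pdf  cannot terminate the quoted value or append header fields."""
    safe = filename.replace("\r", "").replace("\n", "")
    safe = safe.replace("\\", "\\\\").replace('"', '\\"')
    return f'attachment; filename="{safe}"'


if __name__ == "__main__":
    # Vulnerable path: one crafted name renames every vessel, regardless of owner.
    conn = make_db()
    update_vessel_unsafe(conn, 1, "x' WHERE 1=1 --")
    print("after injection:", vessel_name(conn, 1), vessel_name(conn, 2))

    # Hardened path: owner 20 cannot touch vessel 1; owner 10 can.
    conn = make_db()
    print("cross-owner update allowed:", update_vessel(conn, 1, 20, "hijack"))
    print("own-vessel update allowed: ", update_vessel(conn, 1, 10, "Aurora II"))
    print("vessel 1 is now:", vessel_name(conn, 1))
    print(content_disposition('a"; x=y.pdf'))
```

The point of the hardened form is that the ownership predicate lives in the same statement as the write: a separate `SELECT ... WHERE id = ?` followed by an unscoped `UPDATE` would still be an IDOR if the second statement forgets the owner, and it also introduces a check-then-act race.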
alro65 | 5b7b41aa50
Initial commit: Fleet Management app with security hardening and background launcher

- Flask app with SQLAlchemy, Flask-Login, Flask-Mail
- Admin/owner roles, vessel management, charters, work orders
- Background launcher (Iniciar.vbs) runs server without terminal window
- Root redirect fixed: / → /login
- debug=False, use_reloader=False for pythonw.exe compatibility

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 02:54:10 -04:00