Upgrade Laravel and refactor to thin Controllers

.editorconfig

@@ -0,0 +1,18 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.{yml,yaml}]
+indent_size = 2
+
+[compose.yaml]
+indent_size = 4

.env.ci

@@ -1,26 +1,16 @@
 APP_ENV=testing
 APP_DEBUG=true
-APP_KEY=base64:lEEqEYFZGEYHBd3y3RPofI9FozOKwBCEiTANoaH2eUs=
+APP_KEY=base64:xxx
 
-CACHE_DRIVER=array
+CACHE_STORE=array
 SESSION_DRIVER=file
+SESSION_DOMAIN=null
+QUEUE_CONNECTION=sync
 QUEUE_DRIVER=sync
 
-REDIS_HOST=localhost
-REDIS_PASSWORD=null
-REDIS_PORT=6379
-
-MAIL_DRIVER=smtp
-MAIL_HOST=mailtrap.io
-MAIL_PORT=2525
-MAIL_USERNAME=null
-MAIL_PASSWORD=null
-MAIL_ENCRYPTION=null
-
 DB_CONNECTION=mysql
 DB_HOST=127.0.0.1
 DB_PORT=3306
 DB_DATABASE=daybyday_test
 DB_USERNAME=root
 DB_PASSWORD=password
-

.env.dusk.local

@@ -9,7 +9,7 @@ DB_USERNAME=root
 DB_PASSWORD=root
 DB_PORT=3306
 
-CACHE_DRIVER=array
+CACHE_STORE=array
 SESSION_DRIVER=file
 QUEUE_DRIVER=sync
 

.env.example

@@ -1,26 +1,68 @@
+APP_NAME=Laravel
 APP_ENV=local
+APP_KEY=
 APP_DEBUG=true
-APP_KEY=i53weLzCSdunQzNc2SXR2AE9XJVDuNaq
+APP_TIMEZONE=UTC
+APP_URL=http://localhost
 
-DB_HOST=localhost
-DB_DATABASE=database
-DB_USERNAME=username
-DB_PASSWORD=password
+APP_LOCALE=en
+APP_FALLBACK_LOCALE=en
+APP_FAKER_LOCALE=en_US
+DEBUGBAR_ENABLED=false
 
-CACHE_DRIVER=file
-SESSION_DRIVER=file
-QUEUE_DRIVER=sync
+APP_MAINTENANCE_DRIVER=file
+# APP_MAINTENANCE_STORE=database
 
-REDIS_HOST=localhost
+# PHP_CLI_SERVER_WORKERS=4
+
+BCRYPT_ROUNDS=12
+
+LOG_CHANNEL=stack
+LOG_STACK=single
+LOG_DEPRECATIONS_CHANNEL=null
+LOG_LEVEL=debug
+
+DB_CONNECTION=sqlite
+# DB_HOST=127.0.0.1
+# DB_PORT=3306
+# DB_DATABASE=laravel
+# DB_USERNAME=root
+# DB_PASSWORD=
+
+SESSION_DRIVER=database
+SESSION_LIFETIME=120
+SESSION_ENCRYPT=false
+SESSION_PATH=/
+SESSION_DOMAIN=null
+
+BROADCAST_CONNECTION=log
+FILESYSTEM_DISK=local
+QUEUE_CONNECTION=database
+
+CACHE_STORE=database
+CACHE_PREFIX=
+
+MEMCACHED_HOST=127.0.0.1
+
+REDIS_CLIENT=phpredis
+REDIS_HOST=127.0.0.1
 REDIS_PASSWORD=null
 REDIS_PORT=6379
 
-MAIL_DRIVER=smtp
-MAIL_HOST=mailtrap.io
+MAIL_MAILER=log
+MAIL_SCHEME=null
+MAIL_HOST=127.0.0.1
 MAIL_PORT=2525
 MAIL_USERNAME=null
 MAIL_PASSWORD=null
 MAIL_ENCRYPTION=null
+MAIL_FROM_ADDRESS="hello@example.com"
+MAIL_FROM_NAME="${APP_NAME}"
 
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_DEFAULT_REGION=us-east-1
+AWS_BUCKET=
+AWS_USE_PATH_STYLE_ENDPOINT=false
 
-
+VITE_APP_NAME="${APP_NAME}"

.env.testing

@@ -0,0 +1,37 @@
+APP_ENV=testing
+APP_DEBUG=true
+APP_KEY=base64:HlxW5wzUCf5xPY/YTueJnUKzq4OZ6qByEjQhwYCDU/U=
+
+APP_TIMEZONE=UTC
+APP_LOCALE=en
+APP_FALLBACK_LOCALE=en
+
+CACHE_STORE=array
+SESSION_DRIVER=array
+SESSION_DOMAIN=null
+QUEUE_CONNECTION=sync
+QUEUE_DRIVER=sync
+
+DB_CONNECTION=mysql
+DB_HOST=127.0.0.1
+DB_PORT=3306
+DB_DATABASE=daybyday_test
+DB_USERNAME=root
+DB_PASSWORD=password
+
+MAIL_MAILER=array
+BROADCAST_CONNECTION=null
+
+BCRYPT_ROUNDS=4
+
+LOG_CHANNEL=stack
+LOG_LEVEL=debug
+
+# — a sent invoice in your test database
+SEED_INVOICE_EXTERNAL_ID=
+
+# — a draft/unsent invoice
+SEED_DRAFT_INVOICE_EXTERNAL_ID=
+
+# — one seeded appointment (since the store route doesn't exist)
+SEED_APPOINTMENT_EXTERNAL_ID=

.gitattributes

@@ -1,4 +1,11 @@
-* text=auto
-*.css linguist-vendored
-*.less linguist-vendored
-*.rb linguist-language=Php
+* text=auto eol=lf
+
+*.blade.php diff=html
+*.css diff=css
+*.html diff=html
+*.md diff=markdown
+*.php diff=php
+
+/.github export-ignore
+CHANGELOG.md export-ignore
+.styleci.yml export-ignore

.github/ARCHITECTURE.md

@@ -0,0 +1,54 @@
+# System Architecture & Technical Analysis
+
+## System Overview
+DaybydayCRM is a modular CRM built with Laravel, separating logic into domain-specific modules. It utilizes a layered architecture (Controllers → Services/Actions → Repositories → Models).
+
+---
+
+## Technical Debt & Analysis
+
+### 1. Factories & Database Defaults
+- **Problem:** Many models (Activity, Lead, Project, Task) depend on observers or manual `boot` method logic for critical fields like `external_id` (UUID). This logic is often bypassed during tests, causing "Missing Default Value" errors.
+- **Goal:** Modernize all factories to Class-based models and centralize UUID generation in the `HasExternalId` trait.
+
+### 2. Business Logic Leaks
+- **Problem:** Fat controllers are common, handling activity logging, notification sending, and data transformation.
+- **Solution:** Encapsulate business logic in Service classes or single-purpose Action classes (`app/Actions/`). Controllers should focus on request handling and response generation.
+
+### 3. Authorization & Permissions
+- **Problem:** The current authorization system (Entrust) is aging and complex. Some policies are missing or incorrectly referenced.
+- **Goal:** Audit all Policies and transition to Laravel's native Gates and Policies for better consistency and performance.
+
+### 4. Frontend Asset Pipeline
+- **Problem:** Vue 2 is End-of-Life (EOL), and the asset pipeline relies on legacy `laravel-mix` (Webpack).
+- **Goal:** Roadmap migration to Vue 3 and Vite for faster development and improved security.
+
+---
+
+## Core Infrastructure
+
+### Trait-Based Behavior
+- **Blameable:** Automatically tracks `user_created_id` and `user_updated_id`.
+- **Statusable:** Standardized status handling with helper methods.
+- **HasExternalId:** Automatically generates UUIDs for `external_id` and sets it as route key.
+
+### Model Observer Pattern
+Observers are used for automatic side effects:
+- File deletion upon model removal.
+- Cascade soft deletes.
+- Automatic logging/auditing.
+- Search index updates.
+- Registered in `AppServiceProvider::boot()`.
+
+### Repository Pattern
+Used for:
+- Data access abstraction.
+- External system integration (e.g., Billing, Filesystem).
+- Multi-tenant query scoping.
+
+---
+
+## API Architecture
+- **API routes:** `routes/api.php`
+- **Authentication:** `auth:api` middleware.
+- **Response Format:** Standard JSON responses.

.github/CHANGELOG.md

@@ -0,0 +1,98 @@
+# Changelog - Authorization and Security Fixes
+
+## [Unreleased] - 2026-04-08
+
+### Security Fixes
+
+#### SearchController: Arbitrary Class Instantiation Prevention
+- **Issue**: URL parameter used directly as class name allowing arbitrary class instantiation.
+- **Fix**: Added allowlist validation for search types.
+- **Allowed types**: Client, Task, Project, Lead, User.
+- **Impact**: CRITICAL - Prevents potential remote code execution.
+
+#### Authorization Enforcement Added
+
+All delete operations across resource types now properly enforce permission checks via middleware:
+
+- **UsersController**: Added `user-delete` permission check to `destroy()` method
+- **ClientsController**: Added `client-delete` permission check to `destroy()` method  
+- **TasksController**: Added `task-delete` permission check to `destroy()` method
+- **LeadsController**: Added `lead-delete` permission checks to both `destroy()` and `destroyJson()` methods
+- **ProjectsController**: Added `project-delete` permission check to `destroy()` method
+- **OffersController**: Added comprehensive permission checks:
+  - `offer-create` for `create()` method
+  - `offer-edit` for `update()`, `won()`, and `lost()` methods
+
+#### Settings Access Control
+
+- **SettingsController**: Extended admin-only middleware from `index` to include `updateOverall` and `updateFirstStep` methods, preventing non-admin users from modifying:
+  - Company currency and VAT rate
+  - Invoice and client numbering schemes
+  - Business hours
+
+#### Assignment Permission Checks
+
+- **ProjectsController**: Added `can-assign-new-user-to-project` permission check to `updateAssign()` method
+- **TasksController**: Added `task-update-linked-project` permission check to `updateProject()` method
+
+#### File Upload Authorization
+
+- **DocumentsController**: Enabled previously commented-out permission checks:
+  - `task-upload-files` permission for `uploadToTask()` method
+  - `project-upload-files` permission for `uploadToProject()` method
+
+### Mass Assignment Protection
+
+Fixed mass assignment vulnerabilities in status update endpoints by replacing `fill($request->all())` with explicit field filtering:
+
+- **TasksController::updateStatus**: Now only accepts `status_id` field
+- **LeadsController::updateAssign**: Now only accepts `user_assigned_id` field
+- **LeadsController::updateStatus**: Now only accepts `status_id` field  
+- **ProjectsController::updateStatus**: Now only accepts `status_id` field
+
+This prevents malicious users from modifying unintended fields (title, description, assigned user, etc.) via status update requests.
+
+### Database Schema Updates
+
+Added missing permissions to `PermissionsTableSeeder`:
+- `task-delete`: Permission to delete a task
+- `lead-delete`: Permission to delete a lead
+- `project-delete`: Permission to delete a project
+
+### Code Quality Improvements
+
+- Added null checks when resolving `Status` by external ID to prevent null pointer exceptions
+- Improved error handling in status update methods across Tasks, Leads, and Projects controllers
+
+### Testing
+
+Added comprehensive PHPUnit authorization test suites with `#[Group('authorization-fix')]` attribute:
+
+- **TaskAuthorizationTest**: 5 tests covering delete, project update, and mass assignment protection
+- **LeadAuthorizationTest**: 4 tests covering delete and mass assignment protection
+- **ProjectAuthorizationTest**: 5 tests covering delete, assignment, and mass assignment protection
+- **ClientAuthorizationTest**: 2 tests covering delete authorization
+- **UserAuthorizationTest**: 3 tests covering delete authorization and owner protection
+- **OfferAuthorizationTest**: 8 tests covering create, edit, won/lost, and authorization
+- **SettingsAuthorizationTest**: 6 tests covering admin-only access controls
+- **DocumentAuthorizationTest**: 4 tests covering file upload permissions
+
+Fixed incomplete tests:
+- Removed `markTestIncomplete()` from `UsersControllerTest::owner_can_update_user_role()`
+- Removed `markTestIncomplete()` from `PaymentsControllerTest::can_delete_payment()`
+
+### Impact
+
+**Before**: Any authenticated user could delete any resource, modify critical system settings, and exploit mass assignment to change arbitrary model fields.
+
+**After**: All operations enforce proper role-based authorization as defined in the database permissions system.
+
+### Migration Notes
+
+Existing installations should run database seeders to ensure the new permissions (`task-delete`, `lead-delete`, `project-delete`) are created:
+
+```bash
+php artisan db:seed --class=PermissionsTableSeeder
+```
+
+Administrators should review and assign the new delete permissions to appropriate roles based on their organization's security policies.