Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| $views = array_map(function ($item) { | ||
| return $item['name']; | ||
| }, Schema::getViews()); | ||
| }, Schema::getViews($database)); |
There was a problem hiding this comment.
getViews returns incompatible data structure breaking view logic
High Severity
The getViews() method now returns a numerically-indexed array of view name strings, but consumers expect an associative array keyed by view name with objects having a getSql() method. In shouldCreate(), the check isset($views[$viewName]) will always fail since the array uses numeric keys, causing views to always be recreated unnecessarily. In the up() method's foreach loop, $viewName becomes numeric indices (0, 1, 2...) instead of actual view names, breaking the dropped table detection logic entirely.
Additional Locations (2)
nolanpro
changed the title
| $request->name, | ||
| null, // provider | ||
| false // confidential | ||
| ); |
There was a problem hiding this comment.
OAuth clients not associated with user when created
High Severity
When creating personal access or password grant clients via store(), the new code uses createPersonalAccessGrantClient() and createPasswordGrantClient() which don't associate the client with the authenticated user. The old code passed $request->user()->getKey() to link all client types to the user. Since show(), update(), and destroy() all use findForUser($clientId, $request->user()) to retrieve clients, users can no longer access, modify, or delete personal access and password grant clients they create through this API.
Additional Locations (2)
| public function update(Request $request, $clientId) | ||
| { | ||
| $client = $this->clients->find($clientId); | ||
| $client = $this->clients->findForUser($clientId, $request->user()); |
There was a problem hiding this comment.
OAuth client update/destroy restricted to owner only
Medium Severity
The update and destroy methods changed from $this->clients->find($clientId) to $this->clients->findForUser($clientId, $request->user()). This restricts operations to only clients owned by the requesting user, while the index method still returns ALL clients. Users with edit-auth_clients or delete-auth_clients permissions will see clients in the list but receive 404 errors when attempting to modify clients they don't own, breaking admin management functionality.
Additional Locations (1)
| /** | ||
| * Store a new client. | ||
| * | ||
| * @param \Illuminate\Http\Request $request |
There was a problem hiding this comment.
Duplicated type-extraction logic in store and update methods
Low Severity
The store() and update() methods contain identical code for extracting $personalAccess, $password, and $redirect from $request->types. These three lines are duplicated verbatim between the two methods. This logic could be extracted to a private helper method like parseClientTypes(Request $request) to reduce duplication and make future maintenance easier.
Additional Locations (1)
|
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 4 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
| 'file_size_check' => ProcessMakerMiddleware\FileSizeCheck::class, | ||
| 'auth.basic' => Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class, | ||
| 'throttle' => Illuminate\Routing\Middleware\ThrottleRequests::class, | ||
| 'client' => Laravel\Passport\Http\Middleware\CheckToken::class, |
There was a problem hiding this comment.
Wrong Passport middleware class for client alias
High Severity
The client middleware alias was changed from CheckClientCredentials to CheckToken. These serve different purposes: CheckClientCredentials validates OAuth2 client credentials grant flows, while CheckToken validates regular bearer access tokens. This breaks client credentials authentication for any routes using the client middleware.
| protected \Illuminate\Contracts\Validation\Factory $validation, | ||
| ) { | ||
| } | ||
|
|
There was a problem hiding this comment.
Client list not filtered by user
Medium Severity
The index method returns all non-revoked clients without filtering by user, while show, update, and destroy methods use findForUser to restrict access to user-specific clients. This inconsistency allows users to see other users' OAuth clients, which may expose sensitive client information.
| // Authorization code grant | ||
| $client = $this->clients->createAuthorizationCodeGrantClient( | ||
| $request->name, | ||
| $redirect ? explode(',', $redirect) : [], |
There was a problem hiding this comment.
Redirect URL incorrectly split on commas
Medium Severity
The redirect URL is split using explode(',', $redirect), but validation enforces a single URL via the url rule. This breaks if the redirect URL contains commas (valid in URLs, e.g., query parameters like ?items=1,2,3). The URL would be incorrectly split into multiple invalid array elements. Should use [$redirect] to wrap the single URL in an array.
|
|
||
| // Do not retry this job if it fails | ||
| public $tries = 10; | ||
| public $tries = 1; |
There was a problem hiding this comment.
Job retry attempts drastically reduced
Medium Severity
The $tries property changed from 10 to 1, meaning script executor builds will no longer retry on failure. The comment states "Do not retry this job if it fails" which matches the new value, but the previous value of 10 suggests retries were important for handling transient failures. Builds may now fail permanently due to temporary network issues or resource constraints.
|
QA server K8S was successfully deployed https://ci-9fdd0aafa1.engk8s.processmaker.net |
2 participants
ci:k8s-branch:2026-4-php84
ci:package-auth:task/FOUR-28803
ci:package-email-start-event:task/FOUR-28803
ci:package-collections:task/FOUR-28803
ci:package-actions-by-email:task/FOUR-28803
ci:pmql:task/FOUR-28803
ci:package-analytics-reporting:task/FOUR-28803
ci:package-savedsearch:task/FOUR-28803
ci:package-decision-engine:task/FOUR-28803
ci:package-smart-extract:task/FOUR-28803
ci:package-ai:task/FOUR-28803
ci:deploy
.
Note
High Risk
Framework/runtime upgrades plus a full middleware bootstrap refactor and Passport client/token behavior changes can affect authentication, request handling order, and production routing in subtle ways.
Overview
Upgrades the runtime and core framework dependencies to PHP 8.4 and Laravel 12, along with related library bumps (notably Passport 13, Swagger, JWT, PMQL, and new OpenTelemetry packages).
Migrates HTTP middleware configuration out of
ProcessMaker\Http\Kernelintobootstrap/app.phpusing Laravel 11+/12->withMiddleware()wiring, including custom replacements, group composition, aliases, and priority ordering.Updates several Passport integrations to match new APIs/behavior: client creation now uses explicit grant-type factory methods (including DevLink), auth client CRUD is rewritten to use
ClientRepositorydirectly withfindForUser, token lookup uses updatedTokenRepositorysignatures, token JSON serialization is hardened inUserTokenResource, and client UUIDs are explicitly disabled to preserve integer IDs.Removes the
processmaker:create-test-dbsconsole command, adjusts Data Lake view discovery to pass the current database toSchema::getTables/getViews, reducesBuildScriptExecutorretries from 10 to 1, and adds.envrcto.gitignore.Written by Cursor Bugbot for commit ccc4f2b. This will update automatically on new commits. Configure here.