RE1-T117 Bug fixes

[ucswift]

Summary by CodeRabbit

• Bug Fixes

  • Fixed SQL syntax errors in database queries that affected call filtering
  • Mitigated CSV injection vulnerabilities in incident export functionality

• Security

  • Strengthened permission requirements on reporting endpoints to enforce department-scoped access control

• Documentation

  • Updated reporting API documentation with clarified access requirements and parameter constraints

[request-info]

Thanks for opening this, but we'd appreciate a little more information. Could you update it with more details?

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 46615415-8f2a-4f3c-9392-f8f2332f4735

📥 Commits

Reviewing files that changed from the base of the PR and between 24b241b and ab4ffe1.

⛔ Files ignored due to path filters (1)

• Tests/Resgrid.Tests/Services/IncidentExportTests.cs is excluded by !**/Tests/**

📒 Files selected for processing (5)

• Core/Resgrid.Services/Reporting/IncidentExport.cs
• Repositories/Resgrid.Repositories.DataRepository/Servers/PostgreSql/PostgreSqlConfiguration.cs
• Repositories/Resgrid.Repositories.DataRepository/Servers/SqlServer/SqlServerConfiguration.cs
• Web/Resgrid.Web.Services/Controllers/v4/ReportingController.cs
• Web/Resgrid.Web.Services/Resgrid.Web.Services.xml

---

📝 Walkthrough

Walkthrough

The PR addresses three independent improvements: CSV injection mitigation in incident exports, SQL query syntax corrections in database configuration, and authorization policy enforcement with parameter validation on reporting API endpoints.

Changes

CSV/Spreadsheet Injection Mitigation

Layer / File(s)	Summary
CSV injection guard in escape logic Core/Resgrid.Services/Reporting/IncidentExport.cs	IncidentExport.Escape detects formula-trigger characters (=, +, -, @, tab, carriage return) at the start of cell values and prepends a single-quote prefix for non-numeric values, preventing spreadsheet formula injection before standard CSV quoting.

Database Query Syntax Corrections

Layer / File(s)	Summary
Remove duplicated AND in call date queries Repositories/Resgrid.Repositories.DataRepository/Servers/PostgreSql/PostgreSqlConfiguration.cs, Repositories/Resgrid.Repositories.DataRepository/Servers/SqlServer/SqlServerConfiguration.cs	SelectAllCallsByDidLoggedOnQuery SQL predicates are corrected by removing erroneous duplicate AND tokens before the LoggedOn >= %DATE% condition in both PostgreSQL and SQL Server configurations.

Reporting API Authorization and Parameter Validation

Layer / File(s)	Summary
Authorization policy setup and imports Web/Resgrid.Web.Services/Controllers/v4/ReportingController.cs, Web/Resgrid.Web.Services/Resgrid.Web.Services.xml	Adds Resgrid.Providers.Claims namespace import, introduces MaxTopN constant (50) for parameter bounds, and updates controller class documentation to state all endpoints require the Reports/View permission policy.
Authorization attributes and parameter validation on endpoints Web/Resgrid.Web.Services/Controllers/v4/ReportingController.cs, Web/Resgrid.Web.Services/Resgrid.Web.Services.xml	All six ReportingController endpoints transition from generic [Authorize] to [Authorize(Policy = ResgridResources.Reports_View)]; GetDashboard adds topN parameter clamping to the range 1–MaxTopN with corresponding XML documentation update for both the permission requirement and parameter behavior.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title is too vague and generic; it uses 'Bug fixes' without describing the specific bugs or changes being addressed.	Consider revising the title to be more specific, such as 'Fix CSV injection vulnerability and SQL syntax errors in reporting' to clearly convey the main changes.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch develop

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ucswift]

Approve

[github-actions]

This PR is approved.