fix(employees): apply defaults and auto-generate SIP password on bulk import (#996)

Alexey Portnov · Alexey Portnov · commit da3c25739f9e · 2026-04-13T18:27:54.000+08:00
CSV bulk import created broken extensions: rows with empty sip_secret
column failed validation, and even rows with passwords could not
authenticate because Asterisk silently rejected endpoints with empty
dtmf_mode/transport enum values.

Root cause: SaveEmployeeAction (legacy bulk path) and SaveRecordAction
(REST POST path) both required sip_secret as a hard pre-validation field
and never invoked DataStructure::applyDefaults() during create. CSV rows
without these columns landed in DB with NULL dtmfmode, generated
"dtmf_mode = " in pjsip.conf, and res_pjsip discarded the whole endpoint.

Fixes:
- SaveEmployeeAction::prepareData() now applies DataStructure defaults
  on create and auto-generates sip_secret via Sip::generateSipPassword()
  when missing, mirroring DataStructure::createForNewEmployee() used by
  the manual form.
- SaveRecordAction::main() auto-generates sip_secret in Phase 1 before
  required-field validation (the required rule on sip_secret is now
  obsolete and removed).
- Frontend extensions-bulk-upload.js updateRowStatus() surfaces the
  backend error message inline in the import preview row instead of
  hiding it in the browser console; message is HTML-escaped via
  jQuery .text() to prevent XSS.
diff --git a/sites/admin-cabinet/assets/js/pbx/Extensions/extensions-bulk-upload.js b/sites/admin-cabinet/assets/js/pbx/Extensions/extensions-bulk-upload.js
diff --git a/sites/admin-cabinet/assets/js/src/Extensions/extensions-bulk-upload.js b/sites/admin-cabinet/assets/js/src/Extensions/extensions-bulk-upload.js
@@ -1022,7 +1022,16 @@ const extensionsBulkUpload = {
 
         // Update row class and status
         $row.removeClass('positive negative warning active disabled').addClass(statusClass);
-        $statusCell.html(`<i class="${statusIcon} icon"></i> <span class="status-text">${statusText}</span>`);
+        // Surface backend error message inline (issue #996) — escape via jQuery .text() to prevent XSS.
+        let detailHtml = '';
+        if (status === 'error' && message) {
+            const safeMessage = $('<div>').text(message).html();
+            detailHtml = ` <span class="status-detail">— ${safeMessage}</span>`;
+            $statusCell.attr('title', message);
+        } else {
+            $statusCell.removeAttr('title');
+        }
+        $statusCell.html(`<i class="${statusIcon} icon"></i> <span class="status-text">${statusText}</span>${detailHtml}`);
 
         console.log(`✅ [BulkUpload] Updated row ${number} to status: ${statusText}, class: ${statusClass}`);
 
diff --git a/src/PBXCoreREST/Lib/Employees/SaveEmployeeAction.php b/src/PBXCoreREST/Lib/Employees/SaveEmployeeAction.php
@@ -138,7 +138,19 @@ public static function prepareData(array $data): array
             'fwd_forwardingonunavailable',
         ];
         $sanitizedData = self::sanitizeRoutingDestinations($sanitizedData, $routingFields, 20);
-        
+
+        // On create (e.g. CSV bulk import without all columns) apply DataStructure defaults
+        // and auto-generate SIP password if missing. Mirrors SaveRecordAction Phase 4 / the
+        // form path createForNewEmployee(). Without defaults, dtmfmode/transport remain NULL,
+        // pjsip.conf gets `dtmf_mode = ` (empty enum), Asterisk silently rejects the endpoint
+        // and SIP auth fails even though the row exists in DB and the file. Issue #996.
+        if (empty($sanitizedData['id'])) {
+            $sanitizedData = DataStructure::applyDefaults($sanitizedData);
+            if (empty($sanitizedData['sip_secret'])) {
+                $sanitizedData['sip_secret'] = Sip::generateSipPassword();
+            }
+        }
+
         return $sanitizedData;
     }
     
diff --git a/src/PBXCoreREST/Lib/Employees/SaveRecordAction.php b/src/PBXCoreREST/Lib/Employees/SaveRecordAction.php
@@ -100,6 +100,13 @@ public static function main(array $data): PBXApiResult
             ];
             $sanitizedData = self::sanitizeRoutingDestinations($sanitizedData, $routingFields, 20);
 
+            // Auto-generate SIP password on create when omitted (e.g. CSV bulk import without sip_secret column).
+            // Mirrors DataStructure::createForNewEmployee() which fills the value for the manual-create form.
+            // Must run before Phase 2 required-field validation.
+            if (empty($sanitizedData['id']) && empty($sanitizedData['sip_secret'])) {
+                $sanitizedData['sip_secret'] = Sip::generateSipPassword();
+            }
+
         } catch (\Exception $e) {
             $res->messages['error'][] = $e->getMessage();
             return $res;
@@ -120,13 +127,7 @@ public static function main(array $data): PBXApiResult
             ],
         ];
 
-        // sip_secret required only for CREATE (UPDATE can skip if keeping existing password)
         $isCreateOperation = empty($sanitizedData['id']);
-        if ($isCreateOperation) {
-            $validationRules['sip_secret'] = [
-                ['type' => 'required', 'message' => 'ex_ValidateSecretEmpty']
-            ];
-        }
 
         $validationErrors = self::validateRequiredFields($sanitizedData, $validationRules);
         if (!empty($validationErrors)) {
