Implemented comprehensive vendor logo management system allowing Vendor Admins to upload company logos (max 2MB, JPG/PNG/SVG/WebP) via dedicated settings page with preview and one-click removal functionality.
Vendor logos now automatically display on both individual and bulk printed staff ID cards in the header section with smart scaling (max 40px × 18px) and white color filter for visibility on gradient backgrounds.
Implemented automatic data refresh every 5 minutes to keep notifications, attendance data, and dynamic content up-to-date without requiring page reload. System includes smart visibility detection and manual control options.
User profile photos now display in both sidebar footer (40px circular) and top header user menu (35px circular) with graceful fallback to default avatar when no photo is uploaded.
Enabled full-color printing for ID cards with CSS print-color-adjust properties, ensuring gradient backgrounds, company logos, and all colors print exactly as displayed on screen for both individual and bulk A4 cards.
Added comprehensive cache prevention headers (Cache-Control: no-cache, no-store, must-revalidate) to ensure new vendors, staff, and all data updates appear immediately without requiring browser cache clearing.
Fixed attendance records showing "Unknown" status by adding missing "Completed", "In Progress", and "Cancelled" status badges to getStatusBadge() helper function with appropriate color coding.
Implemented comprehensive file upload validation with CSRF protection, extension whitelist, MIME type verification, file size enforcement (2MB max), and proper HTML escaping with ENT_QUOTES flag.
Created dedicated vendor settings page accessible from dashboard with company information display (read-only), logo upload interface, file requirements guide, and visual preview of current logo.
Auto-refresh system fetches new notifications via AJAX every 5 minutes, updates badge counts, refreshes notification dropdown list, and shows subtle toast notifications when data is refreshed.
Auto-refresh intelligently refreshes data when user returns to tab after being away for more than 2 minutes, ensuring up-to-date information when switching browser tabs.
Implemented comprehensive kiosk device tracking showing device type, browser, operating system, IP address, and last activity timestamp for all devices accessing sites with active/inactive status indicators.
Added system-wide audit logging capturing all critical actions including user logins, NFC/PIN authentication, clock in/out, breaks, and administrative changes with full IP address and user agent tracking.
Created centralized audit logs page for super admins with advanced filtering by action type, vendor, site, user, entity type, and date range, supporting 25 items per page with accurate pagination.
Introduced interactive calendar picker for creating shifts across multiple days simultaneously. Select any number of future dates with visual feedback, past date prevention, and bulk shift creation with consistent times and details.
Added full-featured FullCalendar widget to staff dashboard displaying all assigned shifts in month, week, and list views with clickable event details showing time and position information.
Implemented site-based filtering in shift scheduler allowing super admins and vendor admins to view and create shifts by specific site with dynamic staff loading based on site selection.
Enhanced RBAC enforcement in shift API preventing unauthorized data access: staff restricted to own shifts only, site admins to their site, vendor admins to their vendor with ownership verification on all filters.
Added server-side validation ensuring staff can only be assigned to sites they are authorized for, checking both primary site assignment and multi-site assignments before creating shifts.
Enhanced device tracking with intelligent user agent parsing to extract device name, operating system, and browser information with human-readable display format.
Site profile pages now display all logged-in kiosk devices with detailed information and last seen timestamps, automatically marking devices inactive after 30 minutes of inactivity.
Replaced PostgreSQL-specific RETURNING syntax with PDO lastInsertId() in device tracking for cross-database compatibility, enabling device records to persist correctly.
Fixed pagination count function to include entity_type and date filters matching the main query, ensuring accurate page counts when filters are applied.
Multi-date picker features large touch targets, visual hover states, month navigation, and real-time selected date counter with full date display for mobile-optimized experience.
Fixed vendor, site, and user suspended status to display red "Suspended" badge instead of "Unknown" badge in status indicators across all management pages.
Implemented comprehensive suspension checks in login system with professional toast notifications (8-second duration, slide-in animation) for suspended users, vendors, and sites with clear "Access Denied - Contact Support" messaging.
Resolved PDO error "invalid input syntax for type numeric" by converting empty strings to proper numeric values (0) for salary, pension percentage, and other deductions fields.
Fixed "CSRF token validation failed" errors by ensuring tokens are generated early in the page lifecycle before form rendering and JavaScript execution.
Added missing helpers.php include to impersonate.php to resolve "Call to undefined function sanitize()" fatal error during Super Admin impersonation.
Resolved parameter conflicts in Today's Attendance query by creating separate attendanceParams variable to prevent query mismatch issues.
Fixed PIN regeneration API endpoint by updating from non-existent audit_log table to existing activity_logs table with proper logging of PIN regeneration actions.
Replaced browser alerts with consistent toast notification system on login page, including complete CSS styling and animation for suspended account messages.
PIN regeneration actions now properly logged in activity_logs with target user details (name, UID, role) for complete audit trail.
Implemented intelligent two-step authentication flow: staff authenticate first, then see only relevant action buttons based on their current sign-in status (signed out = Sign In only; signed in = Sign Out + Break buttons).
Added detailed NFC card setup instructions directly in Settings → NFC Cards tab with collapsible accordion interface, including step-by-step registration, programming guides, hardware requirements, and troubleshooting.
Extended NFC compatibility documentation to include MIFARE Classic, MIFARE Ultralight, and MIFARE DESFire cards with NDEF formatting requirements and comparison with NTAG series.
Created comprehensive 400+ line NFC card guide (/docs/NFC_CARD_GUIDE.md) covering Web NFC API, hardware purchasing recommendations, programming methods, security considerations, and database structure.
Upgraded NFC authentication to automatically trigger browser permission prompts when scan() is called from user gesture, with improved error handling for NotAllowedError, NotSupportedError, and InvalidStateError.
Increased items per page from 10 to 25 across all management pages (Staff, Vendors, Sites, Attendance, Leave) for better data visibility and fewer page loads.
Fixed dropdown menu visibility issues with CSS improvements: min-width 180px, z-index 1050, overflow fixes, and proper positioning to prevent truncation.
Implemented session ID regeneration after successful PIN/NFC authentication to prevent session fixation attacks, with session clearing after each kiosk action.
Updated NFC reading to use event.serialNumber for authentication instead of NDEF record parsing, providing more reliable card identification.
Kiosk now checks staff attendance status after authentication to determine which buttons to display, eliminating "already clocked in" errors and improving user experience.
Complete UI redesign from table-based to modern card-based layouts across all management pages (Staff, Vendors, Sites, Attendance, Leave) with responsive grid system.
Added instant client-side search functionality and pagination (10 items per page) to all card-based pages with Bootstrap-styled controls and result counters.
Enhanced responsive design with 1-column mobile, 2-column tablet, 3-column desktop card grids. All pages now fit perfectly to screen without horizontal scrolling.
Added comprehensive CSS constraints for proper screen fitting: max-width 100vw on all containers, optimized modal sizing (95% mobile, 90% tablet), and responsive padding adjustments.
Optimized button sizes, typography scaling, and spacing for mobile devices. Cards, forms, and navigation now perfectly sized for touch interfaces.
Fixed all PHP 8.1+ deprecation warnings by replacing FILTER_SANITIZE_STRING with htmlspecialchars(strip_tags()) across 11 instances in kiosk.php.
Enhanced card hover effects, action button positioning in footers, and progressive disclosure with d-none/d-md-block utilities for optimal information display.
Improved table responsiveness with horizontal scroll support, wrapped button groups, centered pagination, and flexible form controls across all screen sizes.
Added comprehensive NFC card issuance and management system for staff and vendors with cryptographically secure RFC 4122 v4 UUIDs.
Complete settings management for super admin including Site Information, SEO, Logo/Favicon uploads, Email SMTP configuration, and ReCaptcha v3 integration.
Bulk PIN regeneration capability for vendors, sites, or individual staff members with secure one-time display.
Added unique 8-character alphanumeric identifiers for vendors and sites with automatic generation on creation.
Support for 40+ countries with automatic currency detection, 30+ currency symbols, and 400+ worldwide timezones.
Added configurable opening and closing times for sites with time picker inputs (default 9 AM - 5 PM).
Kiosk system now accepts site UIDs instead of numeric IDs for better security with backward compatibility.
Implemented comprehensive file upload validation with MIME type checking, extension whitelisting, and .htaccess protection against executable uploads.
Added Settings link to navigation menu for super admin with improved organization.
Made "Open Kiosk" button more visible with larger size, green color, and shadow effect.
Fixed jQuery loading order issue by moving inline scripts after footer to prevent "$ is not defined" errors.
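The upload checks listed in the logo and file-validation entries above (CSRF token, extension whitelist, MIME verification, 2MB limit, ENT_QUOTES escaping) can be combined as in the following sketch. It is an added example, not the project's own code: `validateLogoUpload()`, the constants, the token values and the sample file are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper and constants; the limits come from the changelog text.
const LOGO_MAX_BYTES = 2 * 1024 * 1024;
const LOGO_TYPES = [ // extension => MIME type the file content must have
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
    'webp' => 'image/webp',
    'svg' => 'image/svg+xml', // SVG can embed script: sanitise it or never serve it inline
];

/** Returns [true, storedName] or [false, reason] for one $_FILES entry. */
function validateLogoUpload(array $file, string $postedToken, string $sessionToken): array
{
    // CSRF check first, with a constant-time comparison.
    if ($sessionToken === '' || !hash_equals($sessionToken, $postedToken)) {
        return [false, 'CSRF token validation failed'];
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'Upload failed'];
    }
    // Measure the file on disk; the client-supplied size and type are not trusted.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > LOGO_MAX_BYTES) {
        return [false, 'File is empty or larger than 2MB'];
    }
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!isset(LOGO_TYPES[$ext])) {
        return [false, 'Extension not allowed'];
    }
    // MIME type is sniffed from the content with fileinfo, not read from $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== LOGO_TYPES[$ext]) {
        return [false, 'Content does not match extension'];
    }
    // The stored name is generated server-side; a real handler would now call
    // move_uploaded_file(), which also confirms the file came from an HTTP upload.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed sample: PHP source uploaded under an image name is rejected at the MIME step.
$tmp = tempnam(sys_get_temp_dir(), 'logo');
file_put_contents($tmp, "<?php echo 'not an image';");
$upload = ['name' => 'acme "logo".png', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
[$ok, $detail] = validateLogoUpload($upload, 'tok123', 'tok123');
// Anything echoed back to the page is escaped with ENT_QUOTES, as the changelog describes.
printf("%s: %s\n", htmlspecialchars($upload['name'], ENT_QUOTES, 'UTF-8'),
    $ok ? "stored as $detail" : "rejected ($detail)");
unlink($tmp);
```

The MIME type reported by fileinfo for SVG files varies between libmagic versions, so the SVG mapping should be confirmed on the deployment host before relying on it.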