Fix CustomerPolicy missing hasCompany() check (cross-company IDOR)

Add $user->hasCompany($customer->company_id) check to view, update, delete, restore, and forceDelete methods in CustomerPolicy, matching the pattern used by all other policies (InvoicePolicy, PaymentPolicy, EstimatePolicy, etc.). Without this check, a user in Company A with view-customer ability could access customers belonging to Company B by providing the target customer's ID. Add cross-company authorization tests to verify the fix. Closes #565
2026-04-18 02:34:08 +00:00 · 2026-04-03 13:46:05 +02:00
parent 25986b7bd5
commit 1ab5228347
2 changed files with 29 additions and 5 deletions
--- a/tests/Feature/Admin/CustomerTest.php
+++ b/tests/Feature/Admin/CustomerTest.php
@@ -2,6 +2,7 @@

 use App\Http\Controllers\V1\Admin\Customer\CustomersController;
 use App\Http\Requests\CustomerRequest;
+use App\Models\Company;
 use App\Models\Customer;
 use App\Models\Invoice;
 use App\Models\User;
@@ -157,3 +158,26 @@ test('delete multiple customer', function () {
            'success' => true,
        ]);
 });
+
+test('cannot view customer from another company', function () {
+    $otherCompany = Company::factory()->create();
+    $otherCustomer = Customer::factory()->create([
+        'company_id' => $otherCompany->id,
+    ]);
+
+    getJson("api/v1/customers/{$otherCustomer->id}")
+        ->assertForbidden();
+});
+
+test('cannot update customer from another company', function () {
+    $otherCompany = Company::factory()->create();
+    $otherCustomer = Customer::factory()->create([
+        'company_id' => $otherCompany->id,
+    ]);
+
+    putJson("api/v1/customers/{$otherCustomer->id}", [
+        'name' => 'Hacked Name',
+        'email' => 'hacked@example.com',
+    ])->assertForbidden();
+});
+