QT/InvoiceShelf
1
0
Fork 0
mirror of https://github.com/InvoiceShelf/InvoiceShelf.git synced 2026-04-15 17:24:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix UpdateController auth: use Bouncer ability instead of company owner check

Browse Source 
ensureOwner() checked isOwner() which only verifies company ownership,
not super admin status. Replace with authorize('manage update app')
which uses the proper Bouncer ability gate for platform administration.
This commit is contained in:
Darko Gjorgjijoski
2026-04-03 21:45:40 +02:00
parent 3f5accc0f0
commit 20ace694fe
1 changed files with 9 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
app/Http/Controllers/Admin/Update/UpdateController.php
View File

@@ -12,7 +12,7 @@ class UpdateController extends Controller
{ {
public function checkVersion(Request $request): JsonResponse public function checkVersion(Request $request): JsonResponse
{ {
$this->ensureOwner($request); $this->ensureSuperAdmin();
set_time_limit(600); set_time_limit(600);
@@ -24,7 +24,7 @@ class UpdateController extends Controller
public function download(Request $request): JsonResponse public function download(Request $request): JsonResponse
{ {
$this->ensureOwner($request); $this->ensureSuperAdmin();
$request->validate(['version' => 'required']); $request->validate(['version' => 'required']);
@@ -36,7 +36,7 @@ class UpdateController extends Controller
public function unzip(Request $request): JsonResponse public function unzip(Request $request): JsonResponse
{ {
$this->ensureOwner($request); $this->ensureSuperAdmin();
$request->validate(['path' => 'required']); $request->validate(['path' => 'required']);
@@ -55,7 +55,7 @@ class UpdateController extends Controller
public function copy(Request $request): JsonResponse public function copy(Request $request): JsonResponse
{ {
$this->ensureOwner($request); $this->ensureSuperAdmin();
$request->validate(['path' => 'required']); $request->validate(['path' => 'required']);
@@ -67,7 +67,7 @@ class UpdateController extends Controller
public function delete(Request $request): JsonResponse public function delete(Request $request): JsonResponse
{ {
$this->ensureOwner($request); $this->ensureSuperAdmin();
if (isset($request->deleted_files) && ! empty($request->deleted_files)) { if (isset($request->deleted_files) && ! empty($request->deleted_files)) {
Updater::deleteFiles($request->deleted_files); Updater::deleteFiles($request->deleted_files);
@@ -78,7 +78,7 @@ class UpdateController extends Controller
public function migrate(Request $request): JsonResponse public function migrate(Request $request): JsonResponse
{ {
$this->ensureOwner($request); $this->ensureSuperAdmin();
Updater::migrateUpdate(); Updater::migrateUpdate();
@@ -87,7 +87,7 @@ class UpdateController extends Controller
public function finish(Request $request): JsonResponse public function finish(Request $request): JsonResponse
{ {
$this->ensureOwner($request); $this->ensureSuperAdmin();
$request->validate([ $request->validate([
'installed' => 'required', 'installed' => 'required',
@@ -97,10 +97,8 @@ class UpdateController extends Controller
return response()->json(Updater::finishUpdate($request->installed, $request->version)); return response()->json(Updater::finishUpdate($request->installed, $request->version));
} }
private function ensureOwner(Request $request): void private function ensureSuperAdmin(): void
{ {
if (! $request->user() || ! $request->user()->isOwner()) { $this->authorize('manage update app');
abort(401, 'You are not allowed to update this app.');
}
} }
} }