From 242b689311a5e0646ebd3c4af590b38feccf43d8 Mon Sep 17 00:00:00 2001
From: Darko Gjorgjijoski
Date: Fri, 3 Apr 2026 14:01:30 +0200
Subject: [PATCH] Scope all bulk deletes to current company and fix inverted ownership transfer

Bulk delete: filter IDs through whereCompany() before deleting in all controllers (Invoices, Payments, Items, Expenses, Estimates, Recurring Invoices). Previously, any user could delete records from other companies by providing cross-company IDs.

Transfer ownership: fix inverted hasCompany() check that allowed transferring company ownership to users who do NOT belong to the company, while blocking users who DO belong.

Ref #567
---
 .../Controllers/V1/Admin/Company/CompaniesController.php | 4 ++--
 .../Controllers/V1/Admin/Estimate/EstimatesController.php | 6 +++++-
 .../Controllers/V1/Admin/Expense/ExpensesController.php | 6 +++++-
 .../Controllers/V1/Admin/Invoice/InvoicesController.php | 6 +++++-
 app/Http/Controllers/V1/Admin/Item/ItemsController.php | 6 +++++-
 .../Controllers/V1/Admin/Payment/PaymentsController.php | 6 +++++-
 .../Admin/RecurringInvoice/RecurringInvoiceController.php | 6 +++++-
 7 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/app/Http/Controllers/V1/Admin/Company/CompaniesController.php b/app/Http/Controllers/V1/Admin/Company/CompaniesController.php
index 05163008..77964d5d 100644
--- a/app/Http/Controllers/V1/Admin/Company/CompaniesController.php
+++ b/app/Http/Controllers/V1/Admin/Company/CompaniesController.php
@@ -61,10 +61,10 @@ class CompaniesController extends Controller
 $company = Company::find($request->header('company'));
 $this->authorize('transfer company ownership', $company);
 
- if ($user->hasCompany($company->id)) {
+ if (! $user->hasCompany($company->id)) {
 return response()->json([
 'success' => false,
- 'message' => 'User does not belongs to this company.',
+ 'message' => 'User does not belong to this company.',
 ]);
 }
 
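Review bot: The rejection path behind the corrected `+ if (! $user->hasCompany($company->id))` line still answers with HTTP 200 and `'success' => false`, so an API client or a log-based alert cannot tell a refused ownership transfer from a successful one without parsing the body; returning a 403 there, e.g. changing the closing `]);` to `], 403);`, makes the refusal visible to clients and in access logs. Since this commit corrects an inverted authorization check, a regression test asserting that a user outside the company is refused and a member is accepted would keep the condition from flipping back, and the diffstat shows none was added. `Company::find($request->header('company'))` on the first context line can return null for an unknown header value, in which case `$company->id` on the changed line fails; whether `authorize()` already rejects a null company is not visible here. The enclosing method's signature, the resolution of `$user`, and the rest of its body are outside the hunk.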
diff --git a/app/Http/Controllers/V1/Admin/Estimate/EstimatesController.php b/app/Http/Controllers/V1/Admin/Estimate/EstimatesController.php
index 31a415da..fabd2a17 100644
--- a/app/Http/Controllers/V1/Admin/Estimate/EstimatesController.php
+++ b/app/Http/Controllers/V1/Admin/Estimate/EstimatesController.php
@@ -68,7 +68,11 @@ class EstimatesController extends Controller
 {
 $this->authorize('delete multiple estimates');
 
- Estimate::destroy($request->ids);
+ $ids = Estimate::whereCompany()
+ ->whereIn('id', $request->ids)
+ ->pluck('id');
+
+ Estimate::destroy($ids);
 
 return response()->json([
 'success' => true,
diff --git a/app/Http/Controllers/V1/Admin/Expense/ExpensesController.php b/app/Http/Controllers/V1/Admin/Expense/ExpensesController.php
index dd42f123..c62e8c1d 100644
--- a/app/Http/Controllers/V1/Admin/Expense/ExpensesController.php
+++ b/app/Http/Controllers/V1/Admin/Expense/ExpensesController.php
@@ -81,7 +81,11 @@ class ExpensesController extends Controller
 {
 $this->authorize('delete multiple expenses');
 
- Expense::destroy($request->ids);
+ $ids = Expense::whereCompany()
+ ->whereIn('id', $request->ids)
+ ->pluck('id');
+
+ Expense::destroy($ids);
 
 return response()->json([
 'success' => true,
diff --git a/app/Http/Controllers/V1/Admin/Invoice/InvoicesController.php b/app/Http/Controllers/V1/Admin/Invoice/InvoicesController.php
index 9c3c1629..630d4736 100644
--- a/app/Http/Controllers/V1/Admin/Invoice/InvoicesController.php
+++ b/app/Http/Controllers/V1/Admin/Invoice/InvoicesController.php
@@ -100,7 +100,11 @@ class InvoicesController extends Controller
 {
 $this->authorize('delete multiple invoices');
 
- Invoice::deleteInvoices($request->ids);
+ $ids = Invoice::whereCompany()
+ ->whereIn('id', $request->ids)
+ ->pluck('id');
+
+ Invoice::deleteInvoices($ids);
 
 return response()->json([
 'success' => true,
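Review bot: The added `Estimate::whereCompany()->whereIn('id', $request->ids)->pluck('id')` lines silently discard any requested ID that belongs to another company and the handler still replies `'success' => true`, so a caller submitting cross-company IDs receives the same answer as a legitimate one and the attempt leaves nothing for detection. Comparing the filtered set with the request, e.g. `abort_if($ids->count() !== count(array_unique($request->ids)), 403);` directly after the `pluck` call, reports the refusal to the client and produces a log-visible 403 for tenant-boundary probing. The same applies to the Expenses, Invoices, Items, Payments and Recurring Invoices hunks. Whether `$request->ids` is validated as an array of IDs before this point is not visible in the hunk; `count()` on a non-array throws in PHP 8, so that check would rely on such validation. The enclosing method begins and ends outside the hunk.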
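Review bot: `Invoice::deleteInvoices($ids)` on the last added line of the Invoices hunk now receives an `Illuminate\Support\Collection` from `pluck('id')` where it previously received the raw `$request->ids` array; unless that model method is written or typed to accept a Collection (its body is outside this diff), appending `->all()` so the line reads `->pluck('id')->all();` keeps the argument type the same as before. Eloquent's own `destroy()` used in the Estimates, Expenses and Items hunks unwraps a Collection in recent Laravel versions, but `Payment::deletePayments()` and `RecurringInvoice::deleteRecurringInvoice()` in the Payments and Recurring Invoices hunks raise the same question. The enclosing method begins and ends outside the hunk.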
diff --git a/app/Http/Controllers/V1/Admin/Item/ItemsController.php b/app/Http/Controllers/V1/Admin/Item/ItemsController.php
index 93e21bec..7c63a61a 100644
--- a/app/Http/Controllers/V1/Admin/Item/ItemsController.php
+++ b/app/Http/Controllers/V1/Admin/Item/ItemsController.php
@@ -90,7 +90,11 @@ class ItemsController extends Controller
 {
 $this->authorize('delete multiple items');
 
- Item::destroy($request->ids);
+ $ids = Item::whereCompany()
+ ->whereIn('id', $request->ids)
+ ->pluck('id');
+
+ Item::destroy($ids);
 
 return response()->json([
 'success' => true,
diff --git a/app/Http/Controllers/V1/Admin/Payment/PaymentsController.php b/app/Http/Controllers/V1/Admin/Payment/PaymentsController.php
index 6f7c2dc3..ee6d0ff7 100644
--- a/app/Http/Controllers/V1/Admin/Payment/PaymentsController.php
+++ b/app/Http/Controllers/V1/Admin/Payment/PaymentsController.php
@@ -73,7 +73,11 @@ class PaymentsController extends Controller
 {
 $this->authorize('delete multiple payments');
 
- Payment::deletePayments($request->ids);
+ $ids = Payment::whereCompany()
+ ->whereIn('id', $request->ids)
+ ->pluck('id');
+
+ Payment::deletePayments($ids);
 
 return response()->json([
 'success' => true,
diff --git a/app/Http/Controllers/V1/Admin/RecurringInvoice/RecurringInvoiceController.php b/app/Http/Controllers/V1/Admin/RecurringInvoice/RecurringInvoiceController.php
index b859392c..e3becd7b 100644
--- a/app/Http/Controllers/V1/Admin/RecurringInvoice/RecurringInvoiceController.php
+++ b/app/Http/Controllers/V1/Admin/RecurringInvoice/RecurringInvoiceController.php
@@ -84,7 +84,11 @@ class RecurringInvoiceController extends Controller
 {
 $this->authorize('delete multiple recurring invoices');
 
- RecurringInvoice::deleteRecurringInvoice($request->ids);
+ $ids = RecurringInvoice::whereCompany()
+ ->whereIn('id', $request->ids)
+ ->pluck('id');
+
+ RecurringInvoice::deleteRecurringInvoice($ids);
 
 return response()->json([
 'success' => true,