QT/InvoiceShelf
1
0
Fork 0
mirror of https://github.com/InvoiceShelf/InvoiceShelf.git synced 2026-04-12 15:57:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add company ownership check to clone endpoints

Browse Source 
Verify the source record belongs to the current company before cloning.
Previously, users could clone invoices/estimates from other companies,
leaking sensitive data (amounts, customer details, items, taxes, notes).

The view policy already includes hasCompany() check, so authorizing
view on the source record gates both ability and company ownership.

Ref #574
This commit is contained in:
Darko Gjorgjijoski
2026-04-03 14:25:43 +02:00
parent 1adebe85b9
commit 3a1bfd3824
2 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/Http/Controllers/V1/Admin/Estimate/CloneEstimateController.php
View File

@@ -21,6 +21,7 @@ class CloneEstimateController extends Controller
*/
public function __invoke(Request $request, Estimate $estimate)
{
$this->authorize('view', $estimate);
$this->authorize('create', Estimate::class);
$date = Carbon::now();

1
app/Http/Controllers/V1/Admin/Invoice/CloneInvoiceController.php
View File

@@ -21,6 +21,7 @@ class CloneInvoiceController extends Controller
*/
public function __invoke(Request $request, Invoice $invoice)
{
$this->authorize('view', $invoice);
$this->authorize('create', Invoice::class);
$date = Carbon::now();