diff --git a/app/Http/Controllers/V1/Admin/Customer/CustomersController.php b/app/Http/Controllers/V1/Admin/Customer/CustomersController.php
index d0a73186..3dbe5846 100644
--- a/app/Http/Controllers/V1/Admin/Customer/CustomersController.php
+++ b/app/Http/Controllers/V1/Admin/Customer/CustomersController.php
@@ -92,7 +92,11 @@ class CustomersController extends Controller
 {
 $this->authorize('delete multiple customers');
 
- Customer::deleteCustomers($request->ids);
+ $ids = Customer::whereCompany()
+ ->whereIn('id', $request->ids)
+ ->pluck('id');
+
+ Customer::deleteCustomers($ids);
 
 return response()->json([
 'success' => true,
diff --git a/app/Policies/CustomerPolicy.php b/app/Policies/CustomerPolicy.php
index aa2feccb..02ad2fa3 100644
--- a/app/Policies/CustomerPolicy.php
+++ b/app/Policies/CustomerPolicy.php
@@ -32,7 +32,7 @@ class CustomerPolicy
 */
 public function view(User $user, Customer $customer): bool
 {
- if (BouncerFacade::can('view-customer', $customer)) {
+ if (BouncerFacade::can('view-customer', $customer) && $user->hasCompany($customer->company_id)) {
 return true;
 }
 
@@ -60,7 +60,7 @@ class CustomerPolicy
 */
 public function update(User $user, Customer $customer): bool
 {
- if (BouncerFacade::can('edit-customer', $customer)) {
+ if (BouncerFacade::can('edit-customer', $customer) && $user->hasCompany($customer->company_id)) {
 return true;
 }
 
@@ -74,7 +74,7 @@ class CustomerPolicy
 */
 public function delete(User $user, Customer $customer): bool
 {
- if (BouncerFacade::can('delete-customer', $customer)) {
+ if (BouncerFacade::can('delete-customer', $customer) && $user->hasCompany($customer->company_id)) {
 return true;
 }
 
@@ -88,7 +88,7 @@ class CustomerPolicy
 */
 public function restore(User $user, Customer $customer): bool
 {
- if (BouncerFacade::can('delete-customer', $customer)) {
+ if (BouncerFacade::can('delete-customer', $customer) && $user->hasCompany($customer->company_id)) {
 return true;
 }
 
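Review bot: The bulk-delete path now quietly drops any id outside the caller's company and still answers `'success' => true`, so a request mixing own and foreign ids gets no signal that part of it was ignored — and the new feature test pins exactly that with `assertOk()`. If silent filtering is not the intent, reject the request when the filtered set is smaller than what was asked for, e.g. `abort_if($ids->count() !== count(array_unique($request->ids)), 403);` before the delete call, or return the deleted count in the response. `deleteCustomers` previously received the raw `$request->ids` array and now gets a `pluck` Collection; confirm it accepts both, or keep the old argument type with `->pluck('id')->all()`. The enclosing method's signature and `$request` parameter are outside the hunk.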
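Review bot: In `view`, the tenant check is only appended to the Bouncer branch that returns true, so whatever the method does after the closing `}` (outside the hunk) still runs without `hasCompany`; if that fallthrough grants access on some other condition, a customer from another company stays reachable. A guard at the top of the method closes that regardless of later branches: `if (! $user->hasCompany($customer->company_id)) { return false; }`, leaving the existing `if` untouched. The same shape is repeated in `update`, `delete`, `restore` (later hunks of this file) and `forceDelete` (next line), so the guard belongs in each, and any ability in this policy the commit leaves unchanged is worth checking for the same gap. Each method's remaining body is cut off by the hunk boundary.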
@@ -102,7 +102,7 @@ class CustomerPolicy
 */
 public function forceDelete(User $user, Customer $customer): bool
 {
- if (BouncerFacade::can('delete-customer', $customer)) {
+ if (BouncerFacade::can('delete-customer', $customer) && $user->hasCompany($customer->company_id)) {
 return true;
 }
 
diff --git a/tests/Feature/Admin/CustomerTest.php b/tests/Feature/Admin/CustomerTest.php
index 33f3ec09..731a4e34 100644
--- a/tests/Feature/Admin/CustomerTest.php
+++ b/tests/Feature/Admin/CustomerTest.php
@@ -2,6 +2,7 @@
 
 use App\Http\Controllers\V1\Admin\Customer\CustomersController;
 use App\Http\Requests\CustomerRequest;
+use App\Models\Company;
 use App\Models\Customer;
 use App\Models\Invoice;
 use App\Models\User;
@@ -157,3 +158,40 @@ test('delete multiple customer', function () {
 'success' => true,
 ]);
 });
+
+test('cannot view customer from another company', function () {
+ $otherCompany = Company::factory()->create();
+ $otherCustomer = Customer::factory()->create([
+ 'company_id' => $otherCompany->id,
+ ]);
+
+ getJson("api/v1/customers/{$otherCustomer->id}")
+ ->assertForbidden();
+});
+
+test('cannot update customer from another company', function () {
+ $otherCompany = Company::factory()->create();
+ $otherCustomer = Customer::factory()->create([
+ 'company_id' => $otherCompany->id,
+ ]);
+
+ putJson("api/v1/customers/{$otherCustomer->id}", [
+ 'name' => 'Hacked Name',
+ 'email' => 'hacked@example.com',
+ ])->assertForbidden();
+});
+
+test('cannot bulk delete customer from another company', function () {
+ $otherCompany = Company::factory()->create();
+ $otherCustomer = Customer::factory()->create([
+ 'company_id' => $otherCompany->id,
+ ]);
+
+ postJson('api/v1/customers/delete', [
+ 'ids' => [$otherCustomer->id],
+ ])->assertOk();
+
+ $this->assertDatabaseHas('customers', [
+ 'id' => $otherCustomer->id,
+ ]);
+});
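Review bot: `cannot bulk delete customer from another company` cannot tell the new company filter apart from an endpoint that deletes nothing at all — a 200 and a surviving row are both consistent with a no-op — and nothing here exercises `delete`, `restore` or `forceDelete` on a single customer even though the policy changes all three. Put an own-company customer in the same `ids` array and assert `$this->assertDatabaseMissing('customers', ['id' => $ownCustomer->id]);` next to the existing `assertDatabaseHas`, so the test pins "filtered, not ignored". If the API exposes single-customer deletion, a `deleteJson("api/v1/customers/{$otherCustomer->id}")->assertForbidden();` case would cover the policy's `delete` path the same way `view` and `update` are covered.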