Commit Graph

47 Commits

Author SHA1 Message Date
Darko Gjorgjijoski
6f45b58933 feat(updater): disable the in-app updater in containerized installs
Consume the injected CONTAINERIZED flag: expose it on /app/version, block the update endpoints + console command, and show a 'docker compose pull' panel instead of the updater.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 23:43:18 +02:00
Darko Gjorgjijoski
734ac9421d fix(users): scope user view & update to the acting company
User view/update authorized only that the requester owns their active company, not that the target user belonged to it, allowing an owner of one company to read or modify users of another. Require shared company membership in UserPolicy.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 23:43:18 +02:00
Darko Gjorgjijoski
107a951126 fix(security): recompute document totals server-side (GHSA-8c69) (#665)
Invoice/estimate/recurring-invoice creation and update accepted total,
sub_total, tax and due_amount straight from the request with no server-side
recalculation, so a client could persist financial totals that don't match the
line items (and, on invoice update, corrupt the due-amount/paid-amount logic
which keyed off the client total).

- Adds App\Support\DocumentTotals which recomputes item totals (round(price *
  quantity) minus per-item discount) and document totals (sub_total, tax with
  per-item vs document and tax_included handling, total, due_amount), mirroring
  the front-end calculation. Only price/quantity/discounts/tax-line amounts are
  trusted.
- getInvoicePayload/getEstimatePayload/getRecurringInvoicePayload override the
  client totals with the recomputed values; createItems recomputes each stored
  item total; Invoice::updateInvoice keys its due-amount/paid-amount logic off
  the recomputed total instead of the request total.

Adds DocumentTotals unit tests + a feature test proving a tampered invoice
total is ignored. Existing create/update tests no longer assert the (now
server-authoritative) derived totals.
2026-06-12 09:30:44 +02:00
Darko Gjorgjijoski
5839d8385d fix(security): harden public EmailLog token endpoints (GHSA-73q7) (#662)
Customer PDF controllers resolved the target document by raw mailable_id,
ignoring mailable_type, and skipped the expiry check on the JSON endpoints.

- Resolve via the $emailLog->mailable morph relation and assert the expected
  type (abort 404) so a token issued for one document type can't disclose
  another whose numeric id collides.
- Enforce isExpired() (abort 403) on every public path, including the JSON
  getInvoice/getEstimate/getPayment endpoints.
- Harden EmailLog::isExpired() to treat a null/unresolvable mailable as
  expired instead of throwing.

Adds tests for cross-type 404, JSON-path expiry 403, and the valid path.
2026-06-12 09:18:16 +02:00
Darko Gjorgjijoski
e432e4e62f fix(security): enforce company scope on notes, estimate-convert, and user bulk-delete (#661)
- Notes IDOR (GHSA-85wc): NotePolicy::viewNotes/manageNotes now receive the
  Note and require hasCompany($note->company_id); NotesController passes the
  bound model to authorize() on show/update/destroy.
- Estimate->Invoice IDOR (GHSA-j2vg): ConvertEstimateController authorizes
  'view' on the source estimate before creating the invoice.
- User bulk-delete (GHSA-wxrv): UsersController scopes candidate ids via
  User::whereCompany() before deletion so cross-company accounts are protected.

Adds feature tests for cross-company 403s plus same-company happy paths.
2026-06-12 09:17:52 +02:00
Darko Gjorgjijoski
c9d623a0dd Revert "Export system"
This reverts commit a79c4ec5ee.
2026-06-11 08:36:05 +02:00
mchev
a79c4ec5ee Export system 2026-06-04 17:20:00 +02:00
mchev
d2736b1c46 Merge pull request #616 from mchev/taxdecimal
Support 3-decimal tax percentages (e.g. 6.625%)
2026-04-08 09:28:44 +02:00
mchev
beb2a43ed3 Duplicate expense 2026-04-07 19:00:07 +02:00
mchev
7a25a15877 Increasing tax decimal 2026-04-07 18:35:30 +02:00
Darko Gjorgjijoski
defbfc6406 Fix CustomerPolicy missing hasCompany() check (IDOR) (#604)
* Fix CustomerPolicy missing hasCompany() check (cross-company IDOR)

Add $user->hasCompany($customer->company_id) check to view, update,
delete, restore, and forceDelete methods in CustomerPolicy, matching
the pattern used by all other policies (InvoicePolicy, PaymentPolicy,
EstimatePolicy, etc.).

Without this check, a user in Company A with view-customer ability
could access customers belonging to Company B by providing the target
customer's ID.

Add cross-company authorization tests to verify the fix.

Closes #565

* Scope bulk delete to current company to prevent cross-company deletion

Filter customer IDs through whereCompany() before passing to
deleteCustomers(), ensuring users cannot delete customers belonging
to other companies via the bulk delete endpoint.
2026-04-03 13:56:34 +02:00
Corey Salzano
aafcf147cf Updates the "create backup" test to handle the disk prefix. 2026-03-24 23:00:47 -04:00
Christos Yiakoumettis
3e96297699 Add expense number at Expenses (#406)
* add expense number at expenses

* Re-order expense fields

* Rename expense_number migration

* Add expense_number to tests

---------

Co-authored-by: Darko Gjorgjijoski <dg@darkog.com>
2025-09-02 03:20:27 +02:00
Fabio Ribeiro
d69a56e2d5 feat: Tax included (#370)
* feat: Tax included

* Added a toggle switch in tax settings to enable the feature.
* Database migration adding tax_included field into estimates, invoices
  and recurring invoices table.
* Toggle switch to enable and store the tax_included by estimates,
  invoices and recurring invoices.
* In case of tax included enabled, total taxes will be recalculated and
  the invoices, estimates and recurring invoices total won't be sum with
  taxes.
* Apply tax included when discount_per_item/tax_per_item item is enabled.
* Custom component to show the net total when tax included is enabled.
* Update invoice and estimates pdfs with net total.

* chore: Tax included by default

A switch button inside the tax settings to enable the tax included by
default in invoices, estimates and recurring invoices.
2025-08-28 10:28:24 +02:00
mchev
bf5b544ca3 Adding Flat Tax support with fixed amount (#253)
* Possibility to set a fixed amount on tax types settings

* Pint and manage flat taxes on items

* Fix display errors and handle global taxes

* Tests

* Pint with PHP 8.2 cause with PHP 8.3 version it cause workflow error

* Merging percent and fixed amount into one column

* Now display the currency on SelectTaxPopup on fixed taxes
2025-05-04 02:24:56 +02:00
Darko Gjorgjijoski
e9e52c60a7 Reformat with pint 2025-01-12 18:37:08 +01:00
mchev
967c225df9 Merge pull request #198 from mchev/invoice_cancellation
Support for Zero and Negative Item Quantities on Invoices
2024-11-02 12:20:55 +01:00
mchev
bb8258036a Clone estimates (#97)
* Clone estimates

* Clone estimate test feature

* Resolve namespace

* Fix string to int for Carbon

* Fix homes routes and default queue key

* Move dropdown item below View and use the propper translation key
2024-06-06 12:16:41 +02:00
mchev
3259173066 Laravel 11 (#84)
* Convert string references to `::class`

PHP 5.5.9 adds the new static `class` property which provides the fully qualified class name. This is preferred over using strings for class names since the `class` property references are checked by PHP.

* Use Faker methods

Accessing Faker properties was deprecated in Faker 1.14.

* Convert route options to fluent methods

Laravel 8 adopts the tuple syntax for controller actions. Since the old options array is incompatible with this syntax, Shift converted them to use modern, fluent methods.

* Adopt class based routes

* Remove default `app` files

* Shift core files

* Streamline config files

* Set new `ENV` variables

* Default new `bootstrap/app.php`

* Re-register HTTP middleware

* Consolidate service providers

* Re-register service providers

* Re-register routes

* Re-register scheduled commands

* Bump Composer dependencies

* Use `<env>` tags for configuration

`<env>` tags have a lower precedence than system environment variables making it easier to overwrite PHPUnit configuration values in additional environments, such a CI.

Review this blog post for more details on configuration precedence when testing Laravel: https://jasonmccreary.me/articles/laravel-testing-configuration-precedence/

* Adopt anonymous migrations

* Rename `password_resets` table

* Convert `$casts` property to method

* Adopt Laravel type hints

* Mark base controller as `abstract`

* Remove `CreatesApplication` testing trait

* Shift cleanup

* Fix shift first issues

* Updating Rules for laravel 11, sanctum config and pint

* Fix Carbon issue on dashboard

* Temporary fix for tests while migration is issue fixed on laravel side

* Carbon needs numerical values, not strings

* Minimum php version

* Fix domain installation step not fetching the correct company_id

* Fix Role Policy wasn't properly registered

---------
2024-06-05 11:33:52 +02:00
gdarko
4ab92473e9 Setup pint & run code style fix 2024-01-29 04:46:01 -06:00
gdarko
fe09d2e54c Fix failing unit test after upgrading Pest to latest version 2024-01-29 08:34:37 +01:00
gdarko
dce2a57f3c Replace old references 2024-01-28 15:07:09 -06:00
Darko Gjorgjijoski
cd9df54c5b Upgrade to Laravel 10, Vite 5+ 2024-01-28 17:17:32 +01:00
Darko Gjorgjijoski
6b80b5f48d Change namespace 2024-01-27 23:53:20 +01:00
Mohit Panjwani
18507ddb6f new build 606 2022-03-06 12:39:21 +05:30
Thomas Calemark
2cadcad485 Fix currency settings error (#821)
* Fixed issue with currency error on change after transactions

* organized imports
2022-03-06 09:53:31 +05:30
Harsh Jagad
ab153963e4 Fix master issues 2022-02-19 09:50:46 +00:00
Mohit Panjwani
22f6a48b5b fix csfixer warnings 2022-01-11 16:54:15 +05:30
harshjagad20
9eae813c24 fix tests 2022-01-10 19:02:49 +05:30
Mohit Panjwani
bdea879273 v6 update 2022-01-10 16:06:17 +05:30
Mohit Panjwani
b770e6277f remove currency tests 2021-12-10 18:04:42 +05:30
Harsh Jagad
fe66b8bdb8 fix-tests-5.0.2 2021-12-07 11:53:56 +00:00
harshjagad20
88bfb38b56 solve unit tests 2021-12-01 13:25:24 +05:30
Mohit Panjwani
082d5cacf2 v5.0.0 update 2021-11-30 18:58:19 +05:30
Mohit Panjwani
433c6a7c44 fix tax test failure 2021-07-16 12:00:28 +05:30
Mohit Panjwani
2b80082996 Merge branch 'negative-tax-options' into 'master'
Solved negative tax options issue

See merge request mohit.panjvani/crater-web!735
2021-06-30 06:52:23 +00:00
gohil jayvirsinh
d1dd704cdf Add File based templates 2021-06-19 12:11:21 +00:00
harshjagad20
b2d4b7212b Added invoice test with negative tax 2021-06-02 16:25:20 +05:30
harshjagad20
b4956d38f7 Minor fix taxtype test 2021-06-01 16:33:07 +05:30
harshjagad20
ed966b02eb Added test for negative taxtype test 2021-06-01 16:32:06 +05:30
Mwikala Kangwa
9e98a96d61 Implement PHP CS Fixer and a coding standard to follow (#471)
* Create PHP CS Fixer config and add to CI workflow

* Run php cs fixer on project

* Add newline at end of file

* Update to use PHP CS Fixer v3

* Run v3 config on project

* Run seperate config in CI
2021-05-21 17:27:51 +05:30
Mohit Panjwani
2f32ff4d5b temporarily disable the user tests 2021-04-13 13:06:07 +05:30
Mohit Panjwani
fadba7fa3a fix send email tests 2021-04-12 14:40:10 +05:30
Mohit Panjwani
89ee58590c build version 400 2020-12-02 17:54:08 +05:30
raishvaria
ac431ca815 remove state & city stuff, Add listener version200 2019-11-25 13:46:57 +05:30
jayvirsinh_gohil
3f550da1f5 refactor namespace and update routes for api 2019-11-15 18:05:22 +05:30
Mohit Panjwani
bdf2ba51d6 init crater 2019-11-11 12:16:00 +05:30