mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-04-09 22:44:48 +00:00
1adebe85b9
Bulk delete: filter IDs through whereCompany() before deleting in all controllers (Invoices, Payments, Items, Expenses, Estimates, Recurring Invoices). Previously, any user could delete records from other companies by providing cross-company IDs. Transfer ownership: fix inverted hasCompany() check that allowed transferring company ownership to users who do NOT belong to the company, while blocking users who DO belong. Ref #567
95 lines
2.4 KiB
PHP
95 lines
2.4 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Controllers\V1\Admin\Expense;
|
|
|
|
use App\Http\Controllers\Controller;
|
|
use App\Http\Requests\DeleteExpensesRequest;
|
|
use App\Http\Requests\ExpenseRequest;
|
|
use App\Http\Resources\ExpenseResource;
|
|
use App\Models\Expense;
|
|
use Illuminate\Http\JsonResponse;
|
|
use Illuminate\Http\Request;
|
|
|
|
class ExpensesController extends Controller
|
|
{
|
|
/**
|
|
* Display a listing of the resource.
|
|
*
|
|
* @return JsonResponse
|
|
*/
|
|
public function index(Request $request)
|
|
{
|
|
$this->authorize('viewAny', Expense::class);
|
|
|
|
$limit = $request->has('limit') ? $request->limit : 10;
|
|
|
|
$expenses = Expense::with('category', 'creator', 'fields')
|
|
->whereCompany()
|
|
->leftJoin('customers', 'customers.id', '=', 'expenses.customer_id')
|
|
->join('expense_categories', 'expense_categories.id', '=', 'expenses.expense_category_id')
|
|
->applyFilters($request->all())
|
|
->select('expenses.*', 'expense_categories.name', 'customers.name as user_name')
|
|
->paginateData($limit);
|
|
|
|
return ExpenseResource::collection($expenses)
|
|
->additional(['meta' => [
|
|
'expense_total_count' => Expense::whereCompany()->count(),
|
|
]]);
|
|
}
|
|
|
|
/**
|
|
* Store a newly created resource in storage.
|
|
*
|
|
* @return JsonResponse
|
|
*/
|
|
public function store(ExpenseRequest $request)
|
|
{
|
|
$this->authorize('create', Expense::class);
|
|
|
|
$expense = Expense::createExpense($request);
|
|
|
|
return new ExpenseResource($expense);
|
|
}
|
|
|
|
/**
|
|
* Display the specified resource.
|
|
*
|
|
* @return JsonResponse
|
|
*/
|
|
public function show(Expense $expense)
|
|
{
|
|
$this->authorize('view', $expense);
|
|
|
|
return new ExpenseResource($expense);
|
|
}
|
|
|
|
/**
|
|
* Update the specified resource in storage.
|
|
*
|
|
* @return JsonResponse
|
|
*/
|
|
public function update(ExpenseRequest $request, Expense $expense)
|
|
{
|
|
$this->authorize('update', $expense);
|
|
|
|
$expense->updateExpense($request);
|
|
|
|
return new ExpenseResource($expense);
|
|
}
|
|
|
|
public function delete(DeleteExpensesRequest $request)
|
|
{
|
|
$this->authorize('delete multiple expenses');
|
|
|
|
$ids = Expense::whereCompany()
|
|
->whereIn('id', $request->ids)
|
|
->pluck('id');
|
|
|
|
Expense::destroy($ids);
|
|
|
|
return response()->json([
|
|
'success' => true,
|
|
]);
|
|
}
|
|
}
|