Files
InvoiceShelf/app/Http/Controllers/V1/Customer/PaymentPdfController.php
Darko Gjorgjijoski 5839d8385d fix(security): harden public EmailLog token endpoints (GHSA-73q7) (#662)
Customer PDF controllers resolved the target document by raw mailable_id,
ignoring mailable_type, and skipped the expiry check on the JSON endpoints.

- Resolve via the $emailLog->mailable morph relation and assert the expected
  type (abort 404) so a token issued for one document type can't disclose
  another whose numeric id collides.
- Enforce isExpired() (abort 403) on every public path, including the JSON
  getInvoice/getEstimate/getPayment endpoints.
- Harden EmailLog::isExpired() to treat a null/unresolvable mailable as
  expired instead of throwing.

Adds tests for cross-type 404, JSON-path expiry 403, and the valid path.
2026-06-12 09:18:16 +02:00

31 lines
828 B
PHP

<?php
namespace App\Http\Controllers\V1\Customer;
use App\Http\Controllers\Controller;
use App\Http\Resources\PaymentResource;
use App\Models\EmailLog;
use App\Models\Payment;
use Illuminate\Http\Request;
class PaymentPdfController extends Controller
{
public function getPdf(EmailLog $emailLog, Request $request)
{
$payment = $emailLog->mailable;
abort_unless($payment instanceof Payment, 404);
abort_if($emailLog->isExpired(), 403, 'Link Expired.');
return $payment->getGeneratedPDFOrStream('payment');
}
public function getPayment(EmailLog $emailLog)
{
$payment = $emailLog->mailable;
abort_unless($payment instanceof Payment, 404);
abort_if($emailLog->isExpired(), 403, 'Link Expired.');
return new PaymentResource($payment);
}
}