* Fix CustomerPolicy missing hasCompany() check (cross-company IDOR) Add $user->hasCompany($customer->company_id) check to view, update, delete, restore, and forceDelete methods in CustomerPolicy, matching the pattern used by all other policies (InvoicePolicy, PaymentPolicy, EstimatePolicy, etc.). Without this check, a user in Company A with view-customer ability could access customers belonging to Company B by providing the target customer's ID. Add cross-company authorization tests to verify the fix. Closes #565 * Scope bulk delete to current company to prevent cross-company deletion Filter customer IDs through whereCompany() before passing to deleteCustomers(), ensuring users cannot delete customers belonging to other companies via the bulk delete endpoint.
<?php
namespace App\Http\Controllers\V1\Admin\Customer;
use App\Http\Controllers\Controller;
use App\Http\Requests;
use App\Http\Requests\DeleteCustomersRequest;
use App\Http\Resources\CustomerResource;
use App\Models\Customer;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
class CustomersController extends Controller
{
    /**
     * List the customers of the current company, paginated.
     *
     * The listing is scoped with whereCompany(), filtered from the request
     * parameters, and annotated with the summed invoice due amounts; the
     * response meta carries the company-wide customer count.
     *
     * @return \Illuminate\Http\Resources\Json\AnonymousResourceCollection
     */
    public function index(Request $request)
    {
        $this->authorize('viewAny', Customer::class);

        // Page size is taken from the request when the key is present,
        // otherwise falls back to 10.
        if ($request->has('limit')) {
            $pageSize = $request->limit;
        } else {
            $pageSize = 10;
        }

        $query = Customer::with('creator')->whereCompany();
        $query = $query->applyFilters($request->all());
        $query = $query->withSum('invoices as base_due_amount', 'base_due_amount');
        $query = $query->withSum('invoices as due_amount', 'due_amount');

        $page = $query->paginateData($pageSize);

        $meta = [
            'customer_total_count' => Customer::whereCompany()->count(),
        ];

        return CustomerResource::collection($page)->additional(['meta' => $meta]);
    }

    /**
     * Create a customer from a validated CustomerRequest.
     *
     * @param Requests\CustomerRequest $request
     * @return CustomerResource
     */
    public function store(Requests\CustomerRequest $request)
    {
        $this->authorize('create', Customer::class);

        $created = Customer::createCustomer($request);

        return new CustomerResource($created);
    }

    /**
     * Show a single customer.
     *
     * The route-bound model is passed to the 'view' policy check, so the
     * per-record authorization happens before anything is returned.
     *
     * @return CustomerResource
     */
    public function show(Customer $customer)
    {
        $this->authorize('view', $customer);

        return new CustomerResource($customer);
    }

    /**
     * Update a customer from a validated CustomerRequest.
     *
     * updateCustomer() reports a rejected currency change by returning a
     * string instead of a model; that case is turned into an error response.
     *
     * @param Requests\CustomerRequest $request
     * @return CustomerResource|JsonResponse
     */
    public function update(Requests\CustomerRequest $request, Customer $customer)
    {
        $this->authorize('update', $customer);

        $result = Customer::updateCustomer($request, $customer);

        return is_string($result)
            ? respondJson('you_cannot_edit_currency', 'Cannot change currency once transactions created')
            : new CustomerResource($result);
    }

    /**
     * Remove a list of Customers along side all their resources (ie. Estimates, Invoices, Payments and Addresses)
     *
     * @param DeleteCustomersRequest $request
     * @return JsonResponse
     */
    public function delete(DeleteCustomersRequest $request)
    {
        $this->authorize('delete multiple customers');

        // Only ids that belong to the current company survive this lookup:
        // an id from another company in the request body is dropped here
        // instead of reaching deleteCustomers().
        $scoped = Customer::whereCompany()->whereIn('id', $request->ids);
        $ownIds = $scoped->pluck('id');

        Customer::deleteCustomers($ownIds);

        return response()->json(['success' => true]);
    }
}