mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-17 06:15:20 +00:00
v3 port. Customer PDF controllers resolved the target document by raw mailable_id ignoring mailable_type, and skipped expiry on the JSON endpoints. - Resolve via $emailLog->mailable + assert the expected type (404) to close cross-type disclosure. - Enforce isExpired() (403) on every public path incl. the JSON endpoints. - Harden EmailLog::isExpired() against a null/unresolvable mailable. Adds tests for cross-type 404, JSON-path expiry 403, and the valid path.
31 lines
831 B
PHP
31 lines
831 B
PHP
<?php
|
|
|
|
namespace App\Http\Controllers\CustomerPortal;
|
|
|
|
use App\Http\Controllers\Controller;
|
|
use App\Http\Resources\PaymentResource;
|
|
use App\Models\EmailLog;
|
|
use App\Models\Payment;
|
|
use Illuminate\Http\Request;
|
|
|
|
class PaymentPdfController extends Controller
|
|
{
|
|
public function getPdf(EmailLog $emailLog, Request $request)
|
|
{
|
|
$payment = $emailLog->mailable;
|
|
abort_unless($payment instanceof Payment, 404);
|
|
abort_if($emailLog->isExpired(), 403, 'Link Expired.');
|
|
|
|
return $payment->getGeneratedPDFOrStream('payment');
|
|
}
|
|
|
|
public function getPayment(EmailLog $emailLog)
|
|
{
|
|
$payment = $emailLog->mailable;
|
|
abort_unless($payment instanceof Payment, 404);
|
|
abort_if($emailLog->isExpired(), 403, 'Link Expired.');
|
|
|
|
return new PaymentResource($payment);
|
|
}
|
|
}
|