mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-17 22:35:19 +00:00
v3 port of the v2 authorization fixes. - Notes IDOR (GHSA-85wc): NotePolicy checks the note's company_id and NotesController passes the bound model to authorize() on show/update/destroy. - Estimate<->Invoice convert IDOR (GHSA-j2vg): EstimatesController::convertToInvoice and InvoicesController::convertToEstimate authorize 'view' on the source document before creating the target. - Member bulk-delete (GHSA-wxrv): MembersController scopes ids via User::whereCompany() before MemberService::delete. Adds feature tests for cross-company 403s + same-company happy paths.
94 lines
2.4 KiB
PHP
94 lines
2.4 KiB
PHP
<?php
|
|
|
|
use App\Models\Company;
|
|
use App\Models\Note;
|
|
use App\Models\User;
|
|
use Illuminate\Support\Facades\Artisan;
|
|
use Laravel\Sanctum\Sanctum;
|
|
|
|
use function Pest\Laravel\deleteJson;
|
|
use function Pest\Laravel\getJson;
|
|
use function Pest\Laravel\postJson;
|
|
use function Pest\Laravel\putJson;
|
|
|
|
beforeEach(function () {
|
|
Artisan::call('db:seed', ['--class' => 'DatabaseSeeder', '--force' => true]);
|
|
Artisan::call('db:seed', ['--class' => 'DemoSeeder', '--force' => true]);
|
|
|
|
$user = User::find(1);
|
|
$this->withHeaders([
|
|
'company' => $user->companies()->first()->id,
|
|
]);
|
|
Sanctum::actingAs(
|
|
$user,
|
|
['*']
|
|
);
|
|
});
|
|
|
|
test('retrieve notes', function () {
|
|
getJson('/api/v1/notes')->assertStatus(200);
|
|
});
|
|
|
|
test('create note', function () {
|
|
$note = Note::factory()->raw();
|
|
|
|
postJson('/api/v1/notes', $note)->assertStatus(201);
|
|
|
|
$this->assertDatabaseHas('notes', $note);
|
|
});
|
|
|
|
test('retrieve note', function () {
|
|
$note = Note::factory()->create();
|
|
|
|
getJson("/api/v1/notes/{$note->id}")
|
|
->assertStatus(200);
|
|
});
|
|
|
|
test('update note', function () {
|
|
$note = Note::factory()->create();
|
|
|
|
$data = Note::factory()->raw();
|
|
|
|
putJson("/api/v1/notes/{$note->id}", $data)
|
|
->assertStatus(200);
|
|
|
|
$this->assertDatabaseHas('notes', $data);
|
|
});
|
|
|
|
test('delete note', function () {
|
|
$note = Note::factory()->create();
|
|
|
|
deleteJson("/api/v1/notes/{$note->id}")
|
|
->assertStatus(200)
|
|
->assertJson([
|
|
'success' => true,
|
|
]);
|
|
|
|
$this->assertModelMissing($note);
|
|
});
|
|
|
|
test('cannot retrieve a note belonging to another company', function () {
|
|
$note = Note::factory()->create(['company_id' => Company::factory()->create()->id]);
|
|
|
|
getJson("/api/v1/notes/{$note->id}")->assertStatus(403);
|
|
});
|
|
|
|
test('cannot update a note belonging to another company', function () {
|
|
$note = Note::factory()->create([
|
|
'company_id' => Company::factory()->create()->id,
|
|
'name' => 'original-name',
|
|
]);
|
|
|
|
putJson("/api/v1/notes/{$note->id}", Note::factory()->raw())->assertStatus(403);
|
|
|
|
$this->assertDatabaseHas('notes', ['id' => $note->id, 'name' => 'original-name']);
|
|
});
|
|
|
|
test('cannot delete a note belonging to another company', function () {
|
|
$note = Note::factory()->create(['company_id' => Company::factory()->create()->id]);
|
|
|
|
deleteJson("/api/v1/notes/{$note->id}")->assertStatus(403);
|
|
|
|
$this->assertModelExists($note);
|
|
});
|