mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-17 06:15:20 +00:00
Member view/update bound the target user by global id and authorized only that the requester owns their active company, not that the target belonged to it. Bind the route model under the members param and require shared company membership in UserPolicy so an owner of one company can no longer read or modify users of another. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
113 lines
2.7 KiB
PHP
113 lines
2.7 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Controllers\Company\Members;
|
|
|
|
use App\Http\Controllers\Controller;
|
|
use App\Http\Requests\DeleteMemberRequest;
|
|
use App\Http\Requests\MemberRequest;
|
|
use App\Http\Resources\UserResource;
|
|
use App\Models\User;
|
|
use App\Services\Company\MemberService;
|
|
use Illuminate\Http\JsonResponse;
|
|
use Illuminate\Http\Request;
|
|
|
|
class MembersController extends Controller
|
|
{
|
|
public function __construct(
|
|
private readonly MemberService $memberService,
|
|
) {}
|
|
|
|
/**
|
|
* Display a listing of the resource.
|
|
*
|
|
* @return JsonResponse
|
|
*/
|
|
public function index(Request $request)
|
|
{
|
|
$this->authorize('viewAny', User::class);
|
|
|
|
$limit = $request->has('limit') ? $request->limit : 10;
|
|
|
|
$user = $request->user();
|
|
|
|
$users = User::whereCompany()
|
|
->applyFilters($request->all())
|
|
->where('id', '<>', $user->id)
|
|
->latest()
|
|
->paginate($limit);
|
|
|
|
return UserResource::collection($users)
|
|
->additional(['meta' => [
|
|
'user_total_count' => User::whereCompany()->count(),
|
|
]]);
|
|
}
|
|
|
|
/**
|
|
* Store a newly created resource in storage.
|
|
*
|
|
* @return JsonResponse
|
|
*/
|
|
public function store(MemberRequest $request)
|
|
{
|
|
$this->authorize('create', User::class);
|
|
|
|
$user = $this->memberService->create($request);
|
|
|
|
return new UserResource($user);
|
|
}
|
|
|
|
/**
|
|
* Display the specified resource.
|
|
*
|
|
* @return JsonResponse
|
|
*/
|
|
public function show(User $member)
|
|
{
|
|
$this->authorize('view', $member);
|
|
|
|
return new UserResource($member);
|
|
}
|
|
|
|
/**
|
|
* Update the specified resource in storage.
|
|
*
|
|
* @return JsonResponse
|
|
*/
|
|
public function update(MemberRequest $request, User $member)
|
|
{
|
|
$this->authorize('update', $member);
|
|
|
|
$this->memberService->update($member, $request);
|
|
|
|
return new UserResource($member);
|
|
}
|
|
|
|
/**
|
|
* Display a listing of the resource.
|
|
*
|
|
* @param Request $request
|
|
* @return JsonResponse
|
|
*/
|
|
public function delete(DeleteMemberRequest $request)
|
|
{
|
|
$this->authorize('delete multiple users', User::class);
|
|
|
|
if ($request->users) {
|
|
// Scope the candidate ids to members of the acting company so a user
|
|
// from one company cannot delete accounts belonging to another.
|
|
$ids = User::whereCompany()
|
|
->whereIn('id', $request->users)
|
|
->pluck('id')
|
|
->toArray();
|
|
|
|
if ($ids) {
|
|
$this->memberService->delete($ids);
|
|
}
|
|
}
|
|
|
|
return response()->json([
|
|
'success' => true,
|
|
]);
|
|
}
|
|
}
|