mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-16 22:05:20 +00:00
v3 port. Customer PDF controllers resolved the target document by raw mailable_id ignoring mailable_type, and skipped expiry on the JSON endpoints. - Resolve via $emailLog->mailable + assert the expected type (404) to close cross-type disclosure. - Enforce isExpired() (403) on every public path incl. the JSON endpoints. - Harden EmailLog::isExpired() against a null/unresolvable mailable. Adds tests for cross-type 404, JSON-path expiry 403, and the valid path.
47 lines
1.3 KiB
PHP
47 lines
1.3 KiB
PHP
<?php
|
|
|
|
namespace App\Models;
|
|
|
|
use Carbon\Carbon;
|
|
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
|
use Illuminate\Database\Eloquent\Model;
|
|
use Illuminate\Database\Eloquent\Relations\MorphTo;
|
|
|
|
class EmailLog extends Model
|
|
{
|
|
use HasFactory;
|
|
|
|
protected $guarded = ['id'];
|
|
|
|
public function mailable(): MorphTo
|
|
{
|
|
return $this->morphTo();
|
|
}
|
|
|
|
/**
|
|
* Check if the email log's public link has expired based on the owning
|
|
* company's link expiry settings (link_expiry_days and automatically_expire_public_links).
|
|
*/
|
|
public function isExpired(): bool
|
|
{
|
|
$mailable = $this->mailable;
|
|
|
|
// A token whose target document no longer resolves is treated as
|
|
// expired/invalid rather than throwing.
|
|
if (! $mailable) {
|
|
return true;
|
|
}
|
|
|
|
$linkExpiryDays = (int) CompanySetting::getSetting('link_expiry_days', $mailable->company_id);
|
|
$checkExpiryLinks = CompanySetting::getSetting('automatically_expire_public_links', $mailable->company_id);
|
|
|
|
$expiryDate = $this->created_at->addDays($linkExpiryDays);
|
|
|
|
if ($checkExpiryLinks == 'YES' && Carbon::now()->format('Y-m-d') > $expiryDate->format('Y-m-d')) {
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
}
|