InvoiceShelf/app/Http/Controllers/V1/Admin/Invoice/InvoicesController.php
Darko Gjorgjijoski 1adebe85b9 Scope all bulk deletes to current company and fix inverted ownership transfer (#605)
Bulk delete: filter IDs through whereCompany() before deleting in all
controllers (Invoices, Payments, Items, Expenses, Estimates, Recurring
Invoices). Previously, any user could delete records from other companies
by providing cross-company IDs.

Transfer ownership: fix inverted hasCompany() check that allowed
transferring company ownership to users who do NOT belong to the company,
while blocking users who DO belong.

Ref #567
2026-04-03 14:16:42 +02:00


<?php
namespace App\Http\Controllers\V1\Admin\Invoice;
use App\Http\Controllers\Controller;
use App\Http\Requests;
use App\Http\Requests\DeleteInvoiceRequest;
use App\Http\Resources\InvoiceResource;
use App\Jobs\GenerateInvoicePdfJob;
use App\Models\Invoice;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
class InvoicesController extends Controller
{
    /**
     * List the invoices of the current company, paginated and filtered.
     *
     * The page size comes from the `limit` request input (default 10); the
     * remaining request input is handed to the Invoice query's applyFilters().
     * The collection is returned with the company-wide invoice count under
     * `meta.invoice_total_count`.
     *
     * @return \Illuminate\Http\Resources\Json\AnonymousResourceCollection
     */
    public function index(Request $request)
    {
        $this->authorize('viewAny', Invoice::class);

        // NOTE(review): `limit` is client-controlled and is neither cast nor
        // bounded here; this relies on paginateData() capping the page size — confirm.
        $perPage = $request->input('limit', 10);

        $scoped = Invoice::whereCompany()
            ->applyFilters($request->all())
            ->with('customer')
            ->latest();

        $paginated = $scoped->paginateData($perPage);

        $meta = ['invoice_total_count' => Invoice::whereCompany()->count()];

        return InvoiceResource::collection($paginated)->additional(['meta' => $meta]);
    }

    /**
     * Create an invoice from the validated request, optionally emailing it.
     *
     * When the request carries `invoiceSend`, the new invoice is sent using the
     * request's subject and body before the PDF generation job is queued.
     *
     * @param Requests\InvoicesRequest $request
     * @return InvoiceResource
     */
    public function store(Requests\InvoicesRequest $request)
    {
        $this->authorize('create', Invoice::class);

        $created = Invoice::createInvoice($request);

        $shouldSend = $request->has('invoiceSend');
        if ($shouldSend) {
            $created->send($request->subject, $request->body);
        }

        GenerateInvoicePdfJob::dispatch($created);

        return new InvoiceResource($created);
    }

    /**
     * Return a single invoice after the `view` policy check passes.
     *
     * @return InvoiceResource
     */
    public function show(Request $request, Invoice $invoice)
    {
        $this->authorize('view', $invoice);

        return new InvoiceResource($invoice);
    }

    /**
     * Apply the validated request to an existing invoice.
     *
     * updateInvoice() may hand back a string instead of a model; that string
     * is treated as an error and passed to respondJson(). Otherwise the PDF is
     * regenerated (second dispatch argument `true`) and the updated resource
     * is returned.
     *
     * @param Requests\InvoicesRequest $request
     * @return InvoiceResource on success; otherwise the value of respondJson()
     */
    public function update(Requests\InvoicesRequest $request, Invoice $invoice)
    {
        $this->authorize('update', $invoice);

        $result = $invoice->updateInvoice($request);

        // A string result is the failure signal from updateInvoice().
        if (is_string($result)) {
            return respondJson($result, $result);
        }

        GenerateInvoicePdfJob::dispatch($result, true);

        return new InvoiceResource($result);
    }

    /**
     * Bulk-delete invoices by id.
     *
     * The submitted ids are resolved through whereCompany() first, so ids that
     * belong to another company simply do not match and are never deleted;
     * only invoices of the current company reach deleteInvoices().
     *
     * @param DeleteInvoiceRequest $request
     * @return JsonResponse
     */
    public function delete(DeleteInvoiceRequest $request)
    {
        $this->authorize('delete multiple invoices');

        // Intersect the requested ids with the current company's invoices;
        // this lookup is the tenant boundary for the bulk delete.
        $ownedIds = Invoice::whereCompany()
            ->whereIn('id', $request->ids)
            ->pluck('id');

        Invoice::deleteInvoices($ownedIds);

        return response()->json(['success' => true]);
    }
}