Allow circumvention of client portal passwords using designated hash

app/Http/Controllers/ClientPortal/EntityViewController.php

@@ -33,17 +33,18 @@ class EntityViewController extends Controller
 
         $key = $entity_type.'_id';
 
-        $invitation = $invitation_entity::whereRaw('BINARY `key`= ?', [$invitation_key])->firstOrFail();
+        $invitation = $invitation_entity::whereRaw('BINARY `key`= ?', [$invitation_key])
+                                        ->with('contact.client')
+                                        ->firstOrFail();
 
         $contact = $invitation->contact;
+        $client = $contact->client;
+        $entity = $invitation->{$entity_type};
 
         if (is_null($contact->password) || empty($contact->password)) {
             return redirect("/client/password/reset?email={$contact->email}");
         }
 
-        $entity_class = sprintf('App\\Models\\%s', ucfirst($entity_type));
-        $entity = $entity_class::findOrFail($invitation->{$key});
-
         if ((bool) $invitation->contact->client->getSetting('enable_client_portal_password') !== false) {
             session()->flash("{$entity_type}_VIEW_{$entity->hashed_id}", true);
         }

app/Http/Controllers/ClientPortal/InvitationController.php

@@ -37,29 +37,34 @@ class InvitationController extends Controller
 
         $entity_obj = 'App\Models\\'.ucfirst($entity).'Invitation';
 
-        $invitation = $entity_obj::whereRaw('BINARY `key`= ?', [$invitation_key])->first();
+        $invitation = $entity_obj::whereRaw('BINARY `key`= ?', [$invitation_key])
+                                    ->with('contact.client')
+                                    ->firstOrFail();
 
-        if ($invitation) {
+        /* Return early if we have the correct client_hash embedded */
-            if ((bool) $invitation->contact->client->getSetting('enable_client_portal_password') !== false) {
-                $this->middleware('auth:contact');
-            } else {
-                auth()->guard('contact')->login($invitation->contact, true);
-            }
 
-            if (! request()->has('silent') && ! $invitation->viewed_date) {
+        if(request()->has('client_hash') && request()->input('client_hash') == $invitation->contact->client->client_hash) {
-//            if (!request()->has('silent')) {
+            auth()->guard('contact')->login($invitation->contact, true);
-
-                $invitation->markViewed();
-
-                event(new InvitationWasViewed($invitation->{$entity}, $invitation, $invitation->{$entity}->company, Ninja::eventVars()));
-
-                $this->fireEntityViewedEvent($invitation, $entity);
-            }
-
-            return redirect()->route('client.'.$entity.'.show', [$entity => $this->encodePrimaryKey($invitation->{$key})]);
-        } else {
-            abort(404);
         }
+        else if ((bool) $invitation->contact->client->getSetting('enable_client_portal_password') !== false) {
+            $this->middleware('auth:contact');
+        } 
+        else {
+            auth()->guard('contact')->login($invitation->contact, true);
+        }
+
+        if (auth()->guard('contact') && ! request()->has('silent') && ! $invitation->viewed_date) {
+
+            $invitation->markViewed();
+
+            event(new InvitationWasViewed($invitation->{$entity}, $invitation, $invitation->{$entity}->company, Ninja::eventVars()));
+
+            $this->fireEntityViewedEvent($invitation, $entity);
+        }
+
+        return redirect()->route('client.'.$entity.'.show', [$entity => $this->encodePrimaryKey($invitation->{$key})]);
+
+
     }
 
     private function fireEntityViewedEvent($invitation, $entity_string)

config/filesystems.php

@@ -13,7 +13,7 @@ return [
     |
     */
 
-    'default' => env('FILESYSTEM_DRIVER', 'local'),
+    'default' => env('FILESYSTEM_DRIVER', 'public'),
 
     /*
     |--------------------------------------------------------------------------