Cutlery/invoiceninja
1
0
Fork 0
mirror of https://github.com/invoiceninja/invoiceninja.git synced 2025-06-05 04:34:36 -04:00
Code Issues Packages Projects Releases Wiki Activity

fixes for leaking bank transactions

Browse Source
This commit is contained in:
David Bomba 2022-11-14 10:02:01 +11:00
parent 59afb55963
commit 27936bfb7d
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
app/Http/Controllers/BaseController.php
View File

@ -12,6 +12,7 @@
namespace App\Http\Controllers; namespace App\Http\Controllers;
use App\Models\Account; use App\Models\Account;
use App\Models\BankTransaction;
use App\Models\Company; use App\Models\Company;
use App\Models\User; use App\Models\User;
use App\Transformers\ArraySerializer; use App\Transformers\ArraySerializer;
@ -819,12 +820,15 @@ class BaseController extends Controller
// 10-01-2022 need to ensure we snake case properly here to ensure permissions work as expected // 10-01-2022 need to ensure we snake case properly here to ensure permissions work as expected
// 28-03-2022 this is definitely correct here, do not append _ to the view, it resolved correctly when snake cased // 28-03-2022 this is definitely correct here, do not append _ to the view, it resolved correctly when snake cased
if (auth()->user() && ! auth()->user()->hasPermission('view'.lcfirst(class_basename(Str::snake($this->entity_type))))) { if (auth()->user() && ! auth()->user()->hasPermission('view'.lcfirst(class_basename(Str::snake($this->entity_type))))) {
//06-10-2022 - some entities do not have assigned_user_id - this becomes an issue when we have a large company and low permission users //06-10-2022 - some entities do not have assigned_user_id - this becomes an issue when we have a large company and low permission users
if(lcfirst(class_basename(Str::snake($this->entity_type))) == 'user') if(lcfirst(class_basename(Str::snake($this->entity_type))) == 'user')
$query->where('id', auth()->user()->id); $query->where('id', auth()->user()->id);
elseif(in_array(lcfirst(class_basename(Str::snake($this->entity_type))),['design','group_setting','payment_term','bank_transaction'])){ elseif($this->entity_type == BankTransaction::class){ //table without assigned_user_id
$query->where('user_id', '=', auth()->user()->id);
}
elseif(in_array(lcfirst(class_basename(Str::snake($this->entity_type))),['design','group_setting','payment_term'])){
//need to pass these back regardless //need to pass these back regardless
nlog($this->entity_type);
} }
else else
$query->where('user_id', '=', auth()->user()->id)->orWhere('assigned_user_id', auth()->user()->id); $query->where('user_id', '=', auth()->user()->id)->orWhere('assigned_user_id', auth()->user()->id);