Fix permission issue with quotes

2025-06-03 08:24:34 -04:00 · 2016-05-26 15:50:23 +03:00 · 2016-05-26 15:50:23 +03:00 · 29bccd650d
commit 29bccd650d
parent 84736dac9d
2 changed files with 17 additions and 8 deletions
--- a/app/Http/Controllers/QuoteController.php
+++ b/app/Http/Controllers/QuoteController.php
@ -113,16 +113,16 @@ class QuoteController extends BaseController
        $rates = TaxRate::scope()->orderBy('name')->get();
        $options = [];
        $defaultTax = false;
-        
+
        foreach ($rates as $rate) {
-            $options[$rate->rate . ' ' . $rate->name] = $rate->name . ' ' . ($rate->rate+0) . '%';            
-        
+            $options[$rate->rate . ' ' . $rate->name] = $rate->name . ' ' . ($rate->rate+0) . '%';
+
            // load default invoice tax
            if ($rate->id == $account->default_tax_rate_id) {
                $defaultTax = $rate;
            }
-        }     
-        
+        }
+
        return [
          'entityType' => ENTITY_QUOTE,
          'account' => Auth::user()->account,
@ -130,7 +130,7 @@ class QuoteController extends BaseController
          'taxRateOptions' => $options,
          'defaultTax' => $defaultTax,
          'countries' => Cache::get('countries'),
-          'clients' => Client::scope()->with('contacts', 'country')->orderBy('name')->get(),
+          'clients' => Client::scope()->viewable()->with('contacts', 'country')->orderBy('name')->get(),
          'taxRates' => TaxRate::scope()->orderBy('name')->get(),
          'currencies' => Cache::get('currencies'),
          'sizes' => Cache::get('sizes'),
--- a/app/Models/EntityModel.php
+++ b/app/Models/EntityModel.php
@ -30,7 +30,7 @@ class EntityModel extends Eloquent
        } else {
            $lastEntity = $className::scope(false, $entity->account_id);
        }
-        
+
        $lastEntity = $lastEntity->orderBy('public_id', 'DESC')
                        ->first();

@ -86,6 +86,15 @@ class EntityModel extends Eloquent
        return $query;
    }

+    public function scopeViewable($query)
+    {
+        if (Auth::check() && ! Auth::user()->hasPermission('view_all')) {
+            $query->where($this->getEntityType(). 's.user_id', '=', Auth::user()->id);
+        }
+
+        return $query;
+    }
+
    public function scopeWithArchived($query)
    {
        return $query->withTrashed()->where('is_deleted', '=', false);
@ -110,7 +119,7 @@ class EntityModel extends Eloquent
    {
        return 'App\\Ninja\\Transformers\\' . ucwords(Utils::toCamelCase($entityType)) . 'Transformer';
    }
-    
+
    public function setNullValues()
    {
        foreach ($this->fillable as $field) {