Prevent cross site migration (#3594)

- php-cs-fixer applied
- Added new 'cross_migration_message'
- errors.blade.php - unescape characters

app/Http/Controllers/Migration/StepsController.php

@@ -76,7 +76,7 @@ class StepsController extends BaseController
     {
         session()->put('MIGRATION_TYPE', $request->option);
 
-        if($request->option == 0)
+        if ($request->option == 0)
             return redirect('/migration/auth');
 
         return redirect('/migration/endpoint');
@@ -84,7 +84,7 @@ class StepsController extends BaseController
 
     public function endpoint()
     {
-        if($this->shouldGoBack('endpoint'))
+        if ($this->shouldGoBack('endpoint'))
             return redirect($this->access['endpoint']['redirect']);
 
         return view('migration.endpoint');
@@ -92,7 +92,7 @@ class StepsController extends BaseController
 
     public function handleEndpoint(MigrationEndpointRequest $request)
     {
-        if($this->shouldGoBack('endpoint'))
+        if ($this->shouldGoBack('endpoint'))
             return redirect($this->access['endpoint']['redirect']);
 
         session()->put('MIGRATION_ENDPOINT', $request->endpoint);
@@ -102,23 +102,27 @@ class StepsController extends BaseController
 
     public function auth()
     {
-        if($this->shouldGoBack('auth'))
+        if ($this->shouldGoBack('auth'))
             return redirect($this->access['auth']['redirect']);
 
         return view('migration.auth');
     }
 
     public function handleAuth(MigrationAuthRequest $request)
-    {   
+    {
-        if($this->shouldGoBack('auth')) {
+        if ($this->shouldGoBack('auth')) {
             return redirect($this->access['auth']['redirect']);
         }
 
+        if (auth()->user()->email !== $request->email) {
+            return back()->with('responseErrors', [trans('texts.cross_migration_message')]);
+        }
+
         $authentication = (new AuthService($request->email, $request->password))
             ->endpoint(session('MIGRATION_ENDPOINT'))
             ->start();
 
-        if($authentication->isSuccessful()) {
+        if ($authentication->isSuccessful()) {
             session()->put('MIGRATION_ACCOUNT_TOKEN', $authentication->getAccountToken());
 
             return redirect('/migration/companies');
@@ -129,15 +133,15 @@ class StepsController extends BaseController
 
     public function companies()
     {
-        if($this->shouldGoBack('companies'))
+        if ($this->shouldGoBack('companies'))
             return redirect($this->access['companies']['redirect']);
 
         $companyService = (new CompanyService(session('MIGRATION_ACCOUNT_TOKEN')))
             ->endpoint(session('MIGRATION_ENDPOINT'))
             ->start();
 
-        if($companyService->isSuccessful()) {
+        if ($companyService->isSuccessful()) {
-            return view('migration.companies', ['companies' => $companyService->getCompanies()]);    
+            return view('migration.companies', ['companies' => $companyService->getCompanies()]);
         }
 
         return response()->json([
@@ -147,16 +151,16 @@ class StepsController extends BaseController
 
     public function handleCompanies(MigrationCompaniesRequest $request)
     {
-        if($this->shouldGoBack('companies'))
+        if ($this->shouldGoBack('companies'))
             return redirect($this->access['companies']['redirect']);
 
         foreach ($request->companies as $company) {
             $completeService = (new CompleteService(session('MIGRATION_ACCOUNT_TOKEN')))
-            ->file($this->getMigrationFile())
+                ->file($this->getMigrationFile())
-            ->force(array_key_exists('force', $company))
+                ->force(array_key_exists('force', $company))
-            ->company($company['id'])
+                ->company($company['id'])
-            ->endpoint(session('MIGRATION_ENDPOINT'))
+                ->endpoint(session('MIGRATION_ENDPOINT'))
-            ->start();
+                ->start();
         }
 
         return view('migration.completed');
@@ -178,9 +182,9 @@ class StepsController extends BaseController
         $redirect = true;
 
         foreach ($this->access[$step]['steps'] as $step) {
-            if(session()->has($step)) {
+            if (session()->has($step)) {
                 $redirect = false;
-            }  else {
+            } else {
                 $redirect = true;
             }
         }

resources/lang/en/texts.php

@@ -3535,6 +3535,7 @@ $LANG = array(
     'marked_credit_as_sent' => 'Successfully marked credit as sent',
     'email_subject_payment_partial' => 'Email Partial Payment Subject',
     'is_approved' => 'Is Approved',
+    'cross_migration_message' => 'Cross account migration is not allowed. Please read more about it here: <a href="https://invoiceninja.github.io/cross-site-migration.html">https://invoiceninja.github.io/cross-site-migration.html</a>'
 );
 
 return $LANG;

resources/views/migration/includes/errors.blade.php

@@ -1,9 +1,7 @@
 @if(session('responseErrors'))
 <div class="alert alert-danger">
-    <ul>
+    @foreach(session('responseErrors') as $error)
-        @foreach(session('responseErrors') as $error)
+        <p>{!! $error !!}</p>
-        <li>{{ $error }}</li>
+    @endforeach
-        @endforeach
-    </ul>
 </div>
 @endif