From 4f5d5ef189b436eda0f6f6e68f66b7fbcc58ca31 Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Mon, 30 Oct 2023 16:26:43 +1100
Subject: [PATCH] Fixes for authorization in bulk action routes

---
 app/Http/Controllers/InvoiceController.php | 14 +++++++-------
 app/Http/Requests/Invoice/BulkInvoiceRequest.php | 1 +
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/app/Http/Controllers/InvoiceController.php b/app/Http/Controllers/InvoiceController.php
index 4de4263156da..d22a0d27cd87 100644
--- a/app/Http/Controllers/InvoiceController.php
+++ b/app/Http/Controllers/InvoiceController.php
@@ -487,13 +487,19 @@ class InvoiceController extends BaseController
         $user = auth()->user();
         $action = $request->input('action');
-        $ids = $request->input('ids');
         if (Ninja::isHosted() && (stripos($action, 'email') !== false) && !$user->company()->account->account_sms_verified) {
             return response(['message' => 'Please verify your account to send emails.'], 400);
         }
+        /**@var \App\Models\User $user */
+        $user = auth()->user();
+
+        if(in_array($request->action, ['auto_bill','mark_paid']) && $user->cannot('create', \App\Models\Payment::class)) {
+            return response(['message' => ctrans('texts.not_authorized'), 'errors' => ['ids' => [ctrans('texts.not_authorized')]]], 422);
+        }
+
         $invoices = Invoice::withTrashed()->whereIn('id', $this->transformKeys($ids))->company()->get();
         if (! $invoices) {
@@ -651,9 +657,6 @@ class InvoiceController extends BaseController
         /*If we are using bulk actions, we don't want to return anything */
         switch ($action) {
             case 'auto_bill':
-                if($user->cannot('create', Payment::class)) {
-                    return $this->errorResponse(['message' => ctrans('texts.action_unavailable', ['action' => $action])], 400);
-                }
                 AutoBill::dispatch($invoice->id, $invoice->company->db);
                 return $this->itemResponse($invoice);
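Review bot: Removing `$ids = $request->input('ids');` leaves the unchanged context line `$invoices = Invoice::withTrashed()->whereIn('id', $this->transformKeys($ids))->company()->get();` reading a variable that is no longer assigned anywhere visible in this hunk; unless `$ids` is set above line 487 (the method's opening is outside the hunk), the new code would raise an undefined-variable warning and pass `null` to `transformKeys()`, so the bulk query would run against an empty id set. The added `$user = auth()->user();` duplicates the hunk's first context line; moving the `@var` annotation onto that first assignment and dropping the second keeps a single source of truth. The new gate reads `$request->action` and calls `in_array()` without strict comparison while `$action` already holds `$request->input('action')` two lines up, and the controller already references `Payment::class` unqualified in the auto_bill block removed by the next hunk; `if (in_array($action, ['auto_bill', 'mark_paid'], true) && $user->cannot('create', Payment::class)) {` is consistent with the surrounding code. Placing the Payment-creation authorization before the query is the right shape, since the whole batch is now rejected with a 422 before any invoice is loaded, whereas the checks removed in the two later hunks only ran inside the per-action switch.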
@@ -677,9 +680,6 @@ class InvoiceController extends BaseController
                 // code...
                 break;
             case 'mark_paid':
-                if($user->cannot('create', \App\Models\Payment::class))
-                    return $this->errorResponse(['message' => ctrans('texts.action_unavailable', ['action' => $action])], 400);
-
                 if ($invoice->status_id == Invoice::STATUS_PAID || $invoice->is_deleted === true) {
                     return $this->errorResponse(['message' => ctrans('texts.invoice_cannot_be_marked_paid')], 400);
                 }
diff --git a/app/Http/Requests/Invoice/BulkInvoiceRequest.php b/app/Http/Requests/Invoice/BulkInvoiceRequest.php
index c46fe6db8069..e7d947d6fc93 100644
--- a/app/Http/Requests/Invoice/BulkInvoiceRequest.php
+++ b/app/Http/Requests/Invoice/BulkInvoiceRequest.php
@@ -12,6 +12,7 @@ namespace App\Http\Requests\Invoice;
 use App\Http\Requests\Request;
+use App\Models\Payment;
 class BulkInvoiceRequest extends Request {