From 5320b953db6e160c595d4a7790f5af37a4bb2451 Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Thu, 12 Jan 2023 13:40:26 +1100
Subject: [PATCH] Fix for data leak on products route when using the ?with filter
---
app/Filters/QueryFilters.php | 3 ++-
app/Services/Subscription/SubscriptionService.php | 11 ++++-------
2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/app/Filters/QueryFilters.php b/app/Filters/QueryFilters.php
index 91752e747360..a735d70ffdca 100644
--- a/app/Filters/QueryFilters.php
+++ b/app/Filters/QueryFilters.php
@@ -251,6 +251,7 @@ abstract class QueryFilters
 {
 return $this->builder
 ->orWhere($this->with_property, $value)
- ->orderByRaw("{$this->with_property} = ? DESC", [$value]);
+ ->orderByRaw("{$this->with_property} = ? DESC", [$value])
+ ->company();
 }
 }
diff --git a/app/Services/Subscription/SubscriptionService.php b/app/Services/Subscription/SubscriptionService.php
index f4439c922e59..ba5fe331a5ad 100644
--- a/app/Services/Subscription/SubscriptionService.php
+++ b/app/Services/Subscription/SubscriptionService.php
@@ -239,11 +239,6 @@ class SubscriptionService
 ->where('status_id', Invoice::STATUS_PAID)
 ->first();
-if($last_invoice)
- nlog($last_invoice->toArray());
-else
- nlog("no invoice found");
-
 $refund = $this->calculateProRataRefundForSubscription($last_invoice);
 if($use_credit_setting != 'off')
@@ -340,7 +335,7 @@ else
 */
 private function calculateProRataRefundForSubscription($invoice) :float
 {
- if(!$invoice || !$invoice->date)
+ if(!$invoice || !$invoice->date || $invoice->status_id != Invoice::STATUS_PAID)
 return 0;
 $start_date = Carbon::parse($invoice->date);
@@ -486,7 +481,7 @@ else
 ->where('client_id', $recurring_invoice->client_id)
 ->where('is_proforma',0)
 ->where('is_deleted', 0)
- ->where('status_id', Invoice::STATUS_PAID)
+ ->whereIn('status_id', [Invoice::STATUS_SENT, Invoice::STATUS_PARTIAL, Invoice::STATUS_PAID])
 ->withTrashed()
 ->orderBy('id', 'desc')
 ->first();
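Review bot: The tenancy constraint added by `->company()` after the `orWhere` line is joined to the `with_property` match only through SQL precedence (`AND` binds tighter than `OR`), so whether rows from other companies are excluded depends on the clauses already on `$this->builder` when `with()` runs rather than on this method itself. Grouping the alternative makes the scope explicit whatever precedes it, e.g. `->orWhere(fn ($q) => $q->where($this->with_property, $value)->company())`, assuming `company()` is a model scope reachable from the nested builder (its definition is not visible here). `orderByRaw` still interpolates `$this->with_property` into SQL, which is only safe while that property is a fixed column name set by the concrete filter and never derived from the request; a one-line comment stating that invariant above the `return` would help the next maintainer keep it. The `with()` method starts outside the hunk.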
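Review bot: The new guard in `calculateProRataRefundForSubscription` compares `$invoice->status_id` with `!=`, a loose comparison that happens to work whether the attribute arrives as an int or as a numeric string from the database; the intent would be clearer and analyser-checkable with an explicit cast and strict comparison, `if (!$invoice || !$invoice->date || (int) $invoice->status_id !== Invoice::STATUS_PAID)`, assuming the `Invoice::STATUS_*` constants are ints. Typing the parameter as `?Invoice $invoice` would also document that `null` is an accepted input and let static analysis see which properties are read. The method's body continues past the hunk.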
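Review bot: The `whereIn` line widens `$last_invoice` from the latest paid invoice to the latest sent, partial or paid one, but nothing at the query explains why an unpaid invoice should now be selected; the reader has to find the `STATUS_PAID` guard added to `calculateProRataRefundForSubscription` in this same patch to see that an unpaid latest invoice is presumably meant to yield a zero refund rather than falling back to an older paid one. A comment above the query such as `// latest invoice of any sent status, not the latest paid one: an unpaid latest invoice yields a 0 pro-rata refund (see calculateProRataRefundForSubscription)` would make that coupling explicit, since the two pieces of logic live far apart. The enclosing method starts and ends outside the hunk.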
@@ -626,6 +621,7 @@ else
 $last_invoice = Invoice::where('subscription_id', $recurring_invoice->subscription_id)
 ->where('client_id', $recurring_invoice->client_id)
+ ->where('is_proforma',0)
 ->where('is_deleted', 0)
 ->withTrashed()
 ->orderBy('id', 'desc')
@@ -673,6 +669,7 @@ else
 $last_invoice = Invoice::where('subscription_id', $recurring_invoice->subscription_id)
 ->where('client_id', $recurring_invoice->client_id)
 ->where('is_deleted', 0)
+ ->where('is_proforma',0)
 ->withTrashed()
 ->orderBy('id', 'desc')
 ->first();
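Review bot: The `is_proforma` filter is being patched into two more hand-copied versions of the same `$last_invoice` lookup (the hunks at -626 and -673, alongside the one at -486 earlier in this patch), and the clause order even differs between copies, which is how the filter came to be missing in the first place. Moving the constraints every copy must share into one private query helper, with each caller adding only its own status filter and ordering, would keep the proforma and deleted filters from drifting apart again. Both enclosing methods start and end outside their hunks.
```php
/** Base lookup shared by the $last_invoice queries; callers add status filters and ordering. */
private function lastInvoiceQuery($recurring_invoice)
{
    return Invoice::where('subscription_id', $recurring_invoice->subscription_id)
        ->where('client_id', $recurring_invoice->client_id)
        ->where('is_proforma', 0)
        ->where('is_deleted', 0)
        ->withTrashed();
}

// … unchanged: surrounding method body …
$last_invoice = $this->lastInvoiceQuery($recurring_invoice)
    ->orderBy('id', 'desc')
    ->first();
```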