Fix for data leak on products route when using the ?with filter

2025-07-09 03:14:30 -04:00 · 2023-01-12 13:40:26 +11:00 · 2023-01-12 13:40:26 +11:00 · 5320b953db
commit 5320b953db
parent 0885b2a7c1
2 changed files with 6 additions and 8 deletions
--- a/app/Filters/QueryFilters.php
+++ b/app/Filters/QueryFilters.php
@ -251,6 +251,7 @@ abstract class QueryFilters
    {
        return $this->builder
            ->orWhere($this->with_property, $value)
-            ->orderByRaw("{$this->with_property} = ? DESC", [$value]);
+            ->orderByRaw("{$this->with_property} = ? DESC", [$value])
+            ->company();
    }
 }
--- a/app/Services/Subscription/SubscriptionService.php
+++ b/app/Services/Subscription/SubscriptionService.php
@ -239,11 +239,6 @@ class SubscriptionService
                                ->where('status_id', Invoice::STATUS_PAID)
                                ->first();

-if($last_invoice)
-    nlog($last_invoice->toArray());
-else
-    nlog("no invoice found");
-
        $refund = $this->calculateProRataRefundForSubscription($last_invoice);

        if($use_credit_setting != 'off')
@ -340,7 +335,7 @@ else
     */
    private function calculateProRataRefundForSubscription($invoice) :float
    {
-        if(!$invoice || !$invoice->date)
+        if(!$invoice || !$invoice->date || $invoice->status_id != Invoice::STATUS_PAID)
            return 0;

        $start_date = Carbon::parse($invoice->date);
@ -486,7 +481,7 @@ else
                                         ->where('client_id', $recurring_invoice->client_id)
                                         ->where('is_proforma',0)
                                         ->where('is_deleted', 0)
-                                         ->where('status_id', Invoice::STATUS_PAID)
+                                         ->whereIn('status_id', [Invoice::STATUS_SENT, Invoice::STATUS_PARTIAL, Invoice::STATUS_PAID])
                                         ->withTrashed()
                                         ->orderBy('id', 'desc')
                                         ->first();
@ -626,6 +621,7 @@ else

        $last_invoice = Invoice::where('subscription_id', $recurring_invoice->subscription_id)
                                         ->where('client_id', $recurring_invoice->client_id)
+                                         ->where('is_proforma',0)
                                         ->where('is_deleted', 0)
                                         ->withTrashed()
                                         ->orderBy('id', 'desc')
@ -673,6 +669,7 @@ else
        $last_invoice = Invoice::where('subscription_id', $recurring_invoice->subscription_id)
                                         ->where('client_id', $recurring_invoice->client_id)
                                         ->where('is_deleted', 0)
+                                         ->where('is_proforma',0)
                                         ->withTrashed()
                                         ->orderBy('id', 'desc')
                                         ->first();