Cutlery/invoiceninja
1
0
Fork 0
mirror of https://github.com/invoiceninja/invoiceninja.git synced 2025-07-09 03:14:30 -04:00
Code Issues Packages Projects Releases Wiki Activity

Enhance bulk action guards + validation layer

Browse Source
This commit is contained in:
David Bomba 2023-01-22 16:34:47 +11:00
parent 33b3ea73b8
commit 5888252267
24 changed files with 208 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/Http/Controllers/BankIntegrationController.php
View File

@ -619,7 +619,7 @@ class BankIntegrationController extends BaseController
if(!$bank_account_id)
return response()->json(['message' => 'Not yet authenticated with Bank Integration service'], 400);
$bi = BankIntegration::withTrashed()->where('bank_account_id', $acc_id)->where('company_id', auth()->user()->company()->id)->firstOrFail();
$bi = BankIntegration::withTrashed()->where('bank_account_id', $acc_id)->company()->firstOrFail();
$yodlee = new Yodlee($bank_account_id);
$res = $yodlee->deleteAccount($acc_id);

18
app/Http/Controllers/ClientController.php
View File

@ -498,17 +498,19 @@ class ClientController extends BaseController
public function bulk(BulkClientRequest $request)
{
$ids = request()->input('ids');
$clients = Client::withTrashed()->whereIn('id', $this->transformKeys($ids))->cursor();
$action = $request->action;
$clients->each(function ($client, $key) use ($action) {
if (auth()->user()->can('edit', $client)) {
$this->client_repo->{$action}($client);
}
});
$clients = Client::withTrashed()
->company()
->whereIn('id', $request->ids)
->cursor()
->each(function ($client) use ($action) {
if (auth()->user()->can('edit', $client)) {
$this->client_repo->{$action}($client);
}
});
return $this->listResponse(Client::withTrashed()->whereIn('id', $this->transformKeys($ids)));
return $this->listResponse(Client::withTrashed()->company()->whereIn('id', $request->ids));
}
/**

3
app/Http/Controllers/CompanyGatewayController.php
View File

@ -505,11 +505,12 @@ class CompanyGatewayController extends BaseController
$company_gateways = CompanyGateway::withTrashed()
->whereIn('id',$this->transformKeys($ids))
->company()
->cursor()
->each(function ($company_gateway, $key) use ($action) {
$this->company_repo->{$action}($company_gateway);
});
return $this->listResponse(CompanyGateway::withTrashed()->whereIn('id', $this->transformKeys($ids)));
return $this->listResponse(CompanyGateway::withTrashed()->company()->whereIn('id', $this->transformKeys($ids)));
}
}

2
app/Http/Controllers/CompanyLedgerController.php
View File

@ -64,7 +64,7 @@ class CompanyLedgerController extends BaseController
*/
public function index(ShowCompanyLedgerRequest $request)
{
$company_ledger = CompanyLedger::whereCompanyId(auth()->user()->company()->id)->orderBy('id', 'ASC');
$company_ledger = CompanyLedger::where('company_id', auth()->user()->company()->id)->orderBy('id', 'ASC');
return $this->listResponse($company_ledger);
}

3
app/Http/Controllers/CreditController.php
View File

@ -498,7 +498,6 @@ class CreditController extends BaseController
public function bulk(BulkCreditRequest $request)
{
$action = $request->input('action');
$ids = $request->input('ids');
if(Ninja::isHosted() && (stripos($action, 'email') !== false) && !auth()->user()->company()->account->account_sms_verified)
@ -548,7 +547,7 @@ class CreditController extends BaseController
}
});
return $this->listResponse(Credit::withTrashed()->whereIn('id', $this->transformKeys($ids)));
return $this->listResponse(Credit::withTrashed()->company()->whereIn('id', $this->transformKeys($ids)));
}
public function action(ActionCreditRequest $request, Credit $credit, $action)

4
app/Http/Controllers/DesignController.php
View File

@ -520,7 +520,7 @@ class DesignController extends BaseController
$ids = request()->input('ids');
$designs = Design::withTrashed()->find($this->transformKeys($ids));
$designs = Design::withTrashed()->company()->whereIn('id', $this->transformKeys($ids));
$designs->each(function ($design, $key) use ($action) {
if (auth()->user()->can('edit', $design)) {
@ -528,7 +528,7 @@ class DesignController extends BaseController
}
});
return $this->listResponse(Design::withTrashed()->whereIn('id', $this->transformKeys($ids)));
return $this->listResponse(Design::withTrashed()->company()->whereIn('id', $this->transformKeys($ids)));
}
public function default(DefaultDesignRequest $request)

17
app/Http/Requests/Client/BulkClientRequest.php
View File

@ -12,9 +12,14 @@
namespace App\Http\Requests\Client;
use App\Http\Requests\Request;
use App\Models\Client;
use App\Utils\Traits\MakesHash;
use Illuminate\Validation\Rule;
class BulkClientRequest extends Request
{
use MakesHash;
/**
* Determine if the user is authorized to make this request.
*
@ -29,9 +34,19 @@ class BulkClientRequest extends Request
{
return [
'ids' => 'required|bail|array',
'ids' => ['required','bail','array',Rule::exists('clients','id')->where('company_id', auth()->user()->company()->id)],
'action' => 'in:archive,restore,delete'
];
}
public function prepareForValidation()
{
$input = $this->all();
if(isset($input['ids']))
$input['ids'] = $this->transformKeys($input['ids']);
$this->replace($input);
}
}

5
app/Models/Account.php
View File

@ -22,7 +22,7 @@ use App\Utils\Ninja;
use App\Utils\Traits\MakesHash;
use Carbon\Carbon;
use DateTime;
use Illuminate\Database\Eloquent\ModelNotFoundException;
use Illuminate\Database\Eloquent\ModelNotFoundException as ModelNotFoundException;
use Illuminate\Support\Facades\App;
use Illuminate\Support\Facades\Cache;
use Laracasts\Presenter\PresentableTrait;
@ -500,7 +500,8 @@ class Account extends BaseModel
}
return $this
->where('id', $this->decodePrimaryKey($value))->firstOrFail();
->where('id', $this->decodePrimaryKey($value))
->firstOrFail();
}
public function getTrialDays()

28
app/Models/Activity.php
View File

@ -12,6 +12,7 @@
namespace App\Models;
use App\Utils\Traits\MakesHash;
use Illuminate\Database\Eloquent\ModelNotFoundException as ModelNotFoundException;
class Activity extends StaticModel
{
@ -374,17 +375,18 @@ class Activity extends StaticModel
return $this->belongsTo(Company::class);
}
/**
* @return mixed
*/
public function resolveRouteBinding($value, $field = null)
{
if (is_numeric($value)) {
throw new ModelNotFoundException("Record with value {$value} not found");
}
// /**
// * @return mixed
// */
// public function resolveRouteBinding($value, $field = null)
// {
// if (is_numeric($value)) {
// throw new ModelNotFoundException("Record with value {$value} not found");
// }
return $this
//->withTrashed()
->where('id', $this->decodePrimaryKey($value))->firstOrFail();
}
}
// return $this
// //->withTrashed()
// ->where('id', $this->decodePrimaryKey($value))->firstOrFail();
// }
}

1
app/Models/BaseModel.php
View File

@ -174,6 +174,7 @@ class BaseModel extends Model
return $this
->withTrashed()
->company()
->where('id', $this->decodePrimaryKey($value))->firstOrFail();
}

1
app/Models/ClientContact.php
View File

@ -240,6 +240,7 @@ class ClientContact extends Authenticatable implements HasLocalePreference
{
return $this
->withTrashed()
->company()
->where('id', $this->decodePrimaryKey($value))->firstOrFail();
}

24
app/Models/ClientGatewayToken.php
View File

@ -70,16 +70,16 @@ class ClientGatewayToken extends BaseModel
return $this->belongsTo(User::class)->withTrashed();
}
/**
* Retrieve the model for a bound value.
*
* @param mixed $value
* @param null $field
* @return Model|null
*/
public function resolveRouteBinding($value, $field = null)
{
return $this
->where('id', $this->decodePrimaryKey($value))->firstOrFail();
}
// /**
// * Retrieve the model for a bound value.
// *
// * @param mixed $value
// * @param null $field
// * @return Model|null
// */
// public function resolveRouteBinding($value, $field = null)
// {
// return $this
// ->where('id', $this->decodePrimaryKey($value))->firstOrFail();
// }
}

4
app/Models/Company.php
View File

@ -584,7 +584,9 @@ class Company extends BaseModel
public function resolveRouteBinding($value, $field = null)
{
return $this->where('id', $this->decodePrimaryKey($value))->firstOrFail();
return $this->where('id', $this->decodePrimaryKey($value))
->where('account_id', auth()->user()->account_id)
->firstOrFail();
}
public function domain()

10
app/Models/CompanyGateway.php
View File

@ -412,12 +412,12 @@ class CompanyGateway extends BaseModel
return route('payment_webhook', ['company_key' => $this->company->company_key, 'company_gateway_id' => $this->hashed_id]);
}
public function resolveRouteBinding($value, $field = null)
{
// public function resolveRouteBinding($value, $field = null)
// {
return $this
->where('id', $this->decodePrimaryKey($value))->withTrashed()->firstOrFail();
}
// return $this
// ->where('id', $this->decodePrimaryKey($value))->withTrashed()->firstOrFail();
// }
}

12
app/Models/GroupSetting.php
View File

@ -65,16 +65,4 @@ class GroupSetting extends StaticModel
return $this->morphMany(Document::class, 'documentable');
}
/**
* Retrieve the model for a bound value.
*
* @param mixed $value
* @param null $field
* @return Model|null
*/
public function resolveRouteBinding($value, $field = null)
{
return $this
->where('id', $this->decodePrimaryKey($value))->firstOrFail();
}
}

13
app/Models/Payment.php
View File

@ -292,12 +292,13 @@ class Payment extends BaseModel
return new PaymentService($this);
}
public function resolveRouteBinding($value, $field = null)
{
return $this
->withTrashed()
->where('id', $this->decodePrimaryKey($value))->firstOrFail();
}
// public function resolveRouteBinding($value, $field = null)
// {
// return $this
// ->withTrashed()
// ->where('id', $this->decodePrimaryKey($value))->firstOrFail();
// }
public function refund(array $data) :self
{

24
app/Models/StaticModel.php
View File

@ -11,10 +11,14 @@
namespace App\Models;
use App\Utils\Traits\MakesHash;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\ModelNotFoundException as ModelNotFoundException;
class StaticModel extends Model
{
use MakesHash;
protected $casts = [
'updated_at' => 'timestamp',
'created_at' => 'timestamp',
@ -37,4 +41,24 @@ class StaticModel extends Model
return $query;
}
/**
* Retrieve the model for a bound value.
*
* @param mixed $value
* @param null $field
* @return Model|null
*/
public function resolveRouteBinding($value, $field = null)
{
if (is_numeric($value)) {
throw new ModelNotFoundException("Record with value {$value} not found");
}
return $this
->withTrashed()
->company()
->where('id', $this->decodePrimaryKey($value))->firstOrFail();
}
}

4
app/Models/SystemLog.php
View File

@ -148,7 +148,9 @@ class SystemLog extends Model
}
return $this
->where('id', $this->decodePrimaryKey($value))->firstOrFail();
->where('id', $this->decodePrimaryKey($value))
->company()
->firstOrFail();
}
/*

5
app/Models/User.php
View File

@ -193,7 +193,6 @@ class User extends Authenticatable implements MustVerifyEmail
return $truth->getCompany();
} elseif (request()->header('X-API-TOKEN')) {
$company_token = CompanyToken::with(['company'])->where('token', request()->header('X-API-TOKEN'))->first();
return $company_token->company;
}
@ -441,7 +440,9 @@ class User extends Authenticatable implements MustVerifyEmail
{
return $this
->withTrashed()
->where('id', $this->decodePrimaryKey($value))->firstOrFail();
->where('id', $this->decodePrimaryKey($value))
->where('account_id', auth()->user()->account_id)
->firstOrFail();
}
/**

4
app/Models/VendorContact.php
View File

@ -145,7 +145,9 @@ class VendorContact extends Authenticatable implements HasLocalePreference
{
return $this
->withTrashed()
->where('id', $this->decodePrimaryKey($value))->firstOrFail();
->company()
->where('id', $this->decodePrimaryKey($value))
->firstOrFail();
}
public function purchase_order_invitations(): \Illuminate\Database\Eloquent\Relations\HasMany

4
app/Providers/RouteServiceProvider.php
View File

@ -13,7 +13,7 @@ namespace App\Providers;
use App\Models\Scheduler;
use App\Utils\Traits\MakesHash;
use Illuminate\Database\Eloquent\ModelNotFoundException;
use Illuminate\Database\Eloquent\ModelNotFoundException as ModelNotFoundException;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Route;
@ -30,7 +30,6 @@ class RouteServiceProvider extends ServiceProvider
{
parent::boot();
Route::bind('task_scheduler', function ($value) {
if (is_numeric($value)) {
@ -39,6 +38,7 @@ class RouteServiceProvider extends ServiceProvider
return Scheduler::query()
->withTrashed()
->company()
->where('id', $this->decodePrimaryKey($value))->firstOrFail();
});

93
tests/Feature/ClientApiTest.php
View File

@ -13,8 +13,13 @@ namespace Tests\Feature;
use App\DataMapper\ClientSettings;
use App\Factory\ClientFactory;
use App\Factory\CompanyUserFactory;
use App\Http\Requests\Client\StoreClientRequest;
use App\Models\Account;
use App\Models\Client;
use App\Models\Company;
use App\Models\CompanyToken;
use App\Models\User;
use App\Repositories\ClientContactRepository;
use App\Repositories\ClientRepository;
use App\Utils\Number;
@ -53,6 +58,73 @@ class ClientApiTest extends TestCase
}
public function testCrossCompanyBulkActionsFail()
{
$account = Account::factory()->create([
'hosted_client_count' => 1000,
'hosted_company_count' => 1000,
]);
$account->num_users = 3;
$account->save();
$company = Company::factory()->create([
'account_id' => $account->id,
]);
$user = User::factory()->create([
'account_id' => $account->id,
'confirmation_code' => '123',
'email' => $this->faker->safeEmail(),
]);
$cu = CompanyUserFactory::create($user->id, $company->id, $account->id);
$cu->is_owner = true;
$cu->is_admin = true;
$cu->is_locked = true;
$cu->permissions = '["view_client"]';
$cu->save();
$different_company_token = \Illuminate\Support\Str::random(64);
$company_token = new CompanyToken;
$company_token->user_id = $user->id;
$company_token->company_id = $company->id;
$company_token->account_id = $account->id;
$company_token->name = 'test token';
$company_token->token = $different_company_token;
$company_token->is_system = true;
$company_token->save();
$data = [
'action' => 'archive',
'ids' => [
$this->client->id
]
];
$response = $this->withHeaders([
'X-API-TOKEN' => $this->token,
])->post('/api/v1/clients/bulk', $data)
->assertStatus(302);
//using existing permissions, they must pass the ->edit guard()
$this->client->fresh();
$this->assertNull($this->client->deleted_at);
$rules = [
'ids' => 'required|bail|array|exists:clients,id,company_id,'.$company->id,
'action' => 'in:archive,restore,delete'
];
$v = $this->app['validator']->make($data, $rules);
$this->assertFalse($v->passes());
}
public function testClientBulkActionValidation()
{
$data = [
@ -737,17 +809,24 @@ class ClientApiTest extends TestCase
public function testClientArchived()
{
$data = [
'ids' => [$this->encodePrimaryKey($this->client->id)],
'ids' => [$this->client->hashed_id],
];
$response = $this->withHeaders([
'X-API-SECRET' => config('ninja.api_secret'),
'X-API-TOKEN' => $this->token,
])->post('/api/v1/clients/bulk?action=archive', $data);
$response = false;
$arr = $response->json();
try{
$response = $this->withHeaders([
'X-API-TOKEN' => $this->token,
])->post('/api/v1/clients/bulk?action=archive', $data);
} catch (ValidationException $e) {
$message = json_decode($e->validator->getMessageBag(), 1);
nlog($message);
}
$this->assertNotNull($arr['data'][0]['archived_at']);
if($response){
$arr = $response->json();
$this->assertNotNull($arr['data'][0]['archived_at']);
}
}
public function testClientRestored()

2
tests/Integration/EventTest.php
View File

@ -639,7 +639,6 @@ class EventTest extends TestCase
])->postJson('/api/v1/clients/', $data)
->assertStatus(200);
$arr = $response->json();
$data = [
@ -653,7 +652,6 @@ class EventTest extends TestCase
])->putJson('/api/v1/clients/' . $arr['data']['id'], $data)
->assertStatus(200);
$data = [
'ids' => [$arr['data']['id']],
];

7
tests/MockAccountData.php
View File

@ -57,6 +57,7 @@ use App\Models\Vendor;
use App\Models\VendorContact;
use App\Utils\Traits\GeneratesCounter;
use App\Utils\Traits\MakesHash;
use App\Utils\TruthSource;
use Illuminate\Foundation\Testing\WithoutEvents;
use Illuminate\Support\Carbon;
use Illuminate\Support\Facades\Cache;
@ -276,6 +277,7 @@ trait MockAccountData
$this->user = $user;
// auth()->login($user);
// auth()->user()->setCompany($this->company);
CreateCompanyTaskStatuses::dispatchSync($this->company, $this->user);
@ -297,6 +299,11 @@ trait MockAccountData
$company_token->save();
$truth = app()->make(TruthSource::class);
$truth->setCompanyUser($company_token->first());
$truth->setUser($this->user);
$truth->setCompany($this->company);
//todo create one token with token name TOKEN - use firstOrCreate
Product::factory()->create([