From 6ec6ae8756eb03e46ac1a844f288f1cd00f0d05a Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Thu, 17 Feb 2022 23:07:16 +1100
Subject: [PATCH] Minor fixes for quote permissions
---
 app/Http/Requests/ClientPortal/Credits/ShowCreditRequest.php | 3 ++-
 .../Requests/ClientPortal/Documents/ShowDocumentRequest.php | 3 ++-
 app/Http/Requests/ClientPortal/Invoices/ShowInvoiceRequest.php | 2 +-
 app/Http/Requests/ClientPortal/Quotes/ShowQuoteRequest.php | 2 +-
 4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/app/Http/Requests/ClientPortal/Credits/ShowCreditRequest.php b/app/Http/Requests/ClientPortal/Credits/ShowCreditRequest.php
index 432e22feda32..c01afe8cf7ab 100644
--- a/app/Http/Requests/ClientPortal/Credits/ShowCreditRequest.php
+++ b/app/Http/Requests/ClientPortal/Credits/ShowCreditRequest.php
@@ -15,7 +15,8 @@ class ShowCreditRequest extends FormRequest
 public function authorize()
 {
 return !$this->credit->is_deleted
- && auth()->guard('contact')->user()->company->enabled_modules & PortalComposer::MODULE_CREDITS;
+ && auth()->guard('contact')->user()->company->enabled_modules & PortalComposer::MODULE_CREDITS
+ && auth()->guard('contact')->user()->client_id === $this->credit->client_id;
 }
 
 /**
diff --git a/app/Http/Requests/ClientPortal/Documents/ShowDocumentRequest.php b/app/Http/Requests/ClientPortal/Documents/ShowDocumentRequest.php
index 97ce78a408b0..3094b78b99a6 100644
--- a/app/Http/Requests/ClientPortal/Documents/ShowDocumentRequest.php
+++ b/app/Http/Requests/ClientPortal/Documents/ShowDocumentRequest.php
@@ -27,9 +27,10 @@ class ShowDocumentRequest extends FormRequest
 */
 public function authorize()
 {
+
 return auth()->guard('contact')->user()->client_id == $this->document->documentable_id
- || $this->document->documentable->client_id == auth()->guard('contact')->user()->client_id
 || $this->document->company_id == auth()->guard('contact')->user()->company_id;
+
 }
 
 /**
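Review bot: The new ownership clause in `ShowCreditRequest::authorize()` dereferences `auth()->guard('contact')->user()` a third time without checking that a contact is signed in; the route middleware is not visible here, so if the guard can ever be empty the method raises an error instead of denying. Resolving the contact once with `$contact = auth()->guard('contact')->user();`, returning `false` when it is null, and putting `$contact->client_id === $this->credit->client_id` first would make the object-level check the first thing a reader sees. The same repeated lookup appears in the ShowInvoiceRequest and ShowQuoteRequest hunks. A one-line docblock such as `/** Only contacts of the client that owns the credit may view it. */` would record why the comparison exists.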
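Review bot: After this change `ShowDocumentRequest::authorize()` still ends in `|| $this->document->company_id == auth()->guard('contact')->user()->company_id`, so a company match alone is sufficient and any contact of the same company passes, whichever client the document belongs to. If documents are meant to be client-scoped like the credits, invoices and quotes in this commit, the company match should be a required condition joined with `&&` to a client-scoped test, not an alternative to it; which attached record types a contact should reach is a product decision not visible here. The remaining client test compares `client_id` with `documentable_id` without looking at what kind of record the document is attached to; assuming `documentable` is a polymorphic relation, the test should also confirm that the attached record is a client. Both comparisons use `==` while the other three files in the commit use `===`.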
diff --git a/app/Http/Requests/ClientPortal/Invoices/ShowInvoiceRequest.php b/app/Http/Requests/ClientPortal/Invoices/ShowInvoiceRequest.php
index 1795dab2f67e..71a9aa568cfb 100644
--- a/app/Http/Requests/ClientPortal/Invoices/ShowInvoiceRequest.php
+++ b/app/Http/Requests/ClientPortal/Invoices/ShowInvoiceRequest.php
@@ -23,7 +23,7 @@ class ShowInvoiceRequest extends Request
 */
 public function authorize() : bool
 {
- return auth()->guard('contact')->user()->client_id == $this->invoice->client_id
+ return auth()->guard('contact')->user()->client_id === $this->invoice->client_id
 && auth()->guard('contact')->user()->company->enabled_modules & PortalComposer::MODULE_INVOICES;
 }
 }
diff --git a/app/Http/Requests/ClientPortal/Quotes/ShowQuoteRequest.php b/app/Http/Requests/ClientPortal/Quotes/ShowQuoteRequest.php
index 4c6b819cd5e6..124bb97a4b0d 100644
--- a/app/Http/Requests/ClientPortal/Quotes/ShowQuoteRequest.php
+++ b/app/Http/Requests/ClientPortal/Quotes/ShowQuoteRequest.php
@@ -19,7 +19,7 @@ class ShowQuoteRequest extends FormRequest
 {
 public function authorize()
 {
- return auth()->user()->client->id === $this->quote->client_id
+ return auth()->guard('contact')->user()->client->id === $this->quote->client_id
 && auth()->guard('contact')->user()->company->enabled_modules & PortalComposer::MODULE_QUOTES;
 }
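Review bot: The corrected line in `ShowQuoteRequest::authorize()` reads the id through the relation, `->user()->client->id`, while the other three requests in this commit compare the `client_id` column directly. That form loads the client model only to read its key and makes the authorization result depend on the related row being loadable. `return auth()->guard('contact')->user()->client_id === $this->quote->client_id` would match ShowInvoiceRequest. This `authorize()` also lacks the `: bool` return type that ShowInvoiceRequest declares.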