From 879e88dcc31f4d521d712581ef3ca2818c8cdc5e Mon Sep 17 00:00:00 2001
From: Joshua Dwire
Date: Mon, 7 Mar 2016 20:25:43 -0500
Subject: [PATCH] Restrict admin viewing of invoices to invoices in the same account

---
 app/Http/Middleware/Authenticate.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/Http/Middleware/Authenticate.php b/app/Http/Middleware/Authenticate.php
index 08097d6a9b80..9d5d8549442f 100644
--- a/app/Http/Middleware/Authenticate.php
+++ b/app/Http/Middleware/Authenticate.php
@@ -32,15 +32,16 @@ class Authenticate {
         }
 
         if($guard=='client'){
+            $invitation_key = session('invitation_key');
+            $account_id = $this->getInvitationAccountId($invitation_key);
 
-            if(Auth::guard('user')->check()){
+            if(Auth::guard('user')->check() && Auth::user('user')->account_id === $account_id){
                 // This is an admin; let them pretend to be a client
                 $authenticated = true;
             }
 
             // Does this account require portal passwords?
-            $invitation_key = session('invitation_key');
-            $account = Account::whereId($this->getInvitationAccountId($invitation_key))->first();
+            $account = Account::whereId($account_id)->first();
             if(!$account->enable_portal_password || !$account->isPro()){
                 $authenticated = true;
             }
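Review bot: The new admin check reads `Auth::user('user')->account_id`, but `Auth::user()` takes no guard argument — the facade forwards to the default guard and the argument is ignored — so the comparison only checks the intended guard when the application's default guard happens to be `user`, and with another default it reads a different (or null) user and can throw instead of failing closed. The guard is already resolved on the same line, so the fix is `if(Auth::guard('user')->check() && Auth::guard('user')->user()->account_id === $account_id){`. The strict `===` also depends on `getInvitationAccountId()` and the `account_id` attribute returning the same scalar type; if one comes back as a string from the database and the other is cast to int, admins of the correct account would be silently refused — worth a comment or an explicit cast on both sides once the return type is confirmed. Note that when the invitation key resolves to no account, `$account` is null at `$account->enable_portal_password`; that was already the case before this change. The enclosing `handle` method starts and ends outside the hunk.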