Cutlery/invoiceninja
1
0
Fork 0
mirror of https://github.com/invoiceninja/invoiceninja.git synced 2025-07-09 03:14:30 -04:00
Code Issues Packages Projects Releases Wiki Activity

Restrict admin viewing of invoices to invoices in the same account

Browse Source
This commit is contained in:
Joshua Dwire 2016-03-07 20:25:43 -05:00
parent 82fadab632
commit 879e88dcc3
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/Http/Middleware/Authenticate.php
View File

@ -32,15 +32,16 @@ class Authenticate {
} }
if($guard=='client'){ if($guard=='client'){
$invitation_key = session('invitation_key');
$account_id = $this->getInvitationAccountId($invitation_key);
if(Auth::guard('user')->check()){ if(Auth::guard('user')->check() && Auth::user('user')->account_id === $account_id){
// This is an admin; let them pretend to be a client // This is an admin; let them pretend to be a client
$authenticated = true; $authenticated = true;
} }
// Does this account require portal passwords? // Does this account require portal passwords?
$invitation_key = session('invitation_key'); $account = Account::whereId($account_id)->first();
$account = Account::whereId($this->getInvitationAccountId($invitation_key))->first();
if(!$account->enable_portal_password || !$account->isPro()){ if(!$account->enable_portal_password || !$account->isPro()){
$authenticated = true; $authenticated = true;
} }