Cutlery/invoiceninja
1
0
Fork 0
mirror of https://github.com/invoiceninja/invoiceninja.git synced 2025-06-01 10:04:34 -04:00
Code Issues Packages Projects Releases Wiki Activity

Prevent deleted invitations from accessing entity

Browse Source
This commit is contained in:
David Bomba 2023-03-09 14:40:16 +11:00
parent 043cc121b2
commit a18e55e1d1
3 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/Http/Controllers/ClientPortal/InvitationController.php
View File

@ -85,7 +85,8 @@ class InvitationController extends Controller
->with('contact.client') ->with('contact.client')
->firstOrFail(); ->firstOrFail();
if ($invitation->{$entity}->is_deleted) { //09-03-2023 do not show entity if the invitation has been trashed.
if ($invitation->trashed() || $invitation->{$entity}->is_deleted) {
return $this->render('generic.not_available', ['account' => $invitation->company->account, 'company' => $invitation->company]); return $this->render('generic.not_available', ['account' => $invitation->company->account, 'company' => $invitation->company]);
} }

2
phpstan.neon
View File

@ -2,4 +2,4 @@ parameters:
level: 2 level: 2
paths: paths:
- app - app
- tests # - tests

2
routes/api.php
View File

@ -364,7 +364,7 @@ Route::match(['get', 'post'], 'payment_notification_webhook/{company_key}/{compa
->name('payment_notification_webhook'); ->name('payment_notification_webhook');
Route::post('api/v1/postmark_webhook', [PostMarkController::class, 'webhook'])->middleware('throttle:1000,1'); Route::post('api/v1/postmark_webhook', [PostMarkController::class, 'webhook'])->middleware('throttle:1000,1');
Route::get('token_hash_router', [OneTimeTokenController::class, 'router'])->middleware('throttle:100,1'); Route::get('token_hash_router', [OneTimeTokenController::class, 'router'])->middleware('throttle:500,1');
Route::get('webcron', [WebCronController::class, 'index'])->middleware('throttle:100,1'); Route::get('webcron', [WebCronController::class, 'index'])->middleware('throttle:100,1');
Route::post('api/v1/get_migration_account', [HostedMigrationController::class, 'getAccount'])->middleware('guest')->middleware('throttle:100,1'); Route::post('api/v1/get_migration_account', [HostedMigrationController::class, 'getAccount'])->middleware('guest')->middleware('throttle:100,1');
Route::post('api/v1/confirm_forwarding', [HostedMigrationController::class, 'confirmForwarding'])->middleware('guest')->middleware('throttle:100,1'); Route::post('api/v1/confirm_forwarding', [HostedMigrationController::class, 'confirmForwarding'])->middleware('guest')->middleware('throttle:100,1');