diff --git a/app/Http/Controllers/BaseController.php b/app/Http/Controllers/BaseController.php
index e741f1466da2..5033780abbc6 100644
--- a/app/Http/Controllers/BaseController.php
+++ b/app/Http/Controllers/BaseController.php
@@ -270,7 +270,7 @@ class BaseController extends Controller
 $query->with($includes);
- if (!auth()->user()->hasPermission('view_'.lcfirst(class_basename($this->entity_type)))) {
+ if (auth()->user() && !auth()->user()->hasPermission('view_'.lcfirst(class_basename($this->entity_type)))) {
 $query->where('user_id', '=', auth()->user()->id);
 }
diff --git a/app/Http/Controllers/Shop/ClientController.php b/app/Http/Controllers/Shop/ClientController.php
index 2fec7c5d2fa0..7219e857e77f 100644
--- a/app/Http/Controllers/Shop/ClientController.php
+++ b/app/Http/Controllers/Shop/ClientController.php
@@ -50,10 +50,10 @@ class ClientController extends BaseController
 public function show(string $contact_key)
 {
- $company_token = CompanyToken::with(['company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first();
+ $company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();
 $contact = ClientContact::with('client')
- ->where('company_id', $company_token->company->id)
+ ->where('company_id', $company->id)
 ->where('contact_key', $contact_key)
 ->firstOrFail();
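Review bot: The added `auth()->user() &&` guard makes this branch fail open — when no user is authenticated the `user_id` restriction is skipped entirely, so an unauthenticated caller receives a wider result set than an authenticated user who lacks the `view_*` permission. If that is intended for the shop routes, which carry no authenticating middleware anywhere in this diff, state it at the guard, e.g. `// No authenticated user (shop routes): no per-user scoping is applied; the caller must already have scoped $query by company_id.`; if it is not intended, fail closed with `abort_if(auth()->user() === null, 403);` before the permission check. The enclosing method starts and ends outside the hunk.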
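Review bot: The new lookup reads `$request`, but `show(string $contact_key)` has no `$request` parameter, so the header lookup runs against an undefined variable; InvoiceController::show in this commit has the same signature and the same problem, while ProductController fixes it by adding the parameter — do the same here: `public function show(Request $request, string $contact_key)`. Separately, `Company::where(...)->first()` returns null for an unknown or absent key (on single-db installs the new middleware passes the request through without looking at the header at all) and the next query dereferences `$company->id`; `->firstOrFail()` turns that into a 404 instead of an error on null. The same unchecked dereference appears in ClientController::store, InvoiceController::show and store, and ProductController::index and show. The method body continues outside the hunk.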
@@ -62,15 +62,19 @@ class ClientController extends BaseController
 public function store(StoreClientRequest $request)
 {
- $company_token = CompanyToken::with(['company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first();
+ $company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();
- $client = $this->client_repo->save($request->all(), ClientFactory::create($company_token->company_id, $company_token->user_id));
+ app('queue')->createPayloadUsing(function () use ($company) {
+ return ['db' => $company->db];
+ });
+
+ $client = $this->client_repo->save($request->all(), ClientFactory::create($company->id, $company->owner()->id));
 $client->load('contacts', 'primary_contact');
- $this->uploadLogo($request->file('company_logo'), $client->company, $client);
+ $this->uploadLogo($request->file('company_logo'), $company, $client);
- event(new ClientWasCreated($client, $client->company, Ninja::eventVars()));
+ event(new ClientWasCreated($client, $company, Ninja::eventVars()));
 return $this->itemResponse($client);
 }
diff --git a/app/Http/Controllers/Shop/InvoiceController.php b/app/Http/Controllers/Shop/InvoiceController.php
index 97b5a3e25e51..198613dc516e 100644
--- a/app/Http/Controllers/Shop/InvoiceController.php
+++ b/app/Http/Controllers/Shop/InvoiceController.php
@@ -52,10 +52,10 @@ class InvoiceController extends BaseController
 public function show(string $invitation_key)
 {
- $company_token = CompanyToken::with(['company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first();
+ $company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();
 $invitation = InvoiceInvitation::with(['invoice'])
- ->where('company_id', $company_token->company->id)
+ ->where('company_id', $company->id)
 ->where('key',$invitation_key)
 ->firstOrFail();
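Review bot: Clients created through this action are attributed to `$company->owner()->id`, so anyone presenting a valid `X-API-COMPANY_KEY` writes records as the company owner with no further authentication visible in this diff; that contract deserves a docblock on the method, and the `owner()` call assumes the helper returns a user model rather than a relation — worth confirming against the `Company` model. The `app('queue')->createPayloadUsing(...)` registration is also repeated per request here and again in InvoiceController::store; the deleted ShopTokenAuth did it once in middleware, and the `company_key_db` middleware that already resolves the company in multi-db mode is the natural place to keep it. The whole method body is inside the hunk.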
@@ -65,13 +65,17 @@ class InvoiceController extends BaseController
 public function store(StoreInvoiceRequest $request)
 {
- $company_token = CompanyToken::with(['company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first();
+ app('queue')->createPayloadUsing(function () use ($company) {
+ return ['db' => $company->db];
+ });
+
+ $company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();
 $client = Client::find($request->input('client_id'));
- $invoice = $this->invoice_repo->save($request->all(), InvoiceFactory::create($company_token->company_id, $company_token->user_id));
+ $invoice = $this->invoice_repo->save($request->all(), InvoiceFactory::create($company_id, $company->owner()->id));
- event(new InvoiceWasCreated($invoice, $invoice->company, Ninja::eventVars()));
+ event(new InvoiceWasCreated($invoice, $company, Ninja::eventVars()));
 $invoice = $invoice->service()->triggeredActions($request)->save();
diff --git a/app/Http/Controllers/Shop/ProductController.php b/app/Http/Controllers/Shop/ProductController.php
index c68131d51451..5122ba1918c4 100644
--- a/app/Http/Controllers/Shop/ProductController.php
+++ b/app/Http/Controllers/Shop/ProductController.php
@@ -12,6 +12,7 @@ namespace App\Http\Controllers\Shop;
 use App\Http\Controllers\BaseController;
+use App\Models\Company;
 use App\Models\CompanyToken;
 use App\Models\Product;
 use App\Transformers\ProductTransformer;
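Review bot: The `createPayloadUsing` closure captures `$company` before the line that assigns it, so `use ($company)` binds an undefined value and the payload callback later reads `->db` on null; move `$company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();` above the `app('queue')` call. On the save line, `InvoiceFactory::create($company_id, ...)` references `$company_id`, which is never defined in this method — it should read `InvoiceFactory::create($company->id, $company->owner()->id)`. `Client::find($request->input('client_id'))` is also not scoped to the resolved company, so a `client_id` belonging to another tenant is accepted as-is; `Client::where('company_id', $company->id)->findOrFail($request->input('client_id'))` keeps the lookup inside the tenant. The method body continues outside the hunk.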
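Review bot: `use App\Models\CompanyToken;` is left in place although the next hunk in this file replaces the only visible uses of `CompanyToken` in `index` and `show`; if no other method still uses it, drop the import so the file does not advertise a dependency on the token model it no longer reads. The added `use App\Models\Company;` line is correctly placed in alphabetical order.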
@@ -31,20 +32,20 @@ class ProductController extends BaseController
 *
 * @return \Illuminate\Http\Response
 */
- public function index()
+ public function index(Request $request)
 {
- $company_token = CompanyToken::with(['company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first();
+ $company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();
- $products = Product::where('company_id', $company_token->company->id);
+ $products = Product::where('company_id', $company->id);
 return $this->listResponse($products);
 }
- public function show(string $product_key)
+ public function show(Request $request, string $product_key)
 {
- $company_token = CompanyToken::with(['company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first();
+ $company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();
- $product = Product::where('company_id', $company_token->company->id)
+ $product = Product::where('company_id', $company->id)
 ->where('product_key', $product_key)
 ->first();
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 9ec5e5972e5e..ca3680122a97 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -111,9 +111,10 @@ class Kernel extends HttpKernel
 'url_db' => \App\Http\Middleware\UrlSetDb::class,
 'web_db' => \App\Http\Middleware\SetWebDb::class,
 'api_db' => \App\Http\Middleware\SetDb::class,
+ 'company_key_db' => \App\Http\Middleware\SetDbByCompanyKey::class,
 'locale' => \App\Http\Middleware\Locale::class,
 'contact.register' => \App\Http\Middleware\ContactRegister::class,
- 'shop_token_auth' => \App\Http\Middleware\ShopTokenAuth::class,
+ 'shop_token_auth' => \App\Http\Middleware\Shop\ShopTokenAuth::class,
 ];
 }
diff --git a/app/Http/Middleware/SetDbByCompanyKey.php b/app/Http/Middleware/SetDbByCompanyKey.php
new file mode 100644
index 000000000000..74c995127244
--- /dev/null
+++ b/app/Http/Middleware/SetDbByCompanyKey.php
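Review bot: `index(Request $request)` and `show(Request $request, string $product_key)` now type-hint `Request`, but the import hunk for this file earlier in the diff shows no `use Illuminate\Http\Request;`; if it is not imported elsewhere in the file, the hint resolves to `App\Http\Controllers\Shop\Request` and both routes fail at dispatch with a class-not-found error. Please confirm the import exists, and add `use Illuminate\Http\Request;` if it does not. The body of `show` continues outside the hunk.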
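Review bot: The `shop_token_auth` alias is repointed to `\App\Http\Middleware\Shop\ShopTokenAuth::class`, but this same commit deletes `app/Http/Middleware/Shop/ShopTokenAuth.php`, so the alias names a class that no longer exists and any route that still lists `shop_token_auth` will fail with a class-not-found error at request time. Either remove the alias line or keep the class; a stale alias that reads like an authentication guard but cannot load is easy to add to a route group by mistake. The `$routeMiddleware` array closes inside the hunk.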
@@ -0,0 +1,48 @@
+ 'Invalid Token',
+ 'errors' => []
+ ];
+
+
+ if ($request->header('X-API-COMPANY_KEY') && config('ninja.db.multi_db_enabled')) {
+ if (! MultiDB::findAndSetDbByCompanyKey($request->header('X-API-COMPANY_KEY'))) {
+ return response()->json($error, 403);
+ }
+ } elseif (!config('ninja.db.multi_db_enabled')) {
+ return $next($request);
+ } else {
+ return response()->json($error, 403);
+ }
+
+ return $next($request);
+ }
+}
diff --git a/app/Http/Middleware/Shop/ShopTokenAuth.php b/app/Http/Middleware/Shop/ShopTokenAuth.php
deleted file mode 100644
index 2af0eb0df4de..000000000000
--- a/app/Http/Middleware/Shop/ShopTokenAuth.php
+++ /dev/null
@@ -1,78 +0,0 @@
-header('X-API-TOKEN') && ($company_token = CompanyToken::with(['user','company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first())) {
-
- /* Check if this is a restricted token*/
- if(!$company_token->shop_restricted){
-
- $error = [
- 'message' => 'Cannot use a unrestricted token on this route',
- 'errors' => []
- ];
-
-
- return response()->json($error, 403);
-
- }
-
- $user = $company_token->user;
-
- $error = [
- 'message' => 'User inactive',
- 'errors' => []
- ];
-
- //user who once existed, but has been soft deleted
- if (!$user) {
- return response()->json($error, 403);
- }
-
- /*
- |
- | Necessary evil here: As we are authenticating on CompanyToken,
- | we need to link the company to the user manually. This allows
- | us to decouple a $user and their attached companies completely.
- |
- */
- $user->setCompany($company_token->company);
-
- config(['ninja.company_id' => $company_token->company->id]);
-
- app('queue')->createPayloadUsing(function () use ($company_token) {
- return ['db' => $company_token->company->db];
- });
-
- }
-
- return $next($request);
- }
-}
diff --git a/app/Http/Middleware/TokenAuth.php b/app/Http/Middleware/TokenAuth.php
index 9b4ebda3e4fd..088e51cd43f2 100644
--- a/app/Http/Middleware/TokenAuth.php
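Review bot: Nothing in this middleware — or anywhere else in the diff — consults the `enable_shop_api` column that the migration in this commit adds, so the per-company opt-in is stored but never enforced, and when `multi_db_enabled` is off the `elseif` branch returns `$next($request)` without looking at `X-API-COMPANY_KEY` at all, leaving the shop controllers to dereference a null `$company`. Since this is the only middleware on the shop route group, I would resolve the company here in both modes and return 403 unless it exists and has `enable_shop_api` set, as sketched below. The `$error` message `'Invalid Token'` also describes a token while the value being checked is a company key; `'Invalid company key'` avoids misleading whoever reads the logs. The class and method header are not legible in this hunk.
```php
// … unchanged: $error array …

if ($request->header('X-API-COMPANY_KEY') && config('ninja.db.multi_db_enabled')) {
    if (! MultiDB::findAndSetDbByCompanyKey($request->header('X-API-COMPANY_KEY'))) {
        return response()->json($error, 403);
    }
} elseif (config('ninja.db.multi_db_enabled')) {
    return response()->json($error, 403);
}

// The key only selects the database; the company must also have opted in to the shop API.
$company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();

if (! $company || ! $company->enable_shop_api) {
    return response()->json($error, 403);
}

return $next($request);
```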
+++ b/app/Http/Middleware/TokenAuth.php
@@ -30,19 +30,6 @@ class TokenAuth
 {
 if ($request->header('X-API-TOKEN') && ($company_token = CompanyToken::with(['user','company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first())) {
- if($company_token->shop_restricted){
-
- $error = [
- 'message' => 'Cannot use a restricted token on this route',
- 'errors' => []
- ];
-
-
- return response()->json($error, 403);
-
- }
-
- $user = $company_token->user;
 $error = [
diff --git a/app/Libraries/MultiDB.php b/app/Libraries/MultiDB.php
index 457eee507023..d15196a40bce 100644
--- a/app/Libraries/MultiDB.php
+++ b/app/Libraries/MultiDB.php
@@ -180,6 +180,17 @@ class MultiDB
 return false;
 }
+ public static function findAndSetDbByCompanyKey($company_key) :bool
+ {
+ foreach (self::$dbs as $db) {
+ if ($company = Company::on($db)->where('company_key', $company_key)->first()) {
+ self::setDb($company->db);
+ return true;
+ }
+ }
+ return false;
+ }
+
 public static function findAndSetDbByDomain($subdomain) :bool
 {
 foreach (self::$dbs as $db) {
diff --git a/database/migrations/2020_07_28_104218_shop_token.php b/database/migrations/2020_07_28_104218_shop_token.php
index 49dadf527b80..7996ffa0a8b9 100644
--- a/database/migrations/2020_07_28_104218_shop_token.php
+++ b/database/migrations/2020_07_28_104218_shop_token.php
@@ -13,8 +13,8 @@ class ShopToken extends Migration
 */
 public function up()
 {
- Schema::table('company_user', function (Blueprint $table) {
- $table->boolean('shop_restricted')->default(false);
+ Schema::table('companies', function (Blueprint $table) {
+ $table->boolean('enable_shop_api')->default(false);
 });
 }
diff --git a/routes/shop.php b/routes/shop.php
index 783a503a46de..aee2d2f75669 100644
--- a/routes/shop.php
+++ b/routes/shop.php
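Review bot: Along with the `shop_restricted` block, the hunk removes `$user = $company_token->user;`, and the surviving context line `$error = [` is the start of the 'User inactive' check that, in the deleted ShopTokenAuth, tested `if (!$user)` right after it. Unless `$user` is assigned again later in the method (not visible here), the rest of TokenAuth now reads an undefined variable and every token-authenticated request would be rejected as an inactive user; keep `$user = $company_token->user;` in place and delete only the restricted-token block. The enclosing `handle` method continues outside the hunk.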
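Review bot: `findAndSetDbByCompanyKey($company_key)` takes an untyped parameter and has no guard for an empty value, yet it is fed straight from an unauthenticated request header; a null key turns `where('company_key', $company_key)` into an `IS NULL` comparison on every configured database, which could match a company row whose key was never populated. Declare it as `public static function findAndSetDbByCompanyKey(?string $company_key): bool` and begin with `if (empty($company_key)) { return false; }`, keeping the same bool contract as the sibling `findAndSetDbByDomain`. A one-line comment noting that each miss costs one query per configured database for an unauthenticated caller would also help whoever later wires this into a busier path.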
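Review bot: Editing `2020_07_28_104218_shop_token.php` in place swaps the table and column from `company_user.shop_restricted` to `companies.enable_shop_api`, but any environment that already ran the earlier version of this migration will never re-run it, so those databases keep `shop_restricted` and never receive `enable_shop_api` while the application code moves to the new column. Ship the change as a new migration that adds `enable_shop_api` to `companies` (and removes the old column where present) instead of rewriting a published one; `down()` sits outside the hunk and needs the matching update either way. If the migration has not shipped anywhere yet the in-place edit is harmless, but that is not visible from the diff.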
@@ -2,13 +2,13 @@
 use Illuminate\Support\Facades\Route;
-Route::group(['middleware' => ['api_db','shop_token_auth','locale']], function () {
+Route::group(['middleware' => ['company_key_db','locale'], 'prefix' => 'api/v1'], function () {
- Route::get('products', 'Shop\ProductController@index');
- Route::get('clients', 'Shop\ClientController@index');
- Route::get('invoices', 'Shop\InvoiceController@index');
- Route::get('client/{contact_key}', 'Shop\ClientController@show');
- Route::get('invoice/{invitation_key}', 'Shop\InvoiceController@show');
- Route::get('product/{product_key}', 'Shop\ProductController@show');
+ Route::get('shop/products', 'Shop\ProductController@index');
+ Route::get('shop/clients', 'Shop\ClientController@index');
+ Route::get('shop/invoices', 'Shop\InvoiceController@index');
+ Route::get('shop/client/{contact_key}', 'Shop\ClientController@show');
+ Route::get('shop/invoice/{invitation_key}', 'Shop\InvoiceController@show');
+ Route::get('shop/product/{product_key}', 'Shop\ProductController@show');
 });
\ No newline at end of file
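Review bot: The group drops `shop_token_auth`, so the only middleware in front of these six endpoints is `company_key_db`, which selects a database but authenticates nobody; `shop/clients` and `shop/invoices` therefore list a company's client and invoice records to any caller presenting its `X-API-COMPANY_KEY`, and the BaseController change in this commit skips per-user scoping precisely because `auth()->user()` is null on these routes. If that exposure is intended, document it at the top of the group, e.g. `// Unauthenticated storefront API: access is keyed by company_key only, no user context`; if not, keep an authenticating middleware in the list, e.g. `'middleware' => ['company_key_db', 'shop_token_auth', 'locale']`, once the aliased class exists again. `api_db` was also removed from the group, which is fine only if `company_key_db` covers every multi-db case these routes need.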