From cef35a98e189ffa53d9e7288e3ce9c4cb05bb472 Mon Sep 17 00:00:00 2001
From: Hillel Coren <hillelcoren@gmail.com>
Date: Mon, 18 Jul 2016 21:12:18 +0300
Subject: [PATCH] Prevent creating payment for a quote through the API

---
 app/Http/Requests/CreatePaymentAPIRequest.php | 10 ++++++----
 app/Http/Requests/CreatePaymentRequest.php    |  4 +++-
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/app/Http/Requests/CreatePaymentAPIRequest.php b/app/Http/Requests/CreatePaymentAPIRequest.php
index 2643800d0d03..d00fbb44573b 100644
--- a/app/Http/Requests/CreatePaymentAPIRequest.php
+++ b/app/Http/Requests/CreatePaymentAPIRequest.php
@@ -27,14 +27,16 @@ class CreatePaymentAPIRequest extends PaymentRequest
                 'amount' => 'required',
             ];
         }
-        
-        $invoice = Invoice::scope($this->invoice_id)->firstOrFail();
+
+        $invoice = Invoice::scope($this->invoice_id)
+            ->invoices()
+            ->firstOrFail();
 
         $this->merge([
-            'invoice_id' => $invoice->id, 
+            'invoice_id' => $invoice->id,
             'client_id' => $invoice->client->id,
         ]);
-            
+
         $rules = [
             'amount' => "required|less_than:{$invoice->balance}|positive",
         ];
diff --git a/app/Http/Requests/CreatePaymentRequest.php b/app/Http/Requests/CreatePaymentRequest.php
index ae1ed9f74eff..8fff4aec8ba2 100644
--- a/app/Http/Requests/CreatePaymentRequest.php
+++ b/app/Http/Requests/CreatePaymentRequest.php
@@ -22,7 +22,9 @@ class CreatePaymentRequest extends PaymentRequest
     public function rules()
     {
         $input = $this->input();
-        $invoice = Invoice::scope($input['invoice'])->firstOrFail();
+        $invoice = Invoice::scope($input['invoice'])
+            ->invoices()
+            ->firstOrFail();
 
         $rules = [
             'client' => 'required', // TODO: change to client_id once views are updated