Cross account checks

This commit is contained in:
David Bomba 2024-10-19 13:43:22 +11:00
parent 4e86981074
commit e3729525db
3 changed files with 53 additions and 12 deletions


@ -72,6 +72,11 @@ class UserRepository extends BaseRepository
$user->confirmation_code = $this->createDbHash($company->db); $user->confirmation_code = $this->createDbHash($company->db);
} }
//@18-10-2024 - ensure no cross account linkage.
if(is_numeric($user->account_id) && $user->account_id != $account->id){
throw new \Illuminate\Auth\Access\AuthorizationException("Illegal operation encountered for {$user->hashed_id}",401);
}
$user->account_id = $account->id;//@todo we should never change the account_id if it is set at this point. $user->account_id = $account->id;//@todo we should never change the account_id if it is set at this point.
if (strlen($user->password) >= 1) { if (strlen($user->password) >= 1) {
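Review bot: The new guard compares `$user->account_id != $account->id` loosely and only runs when `is_numeric()` holds, so a non-numeric account_id, should one ever be stored, skips the check and is then silently overwritten on the next line; `if ($user->account_id !== null && (int) $user->account_id !== (int) $account->id) {` keeps the null-for-new-user case while making the comparison strict. The exception is raised with code 401, which on the HTTP side means unauthenticated, whereas a cross-account write is an authorization failure for which 403 is the conventional code. The `//@todo we should never change the account_id…` comment on the assignment line is now satisfied by the guard and could be dropped. The only test for this path, testCrossAccountFunctionality in UserTest, is added commented out in this same commit, so the guard ships unverified; enabling it with `$this->expectException(\Illuminate\Auth\Access\AuthorizationException::class);` before the `save()` call would pin the behaviour. The enclosing method starts and ends outside the hunk.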


@ -150,7 +150,7 @@ class ZugferdEDocument extends AbstractService
} else { } else {
// The document exists as an expense // The document exists as an expense
// Handle accordingly // Handle accordingly
nlog("Zugferd: Document already exists"); nlog("Zugferd: Document already exists {$expense->hashed_id}");
$expense->private_notes = $expense->private_notes . ctrans("texts.edocument_import_already_exists", ["date" => time()]); $expense->private_notes = $expense->private_notes . ctrans("texts.edocument_import_already_exists", ["date" => time()]);
} }


@ -19,6 +19,7 @@ use App\Models\Company;
use App\Models\CompanyToken; use App\Models\CompanyToken;
use App\Models\CompanyUser; use App\Models\CompanyUser;
use App\Models\User; use App\Models\User;
use App\Repositories\UserRepository;
use Illuminate\Database\Eloquent\Model; use Illuminate\Database\Eloquent\Model;
use Illuminate\Foundation\Testing\DatabaseTransactions; use Illuminate\Foundation\Testing\DatabaseTransactions;
use Illuminate\Routing\Middleware\ThrottleRequests; use Illuminate\Routing\Middleware\ThrottleRequests;
@ -44,20 +45,17 @@ class UserTest extends TestCase
{ {
parent::setUp(); parent::setUp();
// Session::start();
$this->faker = \Faker\Factory::create(); $this->faker = \Faker\Factory::create();
$this->makeTestData();
// Model::reguard();
// $this->withoutExceptionHandling();
$this->withoutMiddleware( $this->withoutMiddleware(
ThrottleRequests::class, ThrottleRequests::class,
PasswordProtection::class PasswordProtection::class
); );
$this->makeTestData();
// $this->withoutExceptionHandling();
} }
private function mockAccount() private function mockAccount()
@ -72,7 +70,7 @@ class UserTest extends TestCase
$account->save(); $account->save();
$user = User::factory()->create([ $user = User::factory()->create([
'account_id' => $this->account->id, 'account_id' => $account->id,
'confirmation_code' => 'xyz123', 'confirmation_code' => 'xyz123',
'email' => $this->faker->unique()->safeEmail(), 'email' => $this->faker->unique()->safeEmail(),
'password' => \Illuminate\Support\Facades\Hash::make('ALongAndBriliantPassword'), 'password' => \Illuminate\Support\Facades\Hash::make('ALongAndBriliantPassword'),
@ -87,7 +85,6 @@ class UserTest extends TestCase
'settings' => $settings, 'settings' => $settings,
]); ]);
$cu = CompanyUserFactory::create($user->id, $company->id, $account->id); $cu = CompanyUserFactory::create($user->id, $company->id, $account->id);
$cu->is_owner = true; $cu->is_owner = true;
$cu->is_admin = true; $cu->is_admin = true;
@ -109,9 +106,48 @@ class UserTest extends TestCase
} }
// public function testCrossAccountFunctionality()
// {
// $ct = $this->mockAccount();
// $u= $ct->user;
// auth()->login($u, true);
// $account = Account::factory()->create([
// 'hosted_client_count' => 1000,
// 'hosted_company_count' => 1000,
// ]);
// $account->num_users = 3;
// $account->save();
// $user = User::factory()->create([
// 'account_id' => $this->account->id,
// 'confirmation_code' => 'xyz123',
// 'email' => $this->faker->unique()->safeEmail(),
// 'password' => \Illuminate\Support\Facades\Hash::make('ALongAndBriliantPassword'),
// ]);
// $user_repo = new UserRepository();
// // try{
// $x = $user_repo->save(['first_name' => 'bobby'], $user);
// // }
// // catch(\Exception $e){
// // $this->assertEquals(401, $e->getCode());
// // }
// nlog($x);
// }
public function testValidEmailUpdate() public function testValidEmailUpdate()
{ {
$company_token = $this->mockAccount(); $company_token = $this->mockAccount();
$user = $company_token->user; $user = $company_token->user;
$user->load('company_user'); $user->load('company_user');