From e9c3cd8c82da41d18d452793305e81cefdd8ffa2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Denis=20Duli=C3=A7i?=
Date: Mon, 7 Sep 2020 11:25:34 +0300
Subject: [PATCH 1/2] fixed signed routes

---
 app/Http/Requests/Portal/InvoiceShow.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app/Http/Requests/Portal/InvoiceShow.php b/app/Http/Requests/Portal/InvoiceShow.php
index 063821d83..73c528181 100644
--- a/app/Http/Requests/Portal/InvoiceShow.php
+++ b/app/Http/Requests/Portal/InvoiceShow.php
@@ -13,6 +13,10 @@ class InvoiceShow extends FormRequest
 */
 public function authorize()
 {
+ if (auth()->guest()) {
+ return true;
+ }
+
 return $this->invoice->contact_id == user()->contact->id;
 }

From e038843601d28c12f1eb7c6686134a7e37519246 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Denis=20Duli=C3=A7i?=
Date: Mon, 7 Sep 2020 12:25:55 +0300
Subject: [PATCH 2/2] allow custom permission for settings

---
 app/Http/Controllers/Settings/Settings.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/Settings/Settings.php b/app/Http/Controllers/Settings/Settings.php
index 6f16c45e9..75b4e6c5e 100644
--- a/app/Http/Controllers/Settings/Settings.php
+++ b/app/Http/Controllers/Settings/Settings.php
@@ -54,7 +54,9 @@ class Settings extends Controller
 $settings = [];

 foreach ($modules->settings as $alias => $setting) {
- if (!user()->can('read-' . $alias . '-settings')) {
+ $permission = !empty($setting['permission']) ? $setting['permission'] : 'read-' . $alias . '-settings';
+
+ if (!user()->can($permission)) {
 continue;
 }
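Review bot: In `InvoiceShow::authorize()` (PATCH 1/2) the new guest branch returns `true` for every unauthenticated request, so the contact ownership check below it only applies to logged-in users. The request class therefore depends entirely on whatever signature check the route performs. The subject says this is for signed routes, but no route definitions or middleware are visible in this patch; if any route resolves this request without auth or signature middleware, a guest would be authorized for an invoice it does not own. Tying the branch to the signature keeps the decision inside the request, assuming the links are signed as absolute URLs: replace `return true;` with `return $this->hasValidSignature();`. A comment such as `// Guests only arrive here through a signed invoice link; ownership is checked for logged-in contacts.` would record why the less-privileged caller skips the ownership comparison.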
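Review bot: In `Settings.php` (PATCH 2/2) `$setting['permission']` comes from module-supplied settings and is passed to `user()->can()` with only an `!empty()` test, so a non-string value such as an array goes through unchecked. Its effect on the permission check then depends on how the permission library treats it. Limiting the override to strings keeps the fallback predictable: `$permission = (!empty($setting['permission']) && is_string($setting['permission'])) ? $setting['permission'] : 'read-' . $alias . '-settings';`. This check appears to gate only the list built in this loop; the module's own settings route is not visible here and should enforce the same permission, otherwise visibility and access can drift apart. The enclosing method starts and ends outside the hunk, and a short comment documenting the new `permission` key would help module authors.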