shihaam/akaunting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

don't show api company if not assigned

Browse Source
This commit is contained in:
denisdulici 2017-10-12 16:28:48 +03:00
parent 819a8e47cc
commit 7278e9a061
1 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
app/Http/Controllers/Api/Companies/Companies.php
View File

@ -36,6 +36,12 @@ class Companies extends ApiController
*/
public function show(Company $company)
{
// Check if user can access company
$companies = app('Dingo\Api\Auth\Auth')->user()->companies()->pluck('id')->toArray();
if (!in_array($company->id, $companies)) {
$this->response->errorUnauthorized();
}
$company->setSettings();
return $this->response->item($company, new Transformer());
@ -82,7 +88,7 @@ class Companies extends ApiController
// Check if user can access company
$companies = app('Dingo\Api\Auth\Auth')->user()->companies()->pluck('id')->toArray();
if (!in_array($company->id, $companies)) {
return $this->response->noContent();
$this->response->errorUnauthorized();
}
// Update company
@ -116,11 +122,12 @@ class Companies extends ApiController
{
// Check if user can access company
$companies = app('Dingo\Api\Auth\Auth')->user()->companies()->pluck('id')->toArray();
if (in_array($company->id, $companies)) {
$company->delete();
if (!in_array($company->id, $companies)) {
$this->response->errorUnauthorized();
}
$company->delete();
return $this->response->noContent();
}
}