don't show api company if not assigned

2017-10-12 16:28:48 +03:00 · 2017-10-12 16:28:48 +03:00 · 7278e9a061
commit 7278e9a061
parent 819a8e47cc
1 changed files with 11 additions and 4 deletions
--- a/app/Http/Controllers/Api/Companies/Companies.php
+++ b/app/Http/Controllers/Api/Companies/Companies.php
@ -36,6 +36,12 @@ class Companies extends ApiController
     */
    public function show(Company $company)
    {
        // Check if user can access company
        $companies = app('Dingo\Api\Auth\Auth')->user()->companies()->pluck('id')->toArray();
        if (!in_array($company->id, $companies)) {
            $this->response->errorUnauthorized();
        }
        $company->setSettings();
        return $this->response->item($company, new Transformer());
@ -82,7 +88,7 @@ class Companies extends ApiController
        // Check if user can access company
        $companies = app('Dingo\Api\Auth\Auth')->user()->companies()->pluck('id')->toArray();
        if (!in_array($company->id, $companies)) {
-            return $this->response->noContent();
+            $this->response->errorUnauthorized();
        }
        // Update company
@ -116,11 +122,12 @@ class Companies extends ApiController
    {
        // Check if user can access company
        $companies = app('Dingo\Api\Auth\Auth')->user()->companies()->pluck('id')->toArray();
-
+        if (!in_array($company->id, $companies)) {
-        if (in_array($company->id, $companies)) {
+            $this->response->errorUnauthorized();
            $company->delete();
        }
        $company->delete();
        return $this->response->noContent();
    }
 }