diff --git a/app/Http/Controllers/BaseController.php b/app/Http/Controllers/BaseController.php
index 73903e1a83..bbd2c7b8d0 100644
--- a/app/Http/Controllers/BaseController.php
+++ b/app/Http/Controllers/BaseController.php
@@ -219,6 +219,12 @@ class BaseController extends Controller
 return response()->make($error, $httpErrorCode, $headers);
 }
+ /**
+ * Refresh API response with latest cahnges
+ * @param Builer $query
+ * @property App\Models\User auth()->user()
+ * @return Builer
+ */
 protected function refreshResponse($query)
 {
 $user = auth()->user();
@@ -443,9 +449,14 @@ class BaseController extends Controller
 'company.bank_integrations'=> function ($query) use ($updated_at, $user) {
 $query->whereNotNull('updated_at');
- if (! $user->isAdmin()) {
+ if (! $user->hasPermission('view_bank_transaction')) {
 $query->where('bank_integrations.user_id', $user->id);
 }
+
+ if(!$user->isAdmin() && !$user->isOwner() && $user->can('create', BankTransaction::class)) {
+ $query->exclude(["balance"]);
+ }
+
 },
 'company.bank_transactions'=> function ($query) use ($updated_at, $user) {
 $query->where('updated_at', '>=', $updated_at);
@@ -538,9 +549,14 @@ class BaseController extends Controller
 },
 'company.bank_integrations'=> function ($query) use ($created_at, $user) {
- if (! $user->isAdmin()) {
+ if (! $user->hasPermission('view_bank_transaction')) {
 $query->where('bank_integrations.user_id', $user->id);
 }
+
+ if(!$user->isAdmin() && !$user->isOwner() && $user->can('create', BankTransaction::class)) {
+ $query->exclude(["balance"]);
+ }
+
 },
 'company.bank_transaction_rules'=> function ($query) use ($user) {
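Review bot: The added docblock on refreshResponse carries typos and a tag that does not apply to a method: `cahnges` should be `changes`, `Builer` should be `Builder` (presumably `\Illuminate\Database\Eloquent\Builder`, judging by the `where`/`whereNotNull` calls in the closures below), and `@property` is a class-level tag, so the `auth()->user()` dependency is better stated in prose, e.g. `Scopes the eager-loaded relations to the authenticated user (auth()->user()) and its permissions.` The `$query` parameter itself stays untyped; a native `Builder $query` hint would make the `@param` line redundant. refreshResponse's body continues outside the hunk.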
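Review bot: The `balance` exclusion and the `user_id` restriction in the bank_integrations closure are keyed on two unrelated checks, `$user->can('create', BankTransaction::class)` and `$user->hasPermission('view_bank_transaction')`, so a user holding view but not create still receives every integration's balance, while a user holding create but not view gets only their own rows with the balance hidden; if the balance is meant to be hidden from every non-admin, non-owner reader the `can('create', …)` clause should go, and otherwise a comment stating the intended permission matrix belongs above the second `if`. The identical block is pasted into the hunks at -538 and -789; a private helper on the controller (e.g. `applyBankIntegrationVisibility($query, $user)`) would keep the three in step. Style: the new `if(` lacks the space used on the `if (` two lines above it, `["balance"]` should be `['balance']`, and the trailing blank `+` line before `},` is noise.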
@@ -789,9 +805,14 @@ class BaseController extends Controller
 'company.bank_integrations'=> function ($query) use ($created_at, $user) {
 $query->where('created_at', '>=', $created_at);
- if (! $user->isAdmin()) {
+ if (! $user->hasPermission('view_bank_transaction')) {
 $query->where('bank_integrations.user_id', $user->id);
 }
+
+ if(!$user->isAdmin() && !$user->isOwner() && $user->can('create', BankTransaction::class)) {
+ $query->exclude(["balance"]);
+ }
+
 },
 'company.bank_transactions'=> function ($query) use ($created_at, $user) {
 $query->where('created_at', '>=', $created_at);
@@ -867,7 +888,10 @@ class BaseController extends Controller
 $query->where('id', auth()->user()->id);
 } elseif(in_array($this->entity_type, [BankTransactionRule::class,CompanyGateway::class, TaxRate::class, BankIntegration::class, Scheduler::class, BankTransaction::class, Webhook::class, ExpenseCategory::class])){ //table without assigned_user_id
- $query->where('user_id', '=', auth()->user()->id);
+ if($this->entity_type == BankIntegration::class && !auth()->user()->isAdmin() && !auth()->user()->isOwner() && auth()->user()->can('create', BankTransaction::class))
+ $query->exclude(["balance"]);
+ else
+ $query->where('user_id', '=', auth()->user()->id);
 } elseif(in_array($this->entity_type,[Design::class, GroupSetting::class, PaymentTerm::class])){
 // nlog($this->entity_type);
diff --git a/app/Http/Requests/Token/UpdateTokenRequest.php b/app/Http/Requests/Token/UpdateTokenRequest.php
index 087bd1fb60..a10a5a592a 100644
--- a/app/Http/Requests/Token/UpdateTokenRequest.php
+++ b/app/Http/Requests/Token/UpdateTokenRequest.php
@@ -27,4 +27,12 @@ class UpdateTokenRequest extends Request
 {
 return auth()->user()->isAdmin();
 }
+
+ public function rules()
+ {
+ return [
+ 'name' => 'required',
+ ];
+ }
+
 }
diff --git a/app/Models/BankIntegration.php b/app/Models/BankIntegration.php
index 042d134ce1..23d13fe1d8 100644
--- a/app/Models/BankIntegration.php
+++ b/app/Models/BankIntegration.php
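Review bot: In the new `if`/`else` of the -867 hunk the `exclude(["balance"])` branch replaces the `user_id` restriction instead of adding to it, so a non-admin, non-owner who can create bank transactions now lists every user's bank integrations (minus the balance column), whereas the closures in refreshResponse keep `where('bank_integrations.user_id', …)` unless the user holds `view_bank_transaction`. The two checks should be applied independently, mirroring those closures, and the braceless `if`/`else` should get braces; `auth()->user()` is also resolved four times in one condition, so hoisting it into a local reads better (assuming no `$user` is already defined in this method, whose body starts before the hunk), and `$this->entity_type == BankIntegration::class` should use `===`. The other entity types in the same `elseif` keep the plain `user_id` filter.
```php
// … unchanged: } elseif(in_array($this->entity_type, [BankTransactionRule::class, …, ExpenseCategory::class])){ //table without assigned_user_id
$user = auth()->user();
if ($this->entity_type === BankIntegration::class) {
    if (! $user->isAdmin() && ! $user->isOwner() && $user->can('create', BankTransaction::class)) {
        $query->exclude(['balance']);
    }
    if (! $user->hasPermission('view_bank_transaction')) {
        $query->where('user_id', '=', $user->id);
    }
} else {
    $query->where('user_id', '=', $user->id);
}
```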
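Review bot: The new `rules()` on UpdateTokenRequest has no return type, and `'name' => 'required'` accepts any scalar or array value; `public function rules(): array` with `'name' => 'required|string'` (plus a `max:` bound matching the column, if one applies) is the conventional form. Worth confirming whether the parent `Request::rules()`, outside this diff, declares a return type the override must match.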
@@ -12,13 +12,15 @@
 namespace App\Models;
 use App\Models\Filterable;
+use App\Models\Traits\Excludable;
 use Illuminate\Database\Eloquent\SoftDeletes;
 class BankIntegration extends BaseModel
 {
 use SoftDeletes;
 use Filterable;
-
+ use Excludable;
+
 protected $fillable = [
 'bank_account_name',
 'provider_name',
diff --git a/app/Models/User.php b/app/Models/User.php
index 7ece8fd655..d10104914f 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -386,18 +386,18 @@ class User extends Authenticatable implements MustVerifyEmail
 * @param string $permission '["view_all"]'
 * @return boolean
 */
- public function hasExactPermission(string $permission = ''): bool
+ public function hasExactPermission(string $permission = '___'): bool
 {
 $parts = explode('_', $permission);
- $all_permission = '';
+ $all_permission = '__';
 if (count($parts) > 1) {
 $all_permission = $parts[0].'_all';
 }
- return (is_int(stripos($this->token()->cu->permissions, $all_permission))) ||
- (is_int(stripos($this->token()->cu->permissions, $permission)));
+ return (stripos($this->token()->cu->permissions, $all_permission) !== false) ||
+ (stripos($this->token()->cu->permissions, $permission) !== false);
 }
diff --git a/app/Policies/BankTransactionPolicy.php b/app/Policies/BankTransactionPolicy.php
index 9819e0768b..b58390df84 100644
--- a/app/Policies/BankTransactionPolicy.php
+++ b/app/Policies/BankTransactionPolicy.php
@@ -26,6 +26,6 @@ class BankTransactionPolicy extends EntityPolicy
 */
 public function create(User $user) : bool
 {
- return $user->isAdmin() || $user->hasPermission('create_invoice') || $user->hasPermission('create_all');
+ return $user->isAdmin() || $user->hasPermission('create_bank_transaction') || $user->hasPermission('create_all');
 }
 }
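Review bot: The `'__'`/`'___'` sentinels in hasExactPermission paper over the real problem: on PHP 8 `stripos($haystack, '')` returns `0`, so the old code reported any permission without an underscore as granted, and the new code still returns true whenever the requested string merely occurs as a substring of `permissions`, which is a stored string the docblock only illustrates as `'["view_all"]'`. Splitting that string into discrete tokens and testing exact membership makes the empty case fall out naturally and removes the substring matches; a permission with no `_` prefix then simply skips the `_all` check. The comparison is kept case-insensitive to match `stripos`, and the stored format (JSON list vs comma-separated) should be confirmed before relying on the split. The enclosing class is outside the hunk.
```php
public function hasExactPermission(string $permission = ''): bool
{
    if ($permission === '') {
        return false;
    }

    // Tokenise the stored permissions so membership is exact rather than a substring match;
    // lower-cased to keep the case-insensitive behaviour of stripos(). NOTE(review): the split
    // accepts both a JSON list and a comma-separated string — confirm the stored format.
    $granted = preg_split('/[^a-z0-9_]+/', strtolower((string) $this->token()->cu->permissions), -1, PREG_SPLIT_NO_EMPTY);

    $parts = explode('_', $permission);
    // Only derive "<prefix>_all" when the permission actually has a prefix.
    $all_permission = count($parts) > 1 ? $parts[0].'_all' : null;

    return in_array(strtolower($permission), $granted, true)
        || ($all_permission !== null && in_array(strtolower($all_permission), $granted, true));
}
```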