mirror of
https://github.com/invoiceninja/invoiceninja.git
synced 2024-09-20 08:21:34 +02:00
Restrict admin viewing of invoices to invoices in the same account
parent
82fadab632
commit
879e88dcc3
@ -32,15 +32,16 @@ class Authenticate {
|
||||
}
|
||||
|
||||
if($guard=='client'){
|
||||
$invitation_key = session('invitation_key');
|
||||
$account_id = $this->getInvitationAccountId($invitation_key);
|
||||
|
||||
if(Auth::guard('user')->check()){
|
||||
if(Auth::guard('user')->check() && Auth::user('user')->account_id === $account_id){
|
||||
// This is an admin; let them pretend to be a client
|
||||
$authenticated = true;
|
||||
}
|
||||
|
||||
// Does this account require portal passwords?
|
||||
$invitation_key = session('invitation_key');
|
||||
$account = Account::whereId($this->getInvitationAccountId($invitation_key))->first();
|
||||
$account = Account::whereId($account_id)->first();
|
||||
if(!$account->enable_portal_password || !$account->isPro()){
|
||||
$authenticated = true;
|
||||
}
|
||||
|
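Review bot: The new account check on the admin branch tests one guard and reads the user from another: `Auth::guard('user')->check()` is followed by `Auth::user('user')->account_id`, and Laravel's `Auth::user()` takes no guard name, so the argument is ignored and the default guard's user is read. If the default guard is not `user` (the auth config is not visible here), that user can be null or a different principal from the one just checked; read both from the same guard, e.g. `$user = Auth::guard('user')->user();` then `if ($user && $user->account_id === $account_id) {`. The strict `===` also relies on `getInvitationAccountId()` and the model attribute having the same type, and on `$account_id` not being null when the session holds no invitation key; neither is shown, so confirm that a missing key cannot make the comparison true and that a null result from `Account::whereId($account_id)->first()` is handled before `$account->enable_portal_password` is read. The enclosing method starts and ends outside the hunk.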