Prevent deleted invitations from accessing entity

2024-11-08 20:22:42 +01:00 · 2023-03-09 14:40:16 +11:00 · 2023-03-09 14:40:16 +11:00 · a18e55e1d1
commit a18e55e1d1
parent 043cc121b2
3 changed files with 4 additions and 3 deletions
--- a/app/Http/Controllers/ClientPortal/InvitationController.php
+++ b/app/Http/Controllers/ClientPortal/InvitationController.php
@ -85,7 +85,8 @@ class InvitationController extends Controller
                                    ->with('contact.client')
                                    ->firstOrFail();

-        if ($invitation->{$entity}->is_deleted) {
+        //09-03-2023 do not show entity if the invitation has been trashed.
+        if ($invitation->trashed() || $invitation->{$entity}->is_deleted) {
            return $this->render('generic.not_available', ['account' => $invitation->company->account, 'company' => $invitation->company]);
        }

--- a/phpstan.neon
+++ b/phpstan.neon
@ -2,4 +2,4 @@ parameters:
    level: 2
    paths:
        - app
-        - tests
+#        - tests
--- a/routes/api.php
+++ b/routes/api.php
@ -364,7 +364,7 @@ Route::match(['get', 'post'], 'payment_notification_webhook/{company_key}/{compa
    ->name('payment_notification_webhook');

 Route::post('api/v1/postmark_webhook', [PostMarkController::class, 'webhook'])->middleware('throttle:1000,1');
-Route::get('token_hash_router', [OneTimeTokenController::class, 'router'])->middleware('throttle:100,1');
+Route::get('token_hash_router', [OneTimeTokenController::class, 'router'])->middleware('throttle:500,1');
 Route::get('webcron', [WebCronController::class, 'index'])->middleware('throttle:100,1');
 Route::post('api/v1/get_migration_account', [HostedMigrationController::class, 'getAccount'])->middleware('guest')->middleware('throttle:100,1');
 Route::post('api/v1/confirm_forwarding', [HostedMigrationController::class, 'confirmForwarding'])->middleware('guest')->middleware('throttle:100,1');