Restrict admin viewing of invoices to invoices in the same account

2016-03-07 20:25:43 -05:00 · 2016-03-07 20:25:43 -05:00 · 879e88dcc3
commit 879e88dcc3
parent 82fadab632
1 changed files with 4 additions and 3 deletions
--- a/app/Http/Middleware/Authenticate.php
+++ b/app/Http/Middleware/Authenticate.php
@ -32,15 +32,16 @@ class Authenticate {
 		}
 		
 		if($guard=='client'){
+			$invitation_key = session('invitation_key');
+			$account_id = $this->getInvitationAccountId($invitation_key);
 			
-			if(Auth::guard('user')->check()){
+			if(Auth::guard('user')->check() && Auth::user('user')->account_id === $account_id){
 				// This is an admin; let them pretend to be a client
 				$authenticated = true;
 			}
 			
 			// Does this account require portal passwords?
-			$invitation_key = session('invitation_key');
-			$account = Account::whereId($this->getInvitationAccountId($invitation_key))->first();
+			$account = Account::whereId($account_id)->first();
 			if(!$account->enable_portal_password || !$account->isPro()){
 				$authenticated = true;
 			}