don't show api company if not assigned

akaunting · Oct 12, 2017 · 7278e9a · 7278e9a
1 parent 819a8e4
commit 7278e9a
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/app/Http/Controllers/Api/Companies/Companies.php b/app/Http/Controllers/Api/Companies/Companies.php
@@ -36,6 +36,12 @@ public function index()
      */
     public function show(Company $company)
     {
+        // Check if user can access company
+        $companies = app('Dingo\Api\Auth\Auth')->user()->companies()->pluck('id')->toArray();
+        if (!in_array($company->id, $companies)) {
+            $this->response->errorUnauthorized();
+        }
+
         $company->setSettings();
 
         return $this->response->item($company, new Transformer());
@@ -82,7 +88,7 @@ public function update(Company $company, Request $request)
         // Check if user can access company
         $companies = app('Dingo\Api\Auth\Auth')->user()->companies()->pluck('id')->toArray();
         if (!in_array($company->id, $companies)) {
-            return $this->response->noContent();
+            $this->response->errorUnauthorized();
         }
 
         // Update company
@@ -116,11 +122,12 @@ public function destroy(Company $company)
     {
         // Check if user can access company
         $companies = app('Dingo\Api\Auth\Auth')->user()->companies()->pluck('id')->toArray();
-
-        if (in_array($company->id, $companies)) {
-            $company->delete();
+        if (!in_array($company->id, $companies)) {
+            $this->response->errorUnauthorized();
         }
 
+        $company->delete();
+
         return $this->response->noContent();
     }
 }