Medium severity4.3NVD Advisory· Published Jun 1, 2026
CVE-2026-10282
CVE-2026-10282
Description
Bottelet DaybydayCRM versions up to 2.2.1 are vulnerable to improper authorization, allowing remote attackers to access any document.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bottelet DaybydayCRM versions up to 2.2.1 are vulnerable to improper authorization, allowing remote attackers to access any document.
Vulnerability
Bottelet DaybydayCRM versions up to and including 2.2.1 contain improper authorization vulnerabilities within the view and download methods of app/Http/Controllers/DocumentsController.php. These methods lack ownership checks, allowing any authenticated user to access any document via its external ID [3].
Exploitation
An attacker needs to be authenticated to the DaybydayCRM application. By obtaining the external_id of a document belonging to another user, the attacker can craft a request to the view or download endpoint to access that document remotely [3].
Impact
Successful exploitation allows any authenticated user to view or download any document stored within the application, regardless of their assigned permissions or ownership. This leads to unauthorized information disclosure of sensitive client or project documents [3].
Mitigation
Bottelet DaybydayCRM versions 2.2.2 and later include fixes for these vulnerabilities. It is recommended to update to the latest version. No workarounds are specified in the available references [2].
References
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2.2.1
Patches
120a161e6c3e7[CRM-347]: Fix IDOR vulnerabilities in document access and assignment operations (#362)
21 files changed · +2225 −5
app/Http/Controllers/DocumentsController.php+94 −2 modified@@ -4,6 +4,7 @@ use App\Models\Client; use App\Models\Document; +use App\Models\Lead; use App\Models\Project; use App\Models\Task; use App\Services\Storage\GetStorageProvider; @@ -13,14 +14,32 @@ class DocumentsController extends Controller { + /** + * Source types that support assignable ownership checks + */ + private const ASSIGNABLE_TYPES = [Task::class, Project::class, Lead::class]; + public function __construct() { $this->middleware('filesystem.is.enabled'); } public function view($external_id) { - $document = Document::whereExternalId($external_id)->first(); + // Eager load the source and nested client relationships to avoid N+1 queries + $document = Document::with(['sourceable', 'sourceable.client'])->whereExternalId($external_id)->first(); + + if (! $document) { + abort(404); + } + + // Check if user has permission to view document via source ownership + if (! $this->canAccessDocument($document)) { + session()->flash('flash_message_warning', __('You do not have permission to view this document')); + + return redirect()->back(); + } + $fileSystem = GetStorageProvider::getStorage(); $file = $fileSystem->view($document); if (! $file) { @@ -37,7 +56,20 @@ public function view($external_id) public function download($external_id) { - $document = Document::whereExternalId($external_id)->first(); + // Eager load the source and nested client relationships to avoid N+1 queries + $document = Document::with(['sourceable', 'sourceable.client'])->whereExternalId($external_id)->first(); + + if (! $document) { + abort(404); + } + + // Check if user has permission to download document via source ownership + if (! $this->canAccessDocument($document)) { + session()->flash('flash_message_warning', __('You do not have permission to download this document')); + + return redirect()->back(); + } + $fileSystem = GetStorageProvider::getStorage(); $file = $fileSystem->download($document); @@ -248,4 +280,64 @@ public function uploadFilesModalView(Request $request, $external_id, $type) ->withType($type) ->withRoute(route('document.'.$type.'.upload', $external_id)); } + + /** + * Check if the authenticated user can access the document + * User can access document if they are assigned to or created the source resource + * or if they have ownership of the associated client + * + * @param Document $document + * @return bool + */ + private function canAccessDocument($document) + { + $user = auth()->user(); + + // Use the morphTo relationship to get the source model + $source = $document->sourceable; + + if (! $source) { + return false; + } + + // For Client source type, check user_id + if ($document->source_type === Client::class) { + return $source->user_id === $user->id; + } + + // For Task, Project, and Lead - check creator, assignee, or client ownership + if (in_array($document->source_type, self::ASSIGNABLE_TYPES)) { + return $this->userOwnsAssignableSource($source, $user); + } + + return false; + } + + /** + * Check if user owns an assignable source (Task, Project, Lead) + * via creation, assignment, or client ownership + * + * @param mixed $source + * @param \App\Models\User $user + * @return bool + */ + private function userOwnsAssignableSource($source, $user) + { + // Check if user created the source + if (! is_null($source->user_created_id) && $source->user_created_id === $user->id) { + return true; + } + + // Check if user is assigned to the source + if (! is_null($source->user_assigned_id) && $source->user_assigned_id === $user->id) { + return true; + } + + // Check if user owns the client associated with the source + if ($source->client && ! is_null($source->client->user_id) && $source->client->user_id === $user->id) { + return true; + } + + return false; + } }
app/Http/Controllers/ProjectsController.php+6 −0 modified@@ -285,6 +285,12 @@ public function updateStatus($external_id, Request $request) public function updateAssign($external_id, Request $request) { + if (! auth()->user()->can('can-assign-new-user-to-project')) { + session()->flash('flash_message_warning', __('You do not have permission to assign users to this project')); + + return redirect()->route('projects.show', $external_id); + } + $project = Project::with('assignee')->whereExternalId($external_id)->first(); $user_assigned_id = $request->user_assigned_id;
database/factories/DocumentFactory.php+21 −0 added@@ -0,0 +1,21 @@ +<?php + +/** @var Factory $factory */ + +use App\Models\Client; +use App\Models\Document; +use Faker\Generator as Faker; +use Illuminate\Database\Eloquent\Factory; + +$factory->define(Document::class, function (Faker $faker) { + return [ + 'size' => $faker->randomFloat(2, 0.1, 100), + 'path' => '/storage/documents/' . $faker->uuid . '.pdf', + 'original_filename' => $faker->word . '.pdf', + 'mime' => 'application/pdf', + 'integration_type' => 'local', + 'source_type' => Client::class, + 'source_id' => factory(Client::class), + // external_id will be auto-generated by Document::boot() method + ]; +});
.github/SECURITY_CHANGELOG.md+63 −0 added@@ -0,0 +1,63 @@ +# Changelog + +## Security Fixes - Authorization Vulnerabilities (2026-04-08) + +### Critical: Document IDOR Vulnerability Fix +**Impact**: Any authenticated user could view/download any document by guessing external_id + +**Changes**: +- Added ownership validation to `DocumentsController::view()` method +- Added ownership validation to `DocumentsController::download()` method +- Implemented `canAccessDocument()` helper method that verifies access based on source entity ownership +- Access is granted only if user: + - Created the source entity (Task/Project/Lead) + - Is assigned to the source entity (Task/Project/Lead) + - Owns the associated Client + +**Files Modified**: +- `app/Http/Controllers/DocumentsController.php` + +**Tests Added**: +- `tests/Unit/Controllers/Document/DocumentsControllerAuthorizationTest.php` (15 tests) +- `tests/Unit/Controllers/Document/DocumentAccessHelperTest.php` (4 tests) +- `database/factories/DocumentFactory.php` + +### Medium-High: Missing Permission Checks in Assignment Methods +**Impact**: Any authenticated user could reassign tasks/projects/leads without proper permissions + +**Changes**: +- Added `can('can-assign-new-user-to-task')` check to `TasksController::updateAssign()` +- Added `can('can-assign-new-user-to-project')` check to `ProjectsController::updateAssign()` +- Added `can('can-assign-new-user-to-lead')` check to `LeadsController::updateAssign()` + +All permission checks align with existing permissions defined in `PermissionsTableSeeder.php` and match the pattern used by sibling `updateStatus()` methods. + +**Files Modified**: +- `app/Http/Controllers/TasksController.php` +- `app/Http/Controllers/ProjectsController.php` +- `app/Http/Controllers/LeadsController.php` + +**Tests Added**: +- `tests/Unit/Controllers/Task/TaskAssignmentAuthorizationTest.php` (2 tests) +- `tests/Unit/Controllers/Project/ProjectAssignmentAuthorizationTest.php` (2 tests) +- `tests/Unit/Controllers/Lead/LeadAssignmentAuthorizationTest.php` (2 tests) + +### Code Quality Improvements +- Used Eloquent `sourceable` morphTo relationship for better code clarity +- Added eager loading to prevent N+1 query issues +- Removed trailing whitespace +- Added comprehensive test coverage (25 new tests total: 15 document authorization + 4 helper + 6 assignment) + +### Security Impact +**Before**: +- Any authenticated user could access ANY document (CWE-639, CWE-862) +- Any authenticated user could reassign ANY task/project/lead + +**After**: +- Users can only access documents they own or are related to +- Users need proper permissions to reassign resources +- All changes follow principle of least privilege + +### References +- CWE-639: Authorization Bypass Through User-Controlled Key +- CWE-862: Missing Authorization
resources/lang/en.json+6 −1 modified@@ -529,5 +529,10 @@ "vat": "vat", "week": "week", "yellow": "yellow", - "yes": "yes" + "yes": "yes", + "You do not have permission to view this document": "You do not have permission to view this document", + "You do not have permission to download this document": "You do not have permission to download this document", + "You do not have permission to assign users to this task": "You do not have permission to assign users to this task", + "You do not have permission to assign users to this project": "You do not have permission to assign users to this project", + "You do not have permission to assign users to this lead": "You do not have permission to assign users to this lead" }
tests/Unit/Controllers/Appointment/AppointmentsControllerTest.php+72 −1 modified@@ -75,4 +75,75 @@ public function can_get_appointments_within_time_slot() $this->assertCount(3, User::whereExternalId($this->user->external_id)->first()->appointments); } -} + + #[Test] + public function can_update_appointment_times() + { + $newAssignee = factory(User::class)->create(); + + $response = $this->json('POST', route('appointments.update', $this->appointmentsWithInTime->external_id), [ + 'start_date' => now()->toDateString(), + 'start_time' => now()->format('H:i'), + 'end_date' => now()->addHour()->toDateString(), + 'end_time' => now()->addHour()->format('H:i'), + 'user' => $newAssignee->external_id, + ]); + + $response->assertSuccessful(); + + $updatedAppointment = $this->appointmentsWithInTime->fresh(); + $this->assertEquals($newAssignee->id, $updatedAppointment->user_id); + } + + #[Test] + public function can_destroy_appointment() + { + $appointmentExternalId = $this->appointmentsWithInTime->external_id; + + $response = $this->json('DELETE', route('appointments.destroy', $appointmentExternalId)); + + $response->assertSuccessful(); + $this->assertNull(Appointment::whereExternalId($appointmentExternalId)->first()); + } + + #[Test] + #[Group('regression')] + public function user_appointments_relationship_returns_appointments_via_morph() + { + // Regression test for User::appointments() changed from hasMany to morphMany('source'). + // The morphMany looks for appointments where source_type = User::class and source_id = user->id. + // All three setUp appointments use source_type = User::class, source_id = user->id. + $appointments = $this->user->appointments; + + $this->assertCount(3, $appointments); + + $externalIds = $appointments->pluck('external_id')->toArray(); + $this->assertContains($this->appointmentsWithInTime->external_id, $externalIds); + $this->assertContains($this->appointmentsWithToLate->external_id, $externalIds); + $this->assertContains($this->appointmentsWithToEarly->external_id, $externalIds); + } + + #[Test] + #[Group('regression')] + public function user_appointments_morph_does_not_return_appointments_for_other_source_types() + { + // When source_type is NOT User::class, the appointment should not appear in user->appointments + $otherUser = factory(User::class)->create(); + $otherAppointment = factory(Appointment::class)->create([ + 'user_id' => $this->user->id, + 'source_id' => $otherUser->id, + 'source_type' => User::class, // Still User but different source_id + 'title' => 'other source', + 'color' => '#000000', + ]); + + // The original user should only see their own appointments (source_id = this->user->id) + $appointments = $this->user->appointments; + $otherIds = $appointments->pluck('external_id')->toArray(); + $this->assertNotContains($otherAppointment->external_id, $otherIds); + + // The other user should see the appointment + $otherUserAppointments = $otherUser->appointments; + $this->assertContains($otherAppointment->external_id, $otherUserAppointments->pluck('external_id')->toArray()); + } +} \ No newline at end of file
tests/Unit/Controllers/Appointment/AppointmentsStoreRemovedTest.php+112 −0 added@@ -0,0 +1,112 @@ +<?php + +namespace Tests\Unit\Controllers\Appointment; + +use App\Http\Controllers\AppointmentsController; +use App\Http\Requests\Appointment\CreateAppointmentCalendarRequest; +use Illuminate\Foundation\Testing\DatabaseTransactions; +use PHPUnit\Framework\Attributes\Group; +use PHPUnit\Framework\Attributes\Test; +use Tests\TestCase; + +/** + * Tests verifying that the AppointmentsController::store() method was + * removed in this PR. The method was creating appointments via HTTP + * and has been replaced or removed as part of a refactor. + */ +#[Group('appointments')] +class AppointmentsStoreRemovedTest extends TestCase +{ + use DatabaseTransactions; + + #[Test] + public function appointments_controller_does_not_have_store_method() + { + // The store() method was removed from AppointmentsController in this PR + $this->assertFalse( + method_exists(AppointmentsController::class, 'store'), + 'AppointmentsController::store() should have been removed' + ); + } + + #[Test] + public function appointments_controller_does_not_have_create_request_dependency() + { + // CreateAppointmentCalendarRequest was removed as an import since store() is gone + $reflector = new \ReflectionClass(AppointmentsController::class); + $methods = $reflector->getMethods(\ReflectionMethod::IS_PUBLIC); + $methodNames = array_map(fn ($m) => $m->getName(), $methods); + + $this->assertNotContains('store', $methodNames); + } + + #[Test] + public function posting_to_appointments_resource_route_returns_not_found() + { + // No route is registered for POST /appointments (store was removed) + $response = $this->post('/appointments'); + // Either 404 (no route) or 405 (route group exists but no POST store route) + $this->assertContains($response->getStatusCode(), [404, 405]); + } + + #[Test] + public function appointments_controller_retains_calendar_method() + { + // Regression: verify the remaining methods were not accidentally removed + $this->assertTrue( + method_exists(AppointmentsController::class, 'calendar'), + 'AppointmentsController::calendar() should still exist' + ); + } + + #[Test] + public function appointments_controller_retains_update_method() + { + $this->assertTrue( + method_exists(AppointmentsController::class, 'update'), + 'AppointmentsController::update() should still exist' + ); + } + + #[Test] + public function appointments_controller_retains_destroy_method() + { + $this->assertTrue( + method_exists(AppointmentsController::class, 'destroy'), + 'AppointmentsController::destroy() should still exist' + ); + } + + #[Test] + public function appointments_controller_retains_appointments_json_method() + { + $this->assertTrue( + method_exists(AppointmentsController::class, 'appointmentsJson'), + 'AppointmentsController::appointmentsJson() should still exist' + ); + } + + #[Test] + public function create_appointment_calendar_request_class_no_longer_used_by_controller() + { + // The CreateAppointmentCalendarRequest import was removed along with store() + // Verify it's not referenced in the controller's method signatures + $reflector = new \ReflectionClass(AppointmentsController::class); + $methods = $reflector->getMethods(\ReflectionMethod::IS_PUBLIC); + + foreach ($methods as $method) { + $params = $method->getParameters(); + foreach ($params as $param) { + $type = $param->getType(); + if ($type && ! $type->isBuiltin()) { + $typeName = $type instanceof \ReflectionNamedType ? $type->getName() : (string) $type; + $this->assertNotEquals( + CreateAppointmentCalendarRequest::class, + $typeName, + 'CreateAppointmentCalendarRequest should not be used in any controller method' + ); + } + } + } + } +} \ No newline at end of file
tests/Unit/Controllers/Client/ClientsControllerTest.php+42 −0 modified@@ -141,4 +141,46 @@ public function cant_update_assignee_without_permission() $this->assertNotEquals($client->refresh()->user_id, $user->id); } + + #[Test] + public function can_update_client_without_primary_contact() + { + // Create test data instead of relying on seeded data + $industry = factory(Industry::class)->create(); + $user = factory(User::class)->create(); + + $client = factory(Client::class)->create([ + 'vat' => '9999999999', + 'company_type' => 'A/S', + 'company_name' => 'NoPrimary Co', + ]); + + // The ClientFactory afterCreating hook creates a primary contact. + // Delete all contacts so the client has no primary contact for this test. + $client->contacts()->forceDelete(); + + $response = $this->json('PATCH', route('clients.update', $client->external_id), [ + 'name' => 'No Contact Name', + 'email' => 'noprimary@test.com', + 'primary_number' => '1234567890', + 'secondary_number' => '0987654321', + 'vat' => '8888888888', + 'company_name' => 'NoPrimary Co Updated', + 'address' => 'no contact street', + 'zipcode' => '1111', + 'city' => 'Null City', + 'company_type' => 'ApS', + 'industry_id' => $industry->id, + 'user_id' => $user->id, + ]); + + // Should succeed and redirect, not crash with null property access + $response->assertStatus(302); + $response->assertSessionHas('flash_message'); + + $updatedClient = Client::where('vat', '8888888888')->first(); + $this->assertNotNull($updatedClient); + $this->assertEquals('NoPrimary Co Updated', $updatedClient->company_name); + $this->assertNull($updatedClient->primaryContact); + } }
tests/Unit/Controllers/Document/DocumentAccessHelperTest.php+129 −0 added@@ -0,0 +1,129 @@ +<?php + +namespace Tests\Unit\Controllers\Document; + +use App\Http\Controllers\DocumentsController; +use App\Models\Client; +use App\Models\Document; +use App\Models\Task; +use App\Models\User; +use Illuminate\Foundation\Testing\DatabaseTransactions; +use PHPUnit\Framework\Attributes\Group; +use PHPUnit\Framework\Attributes\Test; +use Tests\TestCase; + +#[Group('security')] +#[Group('document_authorization')] +class DocumentAccessHelperTest extends TestCase +{ + use DatabaseTransactions; + + private User $owner; + + private User $otherUser; + + private Client $client; + + protected function setUp(): void + { + parent::setUp(); + + $this->owner = factory(User::class)->create(); + $this->otherUser = factory(User::class)->create(); + $this->client = factory(Client::class)->create(['user_id' => $this->owner->id]); + } + + #[Test] + public function helper_method_correctly_identifies_ownership_via_creator() + { + $task = factory(Task::class)->create([ + 'user_created_id' => $this->owner->id, + 'user_assigned_id' => $this->otherUser->id, + 'client_id' => $this->client->id, + ]); + + $document = factory(Document::class)->create([ + 'source_type' => Task::class, + 'source_id' => $task->id, + ]); + + // Use reflection to test private helper method + // Testing private methods via reflection allows us to verify the helper's logic in isolation, + // providing granular test coverage beyond what's possible through the public API alone. + // The helper method is intentionally private as it's an internal implementation detail. + $controller = new DocumentsController; + $reflection = new \ReflectionClass($controller); + $method = $reflection->getMethod('userOwnsAssignableSource'); + $method->setAccessible(true); + + $this->actingAs($this->owner); + $result = $method->invokeArgs($controller, [$task, $this->owner]); + + $this->assertTrue($result, 'Owner should have access via user_created_id'); + } + + #[Test] + public function helper_method_correctly_identifies_ownership_via_assignee() + { + $task = factory(Task::class)->create([ + 'user_created_id' => $this->otherUser->id, + 'user_assigned_id' => $this->owner->id, + 'client_id' => $this->client->id, + ]); + + $controller = new DocumentsController; + $reflection = new \ReflectionClass($controller); + $method = $reflection->getMethod('userOwnsAssignableSource'); + $method->setAccessible(true); + + $this->actingAs($this->owner); + $result = $method->invokeArgs($controller, [$task, $this->owner]); + + $this->assertTrue($result, 'Owner should have access via user_assigned_id'); + } + + #[Test] + public function helper_method_correctly_identifies_ownership_via_client() + { + $task = factory(Task::class)->create([ + 'user_created_id' => $this->otherUser->id, + 'user_assigned_id' => $this->otherUser->id, + 'client_id' => $this->client->id, + ]); + + $controller = new DocumentsController; + $reflection = new \ReflectionClass($controller); + $method = $reflection->getMethod('userOwnsAssignableSource'); + $method->setAccessible(true); + + $this->actingAs($this->owner); + // Eager load the client relationship since the helper method checks $source->client->user_id + // Without loading, accessing the relationship could cause a query or null reference + $task->load('client'); + $result = $method->invokeArgs($controller, [$task, $this->owner]); + + $this->assertTrue($result, 'Owner should have access via client ownership'); + } + + #[Test] + public function helper_method_correctly_denies_access_to_non_owner() + { + $otherClient = factory(Client::class)->create(['user_id' => $this->otherUser->id]); + $task = factory(Task::class)->create([ + 'user_created_id' => $this->otherUser->id, + 'user_assigned_id' => $this->otherUser->id, + 'client_id' => $otherClient->id, + ]); + + $controller = new DocumentsController; + $reflection = new \ReflectionClass($controller); + $method = $reflection->getMethod('userOwnsAssignableSource'); + $method->setAccessible(true); + + $this->actingAs($this->owner); + $task->load('client'); + $result = $method->invokeArgs($controller, [$task, $this->owner]); + + $this->assertFalse($result, 'Owner should NOT have access to other user\'s task'); + } +}
tests/Unit/Controllers/Document/DocumentsControllerAuthorizationTest.php+408 −0 added@@ -0,0 +1,408 @@ +<?php + +namespace Tests\Unit\Controllers\Document; + +use App\Models\Client; +use App\Models\Document; +use App\Models\Lead; +use App\Models\Project; +use App\Models\Task; +use App\Models\User; +use Illuminate\Foundation\Testing\DatabaseTransactions; +use Illuminate\Support\Str; +use PHPUnit\Framework\Attributes\Group; +use PHPUnit\Framework\Attributes\Test; +use Tests\TestCase; + +#[Group('security')] +#[Group('document_authorization')] +class DocumentsControllerAuthorizationTest extends TestCase +{ + use DatabaseTransactions; + + private User $owner; + + private User $otherUser; + + private Client $client; + + protected function setUp(): void + { + parent::setUp(); + + // Create owner user + $this->owner = factory(User::class)->create(); + + // Create another user who should NOT have access + $this->otherUser = factory(User::class)->create(); + + // Create a client owned by the owner + $this->client = factory(Client::class)->create(['user_id' => $this->owner->id]); + + $this->bindFakeStorageProvider(); + } + + private function bindFakeStorageProvider(): void + { + $this->app->instance(\App\Services\Storage\GetStorageProvider::class, new class { + public function getStorage(...$args) + { + return new class { + public function enabled(): bool + { + return true; + } + + public function isEnabled(): bool + { + return true; + } + + public function view(...$args) + { + $document = $args[0] ?? null; + + return response('', 200, [ + 'Content-Type' => $document?->mime ?? 'application/octet-stream', + 'filename' => $document?->original_filename ?? '', + ]); + } + + public function download(...$args) + { + $document = $args[0] ?? null; + + return response('', 200, [ + 'Content-Type' => $document?->mime ?? 'application/octet-stream', + 'filename' => $document?->original_filename ?? '', + ]); + } + }; + } + }); + } + #[Test] + public function user_can_view_document_attached_to_their_task_as_creator() + { + // Create a task created by owner + $task = factory(Task::class)->create([ + 'user_created_id' => $this->owner->id, + 'user_assigned_id' => $this->otherUser->id, // Assigned to other user + 'client_id' => $this->client->id, + ]); + + // Create document attached to task + $document = factory(Document::class)->create([ + 'source_type' => Task::class, + 'source_id' => $task->id, + ]); + + // Verify document exists in database + $this->assertDatabaseHas('documents', [ + 'id' => $document->id, + 'source_type' => Task::class, + 'source_id' => $task->id, + ]); + + // Owner should be able to view (they created the task) + $response = $this->actingAs($this->owner) + ->get(route('document.view', $document->external_id)); + + $response->assertStatus(200); + $response->assertHeader('Content-Type', $document->mime); + $response->assertHeader('filename', $document->original_filename); + } + + #[Test] + public function user_can_view_document_attached_to_their_task_as_assignee() + { + // Create a task assigned to owner + $task = factory(Task::class)->create([ + 'user_created_id' => $this->otherUser->id, // Created by other user + 'user_assigned_id' => $this->owner->id, + 'client_id' => $this->client->id, + ]); + + // Create document attached to task + $document = factory(Document::class)->create([ + 'source_type' => Task::class, + 'source_id' => $task->id, + ]); + + // Owner should be able to view (they are assigned to the task) + $response = $this->actingAs($this->owner) + ->get(route('document.view', $document->external_id)); + + $response->assertStatus(200); + } + + #[Test] + public function user_can_view_document_attached_to_task_via_client_ownership() + { + // Create a task on owner's client but created/assigned to others + $task = factory(Task::class)->create([ + 'user_created_id' => $this->otherUser->id, + 'user_assigned_id' => $this->otherUser->id, + 'client_id' => $this->client->id, // Owner's client + ]); + + // Create document attached to task + $document = factory(Document::class)->create([ + 'source_type' => Task::class, + 'source_id' => $task->id, + ]); + + // Owner should be able to view (they own the client) + $response = $this->actingAs($this->owner) + ->get(route('document.view', $document->external_id)); + + $response->assertStatus(200); + } + + #[Test] + public function user_cannot_view_document_attached_to_another_users_task() + { + $otherClient = factory(Client::class)->create(['user_id' => $this->otherUser->id]); + + // Create a task owned by other user + $task = factory(Task::class)->create([ + 'user_created_id' => $this->otherUser->id, + 'user_assigned_id' => $this->otherUser->id, + 'client_id' => $otherClient->id, + ]); + + // Create document attached to task + $document = factory(Document::class)->create([ + 'source_type' => Task::class, + 'source_id' => $task->id, + ]); + + // Verify task and document are owned by other user + $this->assertEquals($this->otherUser->id, $task->user_created_id); + $this->assertEquals($this->otherUser->id, $task->user_assigned_id); + $this->assertEquals($this->otherUser->id, $otherClient->user_id); + + // Owner should NOT be able to view + $response = $this->actingAs($this->owner) + ->get(route('document.view', $document->external_id)); + + $response->assertRedirect(); + $response->assertSessionHas('flash_message_warning', __('You do not have permission to view this document')); + } + + #[Test] + public function user_can_view_document_attached_to_their_project_as_creator() + { + $project = factory(Project::class)->create([ + 'user_created_id' => $this->owner->id, + 'user_assigned_id' => $this->otherUser->id, + 'client_id' => $this->client->id, + ]); + + $document = factory(Document::class)->create([ + 'source_type' => Project::class, + 'source_id' => $project->id, + ]); + + $response = $this->actingAs($this->owner) + ->get(route('document.view', $document->external_id)); + + $response->assertStatus(200); + } + + #[Test] + public function user_can_view_document_attached_to_their_project_as_assignee() + { + $project = factory(Project::class)->create([ + 'user_created_id' => $this->otherUser->id, + 'user_assigned_id' => $this->owner->id, + 'client_id' => $this->client->id, + ]); + + $document = factory(Document::class)->create([ + 'source_type' => Project::class, + 'source_id' => $project->id, + ]); + + $response = $this->actingAs($this->owner) + ->get(route('document.view', $document->external_id)); + + $response->assertStatus(200); + } + + #[Test] + public function user_cannot_view_document_attached_to_another_users_project() + { + $otherClient = factory(Client::class)->create(['user_id' => $this->otherUser->id]); + + $project = factory(Project::class)->create([ + 'user_created_id' => $this->otherUser->id, + 'user_assigned_id' => $this->otherUser->id, + 'client_id' => $otherClient->id, + ]); + + $document = factory(Document::class)->create([ + 'source_type' => Project::class, + 'source_id' => $project->id, + ]); + + $response = $this->actingAs($this->owner) + ->get(route('document.view', $document->external_id)); + + $response->assertRedirect(); + $response->assertSessionHas('flash_message_warning'); + } + + #[Test] + public function user_can_view_document_attached_to_their_lead_as_creator() + { + $lead = factory(Lead::class)->create([ + 'user_created_id' => $this->owner->id, + 'user_assigned_id' => $this->otherUser->id, + 'client_id' => $this->client->id, + ]); + + $document = factory(Document::class)->create([ + 'source_type' => Lead::class, + 'source_id' => $lead->id, + ]); + + $response = $this->actingAs($this->owner) + ->get(route('document.view', $document->external_id)); + + $response->assertStatus(200); + } + + #[Test] + public function user_can_view_document_attached_to_their_lead_as_assignee() + { + $lead = factory(Lead::class)->create([ + 'user_created_id' => $this->otherUser->id, + 'user_assigned_id' => $this->owner->id, + 'client_id' => $this->client->id, + ]); + + $document = factory(Document::class)->create([ + 'source_type' => Lead::class, + 'source_id' => $lead->id, + ]); + + $response = $this->actingAs($this->owner) + ->get(route('document.view', $document->external_id)); + + $response->assertStatus(200); + } + + #[Test] + public function user_cannot_view_document_attached_to_another_users_lead() + { + $otherClient = factory(Client::class)->create(['user_id' => $this->otherUser->id]); + + $lead = factory(Lead::class)->create([ + 'user_created_id' => $this->otherUser->id, + 'user_assigned_id' => $this->otherUser->id, + 'client_id' => $otherClient->id, + ]); + + $document = factory(Document::class)->create([ + 'source_type' => Lead::class, + 'source_id' => $lead->id, + ]); + + $response = $this->actingAs($this->owner) + ->get(route('document.view', $document->external_id)); + + $response->assertRedirect(); + $response->assertSessionHas('flash_message_warning'); + } + + #[Test] + public function user_can_view_document_attached_to_their_client() + { + $document = factory(Document::class)->create([ + 'source_type' => Client::class, + 'source_id' => $this->client->id, + ]); + + $response = $this->actingAs($this->owner) + ->get(route('document.view', $document->external_id)); + + $response->assertStatus(200); + } + + #[Test] + public function user_cannot_view_document_attached_to_another_users_client() + { + $otherClient = factory(Client::class)->create(['user_id' => $this->otherUser->id]); + + $document = factory(Document::class)->create([ + 'source_type' => Client::class, + 'source_id' => $otherClient->id, + ]); + + $response = $this->actingAs($this->owner) + ->get(route('document.view', $document->external_id)); + + $response->assertRedirect(); + $response->assertSessionHas('flash_message_warning'); + } + + #[Test] + public function user_can_download_document_attached_to_their_task() + { + $task = factory(Task::class)->create([ + 'user_created_id' => $this->owner->id, + 'user_assigned_id' => $this->owner->id, + 'client_id' => $this->client->id, + ]); + + $document = factory(Document::class)->create([ + 'source_type' => Task::class, + 'source_id' => $task->id, + ]); + + $response = $this->actingAs($this->owner) + ->get(route('document.download', $document->external_id)); + + $response->assertStatus(200); + } + + #[Test] + public function user_cannot_download_document_attached_to_another_users_task() + { + $otherClient = factory(Client::class)->create(['user_id' => $this->otherUser->id]); + + $task = factory(Task::class)->create([ + 'user_created_id' => $this->otherUser->id, + 'user_assigned_id' => $this->otherUser->id, + 'client_id' => $otherClient->id, + ]); + + $document = factory(Document::class)->create([ + 'source_type' => Task::class, + 'source_id' => $task->id, + ]); + + $response = $this->actingAs($this->owner) + ->get(route('document.download', $document->external_id)); + + $response->assertRedirect(); + $response->assertSessionHas('flash_message_warning', __('You do not have permission to download this document')); + } + + #[Test] + public function returns_404_when_document_not_found() + { + $fakeUuid = Str::uuid(); + + // Verify document doesn't exist in database + $this->assertDatabaseMissing('documents', [ + 'external_id' => $fakeUuid, + ]); + + $response = $this->actingAs($this->owner) + ->get(route('document.view', $fakeUuid)); + + $response->assertStatus(404); + } +}
tests/Unit/Controllers/Lead/LeadAssignmentAuthorizationTest.php+122 −0 added@@ -0,0 +1,122 @@ +<?php + +namespace Tests\Unit\Controllers\Lead; + +use App\Models\Client; +use App\Models\Lead; +use App\Models\Permission; +use App\Models\Role; +use App\Models\User; +use Illuminate\Foundation\Testing\DatabaseTransactions; +use PHPUnit\Framework\Attributes\Group; +use PHPUnit\Framework\Attributes\Test; +use Tests\TestCase; + +#[Group('security')] +#[Group('assignment_authorization')] +class LeadAssignmentAuthorizationTest extends TestCase +{ + use DatabaseTransactions; + + private User $authorizedUser; + + private User $unauthorizedUser; + + private User $newAssignee; + + private Lead $lead; + + protected function setUp(): void + { + parent::setUp(); + + // Create permission + $permission = Permission::firstOrCreate( + ['name' => 'can-assign-new-user-to-lead'], + [ + 'display_name' => 'Assign users to leads', + 'description' => 'Can assign users to leads', + 'external_id' => \Str::uuid()->toString(), + ] + ); + + // Create role with permission + $authorizedRole = Role::firstOrCreate( + ['name' => 'lead-assigner'], + [ + 'display_name' => 'Lead Assigner', + 'description' => 'Can assign leads', + 'external_id' => \Str::uuid()->toString(), + ] + ); + $authorizedRole->perms()->sync([$permission->id]); + + // Create authorized user + $this->authorizedUser = factory(User::class)->create(); + $this->authorizedUser->attachRole($authorizedRole); + + // Create unauthorized user + $this->unauthorizedUser = factory(User::class)->create(); + + // Create user to assign to + $this->newAssignee = factory(User::class)->create(); + + // Create lead + $client = factory(Client::class)->create(); + $this->lead = factory(Lead::class)->create([ + 'user_assigned_id' => $this->authorizedUser->id, + 'client_id' => $client->id, + ]); + } + + #[Test] + public function authorized_user_can_reassign_lead() + { + $originalAssignee = $this->lead->user_assigned_id; + + // Verify the authorized user has the permission + $this->assertTrue($this->authorizedUser->can('can-assign-new-user-to-lead')); + + // Verify initial state + $this->assertEquals($this->authorizedUser->id, $originalAssignee); + + $response = $this->actingAs($this->authorizedUser) + ->patch(route('lead.update.assignee', $this->lead->external_id), [ + 'user_assigned_id' => $this->newAssignee->id, + ]); + + $response->assertRedirect(); + $response->assertSessionHas('flash_message'); + + // Verify assignment was updated in database + $this->assertDatabaseHas('leads', [ + 'id' => $this->lead->id, + 'user_assigned_id' => $this->newAssignee->id, + ]); + $this->assertEquals($this->newAssignee->id, $this->lead->refresh()->user_assigned_id); + } + + #[Test] + public function unauthorized_user_cannot_reassign_lead() + { + $originalAssignee = $this->lead->user_assigned_id; + + // Verify the unauthorized user does NOT have the permission + $this->assertFalse($this->unauthorizedUser->can('can-assign-new-user-to-lead')); + + $response = $this->actingAs($this->unauthorizedUser) + ->patch(route('lead.update.assignee', $this->lead->external_id), [ + 'user_assigned_id' => $this->newAssignee->id, + ]); + + $response->assertRedirect(); + $response->assertSessionHas('flash_message_warning'); + + // Verify assignment was NOT changed in database + $this->assertDatabaseHas('leads', [ + 'id' => $this->lead->id, + 'user_assigned_id' => $originalAssignee, + ]); + $this->assertEquals($originalAssignee, $this->lead->refresh()->user_assigned_id); + } +}
tests/Unit/Controllers/Lead/LeadsControllerTest.php+66 −1 modified@@ -91,4 +91,69 @@ public function can_update_deadline_for_lead() $this->assertEquals(Carbon::parse('2020-08-06 15:00:00')->toDateString(), Carbon::parse($lead->refresh()->deadline)->toDateString()); } -} + + #[Test] + public function updateFollowup_stores_deadline_as_datetime_string() + { + // Regression for the deadline fix: Carbon::parse(...)->toDateTimeString() + // ensures the deadline is stored as a string, not a Carbon object. + $lead = factory(Lead::class)->create(); + + $response = $this->json('PATCH', route('lead.followup', $lead->external_id), [ + 'deadline' => '2025-06-15', + 'contact_time' => '10:30', + ]); + + $response->assertStatus(302); + + $storedDeadline = $lead->refresh()->deadline; + + // Should be parseable and match the expected date + $this->assertEquals( + '2025-06-15', + Carbon::parse($storedDeadline)->toDateString() + ); + + $this->assertEquals( + '10:30:00', + Carbon::parse($storedDeadline)->format('H:i:s') + ); + } + + #[Test] + public function updateFollowup_stores_deadline_with_correct_time_component() + { + // Boundary: verify the time part of the deadline is stored correctly + $lead = factory(Lead::class)->create(); + + $this->json('PATCH', route('lead.followup', $lead->external_id), [ + 'deadline' => '2025-12-31', + 'contact_time' => '23:59', + ]); + + $storedDeadline = $lead->refresh()->deadline; + $parsed = Carbon::parse($storedDeadline); + + $this->assertEquals('2025-12-31', $parsed->toDateString()); + $this->assertEquals('23:59', $parsed->format('H:i')); + } + + #[Test] + public function updateFollowup_deadline_is_stored_as_parseable_date_in_database() + { + // Ensures the fix (using ->toDateTimeString()) causes the deadline column + // to contain a plain string representation, not an object. + $lead = factory(Lead::class)->create(); + + $this->json('PATCH', route('lead.followup', $lead->external_id), [ + 'deadline' => '2025-03-20', + 'contact_time' => '09:00', + ]); + + $rawDeadline = \DB::table('leads')->where('id', $lead->id)->value('deadline'); + + // The stored value should be a parseable string, not null + $this->assertNotNull($rawDeadline); + $this->assertStringContainsString('2025-03-20', $rawDeadline); + } +} \ No newline at end of file
tests/Unit/Controllers/Project/ProjectAssignmentAuthorizationTest.php+122 −0 added@@ -0,0 +1,122 @@ +<?php + +namespace Tests\Unit\Controllers\Project; + +use App\Models\Client; +use App\Models\Permission; +use App\Models\Project; +use App\Models\Role; +use App\Models\User; +use Illuminate\Foundation\Testing\DatabaseTransactions; +use PHPUnit\Framework\Attributes\Group; +use PHPUnit\Framework\Attributes\Test; +use Tests\TestCase; + +#[Group('security')] +#[Group('assignment_authorization')] +class ProjectAssignmentAuthorizationTest extends TestCase +{ + use DatabaseTransactions; + + private User $authorizedUser; + + private User $unauthorizedUser; + + private User $newAssignee; + + private Project $project; + + protected function setUp(): void + { + parent::setUp(); + + // Create permission + $permission = Permission::firstOrCreate( + ['name' => 'can-assign-new-user-to-project'], + [ + 'display_name' => 'Assign users to projects', + 'description' => 'Can assign users to projects', + 'external_id' => \Str::uuid()->toString(), + ] + ); + + // Create role with permission + $authorizedRole = Role::firstOrCreate( + ['name' => 'project-assigner'], + [ + 'display_name' => 'Project Assigner', + 'description' => 'Can assign projects', + 'external_id' => \Str::uuid()->toString(), + ] + ); + $authorizedRole->perms()->sync([$permission->id]); + + // Create authorized user + $this->authorizedUser = factory(User::class)->create(); + $this->authorizedUser->attachRole($authorizedRole); + + // Create unauthorized user + $this->unauthorizedUser = factory(User::class)->create(); + + // Create user to assign to + $this->newAssignee = factory(User::class)->create(); + + // Create project + $client = factory(Client::class)->create(); + $this->project = factory(Project::class)->create([ + 'user_assigned_id' => $this->authorizedUser->id, + 'client_id' => $client->id, + ]); + } + + #[Test] + public function authorized_user_can_reassign_project() + { + $originalAssignee = $this->project->user_assigned_id; + + // Verify the authorized user has the permission + $this->assertTrue($this->authorizedUser->can('can-assign-new-user-to-project')); + + // Verify initial state + $this->assertEquals($this->authorizedUser->id, $originalAssignee); + + $response = $this->actingAs($this->authorizedUser) + ->patch(route('project.update.assignee', $this->project->external_id), [ + 'user_assigned_id' => $this->newAssignee->id, + ]); + + $response->assertRedirect(); + $response->assertSessionHas('flash_message'); + + // Verify assignment was updated in database + $this->assertDatabaseHas('projects', [ + 'id' => $this->project->id, + 'user_assigned_id' => $this->newAssignee->id, + ]); + $this->assertEquals($this->newAssignee->id, $this->project->refresh()->user_assigned_id); + } + + #[Test] + public function unauthorized_user_cannot_reassign_project() + { + $originalAssignee = $this->project->user_assigned_id; + + // Verify the unauthorized user does NOT have the permission + $this->assertFalse($this->unauthorizedUser->can('can-assign-new-user-to-project')); + + $response = $this->actingAs($this->unauthorizedUser) + ->patch(route('project.update.assignee', $this->project->external_id), [ + 'user_assigned_id' => $this->newAssignee->id, + ]); + + $response->assertRedirect(); + $response->assertSessionHas('flash_message_warning', __('You do not have permission to assign users to this project')); + + // Verify assignment was NOT changed in database + $this->assertDatabaseHas('projects', [ + 'id' => $this->project->id, + 'user_assigned_id' => $originalAssignee, + ]); + $this->assertEquals($originalAssignee, $this->project->refresh()->user_assigned_id); + } +}
tests/Unit/Controllers/Task/TaskAssignmentAuthorizationTest.php+127 −0 added@@ -0,0 +1,127 @@ +<?php + +namespace Tests\Unit\Controllers\Task; + +use App\Models\Client; +use App\Models\Permission; +use App\Models\Role; +use App\Models\Task; +use App\Models\User; +use Illuminate\Foundation\Testing\DatabaseTransactions; +use PHPUnit\Framework\Attributes\Group; +use PHPUnit\Framework\Attributes\Test; +use Tests\TestCase; + +#[Group('security')] +#[Group('assignment_authorization')] +class TaskAssignmentAuthorizationTest extends TestCase +{ + use DatabaseTransactions; + + private User $authorizedUser; + + private User $unauthorizedUser; + + private User $newAssignee; + + private Task $task; + + protected function setUp(): void + { + parent::setUp(); + + // Create permission + $permission = Permission::firstOrCreate( + ['name' => 'can-assign-new-user-to-task'], + [ + 'display_name' => 'Assign users to tasks', + 'description' => 'Can assign users to tasks', + 'external_id' => \Str::uuid()->toString(), + ] + ); + + // Create role with permission + $authorizedRole = Role::firstOrCreate( + ['name' => 'task-assigner'], + [ + 'display_name' => 'Task Assigner', + 'description' => 'Can assign tasks', + 'external_id' => \Str::uuid()->toString(), + ] + ); + $authorizedRole->perms()->sync([$permission->id]); + + // Create authorized user + $this->authorizedUser = factory(User::class)->create(); + $this->authorizedUser->attachRole($authorizedRole); + + // Create unauthorized user (no permissions) + $this->unauthorizedUser = factory(User::class)->create(); + + // Create user to assign to + $this->newAssignee = factory(User::class)->create(); + + // Create task + $client = factory(Client::class)->create(); + $this->task = factory(Task::class)->create([ + 'user_assigned_id' => $this->authorizedUser->id, + 'client_id' => $client->id, + ]); + } + + #[Test] + public function authorized_user_can_reassign_task() + { + $originalAssignee = $this->task->user_assigned_id; + + // Verify the authorized user has the permission + $this->assertTrue($this->authorizedUser->can('can-assign-new-user-to-task')); + + // Verify initial state and prevent false positives + // Ensure we're actually changing the assignment (not reassigning to same user) + $this->assertEquals($this->authorizedUser->id, $originalAssignee); + $this->assertNotEquals($this->newAssignee->id, $originalAssignee); + + $response = $this->actingAs($this->authorizedUser) + ->patch(route('task.update.assignee', $this->task->external_id), [ + 'user_assigned_id' => $this->newAssignee->id, + ]); + + $response->assertRedirect(); + $response->assertSessionHas('flash_message'); + + // Verify assignment was updated in database + $this->assertDatabaseHas('tasks', [ + 'id' => $this->task->id, + 'user_assigned_id' => $this->newAssignee->id, + ]); + $this->assertEquals($this->newAssignee->id, $this->task->refresh()->user_assigned_id); + } + + #[Test] + public function unauthorized_user_cannot_reassign_task() + { + $originalAssignee = $this->task->user_assigned_id; + + // Verify the unauthorized user does NOT have the permission + $this->assertFalse($this->unauthorizedUser->can('can-assign-new-user-to-task')); + + // Verify initial state + $this->assertEquals($this->authorizedUser->id, $originalAssignee); + + $response = $this->actingAs($this->unauthorizedUser) + ->patch(route('task.update.assignee', $this->task->external_id), [ + 'user_assigned_id' => $this->newAssignee->id, + ]); + + $response->assertRedirect(); + $response->assertSessionHas('flash_message_warning'); + + // Verify assignment was NOT changed in database + $this->assertDatabaseHas('tasks', [ + 'id' => $this->task->id, + 'user_assigned_id' => $originalAssignee, + ]); + $this->assertEquals($originalAssignee, $this->task->refresh()->user_assigned_id); + } +}
tests/Unit/Entrust/EntrustUserTraitTest.php+164 −0 added@@ -0,0 +1,164 @@ +<?php + +namespace Tests\Unit\Entrust; + +use App\Models\Role; +use App\Models\User; +use Illuminate\Foundation\Testing\DatabaseTransactions; +use PHPUnit\Framework\Attributes\Group; +use PHPUnit\Framework\Attributes\Test; +use Tests\TestCase; + +/** + * Tests for the EntrustUserTrait changes introduced in this PR: + * - attachRole() now checks for existing roles before attaching (prevents duplicates) + * - cachedRoles() now returns properly hydrated Eloquent models and filters non-objects + */ +#[Group('entrust')] +class EntrustUserTraitTest extends TestCase +{ + use DatabaseTransactions; + + private User $user; + + private Role $role; + + protected function setUp(): void + { + parent::setUp(); + + $this->user = factory(User::class)->create(); + $this->role = Role::where('name', 'owner')->first(); + } + + #[Test] + public function attachRole_does_not_create_duplicate_role_assignment() + { + // Attach the role once + $this->user->attachRole($this->role); + + // Count role_user entries before second attach + $countBefore = $this->user->roles()->where('roles.id', $this->role->id)->count(); + + // Attach the same role again — should be a no-op + $this->user->attachRole($this->role); + + $countAfter = $this->user->roles()->where('roles.id', $this->role->id)->count(); + + $this->assertEquals(1, $countBefore, 'User should have exactly 1 role assignment before second attach'); + $this->assertEquals(1, $countAfter, 'Duplicate attach should not create a second role_user entry'); + } + + #[Test] + public function attachRole_accepts_role_object() + { + $user = factory(User::class)->create(); + $adminRole = Role::where('name', 'administrator')->first(); + + $user->attachRole($adminRole); + + $this->assertTrue($user->hasRole('administrator')); + } + + #[Test] + public function attachRole_accepts_role_id() + { + $user = factory(User::class)->create(); + $adminRole = Role::where('name', 'administrator')->first(); + + $user->attachRole($adminRole->id); + + $this->assertTrue($user->hasRole('administrator')); + } + + #[Test] + public function attachRole_accepts_role_array() + { + $user = factory(User::class)->create(); + $adminRole = Role::where('name', 'administrator')->first(); + + $user->attachRole(['id' => $adminRole->id]); + + $this->assertTrue($user->hasRole('administrator')); + } + + #[Test] + public function attachRole_called_multiple_times_results_in_only_one_db_entry() + { + $user = factory(User::class)->create(); + $adminRole = Role::where('name', 'administrator')->first(); + + // Call attachRole 3 times for the same role + $user->attachRole($adminRole); + $user->attachRole($adminRole); + $user->attachRole($adminRole); + + $count = $user->roles()->where('roles.id', $adminRole->id)->count(); + $this->assertEquals(1, $count, 'Multiple attachRole calls should result in only one assignment'); + } + + #[Test] + public function cachedRoles_returns_eloquent_model_instances() + { + $cachedRoles = $this->user->cachedRoles(); + + foreach ($cachedRoles as $role) { + $this->assertIsObject($role, 'Each cached role should be an object'); + $this->assertInstanceOf(Role::class, $role, 'Each cached role should be a Role model instance'); + } + } + + #[Test] + public function cachedRoles_returns_collection_with_correct_roles() + { + $user = factory(User::class)->create(); + $adminRole = Role::where('name', 'administrator')->first(); + $user->attachRole($adminRole); + + $cachedRoles = $user->cachedRoles(); + $roleNames = $cachedRoles->pluck('name')->toArray(); + + $this->assertContains('administrator', $roleNames); + } + + #[Test] + public function cachedRoles_returns_empty_when_no_roles_attached() + { + $user = factory(User::class)->create(); + // Ensure the user has no roles + $user->roles()->sync([]); + + $cachedRoles = $user->cachedRoles(); + + $this->assertCount(0, $cachedRoles); + } + + #[Test] + public function hasRole_works_correctly_after_attachRole_fix() + { + $user = factory(User::class)->create(); + $adminRole = Role::where('name', 'administrator')->first(); + + $this->assertFalse($user->hasRole('administrator'), 'User should not have role before attaching'); + + $user->attachRole($adminRole); + + $this->assertTrue($user->hasRole('administrator'), 'User should have role after attaching'); + } + + #[Test] + public function attaching_same_role_twice_does_not_throw_unique_constraint_exception() + { + $user = factory(User::class)->create(); + $adminRole = Role::where('name', 'administrator')->first(); + + // This should not throw SQLSTATE[23000] Duplicate entry exception + try { + $user->attachRole($adminRole); + $user->attachRole($adminRole); + $this->assertTrue(true, 'No exception was thrown for duplicate attach'); + } catch (\Exception $e) { + $this->fail('attachRole threw an exception on duplicate: '.$e->getMessage()); + } + } +} \ No newline at end of file
tests/Unit/Models/ActivityModelBootTest.php+97 −0 added@@ -0,0 +1,97 @@ +<?php + +namespace Tests\Unit\Models; + +use App\Models\Activity; +use App\Models\Task; +use App\Models\User; +use Illuminate\Database\QueryException; +use Illuminate\Foundation\Testing\DatabaseTransactions; +use PHPUnit\Framework\Attributes\Test; +use Ramsey\Uuid\Uuid; +use Tests\TestCase; + +class ActivityModelBootTest extends TestCase +{ + use DatabaseTransactions; + + private User $user; + + private Task $task; + + protected function setUp(): void + { + parent::setUp(); + + $this->user = factory(User::class)->create(); + $this->task = factory(Task::class)->create(); + } + + #[Test] + public function activity_requires_external_id_and_ip_address_when_created_directly() + { + $this->expectException(QueryException::class); + + Activity::create([ + 'causer_type' => User::class, + 'causer_id' => $this->user->id, + 'source_type' => Task::class, + 'source_id' => $this->task->id, + 'text' => 'Test activity', + ]); + } + + #[Test] + public function activity_preserves_explicitly_provided_external_id_when_saved() + { + $customExternalId = 'custom-external-id-12345'; + $customIpAddress = '127.0.0.1'; + + $activity = new Activity; + $activity->forceFill([ + 'external_id' => $customExternalId, + 'ip_address' => $customIpAddress, + 'causer_type' => User::class, + 'causer_id' => $this->user->id, + 'source_type' => Task::class, + 'source_id' => $this->task->id, + 'text' => 'Test activity', + ]); + $activity->save(); + + $activity = $activity->fresh(); + + $this->assertEquals($customExternalId, $activity->external_id); + $this->assertEquals($customIpAddress, $activity->ip_address); + } + + #[Test] + public function activity_generates_unique_external_ids_for_each_record() + { + $activity1 = new Activity; + $activity1->forceFill([ + 'external_id' => Uuid::uuid4()->toString(), + 'ip_address' => '127.0.0.1', + 'causer_type' => User::class, + 'causer_id' => $this->user->id, + 'source_type' => Task::class, + 'source_id' => $this->task->id, + 'text' => 'First activity', + ]); + $activity1->save(); + + $activity2 = new Activity; + $activity2->forceFill([ + 'external_id' => Uuid::uuid4()->toString(), + 'ip_address' => '127.0.0.1', + 'causer_type' => User::class, + 'causer_id' => $this->user->id, + 'source_type' => Task::class, + 'source_id' => $this->task->id, + 'text' => 'Second activity', + ]); + $activity2->save(); + + $this->assertNotEquals($activity1->external_id, $activity2->external_id); + } +}
tests/Unit/Models/AppointmentModelBootTest.php+112 −0 added@@ -0,0 +1,112 @@ +<?php + +namespace Tests\Unit\Models; + +use App\Models\Appointment; +use App\Models\User; +use Illuminate\Foundation\Testing\DatabaseTransactions; +use PHPUnit\Framework\Attributes\Test; +use Ramsey\Uuid\Uuid; +use Tests\TestCase; + +class AppointmentModelBootTest extends TestCase +{ + use DatabaseTransactions; + + private User $user; + + protected function setUp(): void + { + parent::setUp(); + $this->user = factory(User::class)->create(); + } + + #[Test] + public function appointment_stores_explicit_external_id_when_provided() + { + $externalId = Uuid::uuid4()->toString(); + + $appointment = Appointment::create([ + 'external_id' => $externalId, + 'title' => 'Test Appointment', + 'start_at' => now(), + 'end_at' => now()->addHour(), + 'user_id' => $this->user->id, + 'color' => '#FF0000', + 'source_type' => User::class, + 'source_id' => $this->user->id, + ]); + + $this->assertNotNull($appointment->external_id); + $this->assertNotEmpty($appointment->external_id); + $this->assertEquals($externalId, $appointment->external_id); + $this->assertMatchesRegularExpression( + '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/', + $appointment->external_id + ); + } + + #[Test] + public function appointment_preserves_provided_external_id() + { + $customExternalId = 'custom-appointment-uuid-6789'; + + $appointment = Appointment::create([ + 'external_id' => $customExternalId, + 'title' => 'Test Appointment', + 'start_at' => now(), + 'end_at' => now()->addHour(), + 'user_id' => $this->user->id, + 'color' => '#FF0000', + 'source_type' => User::class, + 'source_id' => $this->user->id, + ]); + + $this->assertEquals($customExternalId, $appointment->external_id); + } + + #[Test] + public function appointment_generates_unique_external_ids_for_each_record() + { + $appointment1 = Appointment::create([ + 'external_id' => Uuid::uuid4()->toString(), + 'title' => 'Appointment One', + 'start_at' => now(), + 'end_at' => now()->addHour(), + 'user_id' => $this->user->id, + 'color' => '#FF0000', + 'source_type' => User::class, + 'source_id' => $this->user->id, + ]); + + $appointment2 = Appointment::create([ + 'external_id' => Uuid::uuid4()->toString(), + 'title' => 'Appointment Two', + 'start_at' => now()->addDay(), + 'end_at' => now()->addDay()->addHour(), + 'user_id' => $this->user->id, + 'color' => '#00FF00', + 'source_type' => User::class, + 'source_id' => $this->user->id, + ]); + + $this->assertNotEquals($appointment1->external_id, $appointment2->external_id); + } + + #[Test] + public function appointment_factory_creates_record_with_external_id() + { + $appointment = factory(Appointment::class)->create([ + 'user_id' => $this->user->id, + 'source_type' => User::class, + 'source_id' => $this->user->id, + 'color' => '#FFFFFF', + ]); + + $this->assertNotNull($appointment->external_id); + $this->assertDatabaseHas('appointments', [ + 'id' => $appointment->id, + 'external_id' => $appointment->external_id, + ]); + } +}
tests/Unit/Models/ClientModelTest.php+113 −0 added@@ -0,0 +1,113 @@ +<?php + +namespace Tests\Unit\Models; + +use App\Models\Client; +use App\Models\Contact; +use Illuminate\Foundation\Testing\DatabaseTransactions; +use PHPUnit\Framework\Attributes\Test; +use Tests\TestCase; + +class ClientModelTest extends TestCase +{ + use DatabaseTransactions; + + #[Test] + public function getPrimaryContactAttribute_returns_null_when_no_contacts_exist() + { + $client = factory(Client::class)->create(); + // Remove any contacts created by the factory afterCreating hook + $client->contacts()->forceDelete(); + + $this->assertNull($client->primaryContact); + } + + #[Test] + public function getPrimaryContactAttribute_returns_null_when_no_primary_contact() + { + $client = factory(Client::class)->create(); + // Remove contacts created by factory, then add one that is NOT primary + $client->contacts()->forceDelete(); + + factory(Contact::class)->create([ + 'client_id' => $client->id, + 'is_primary' => false, + ]); + + $this->assertNull($client->primaryContact); + } + + #[Test] + public function getPrimaryContactAttribute_returns_primary_contact_when_one_exists() + { + $client = factory(Client::class)->create(); + $client->contacts()->forceDelete(); + + $primaryContact = factory(Contact::class)->create([ + 'client_id' => $client->id, + 'is_primary' => true, + ]); + + $result = $client->primaryContact; + + $this->assertNotNull($result); + $this->assertInstanceOf(Contact::class, $result); + $this->assertEquals($primaryContact->id, $result->id); + } + + #[Test] + public function getPrimaryContactAttribute_returns_only_the_primary_contact_when_multiple_contacts_exist() + { + $client = factory(Client::class)->create(); + $client->contacts()->forceDelete(); + + $primaryContact = factory(Contact::class)->create([ + 'client_id' => $client->id, + 'is_primary' => true, + ]); + + factory(Contact::class)->create([ + 'client_id' => $client->id, + 'is_primary' => false, + ]); + + $result = $client->primaryContact; + + $this->assertNotNull($result); + $this->assertEquals($primaryContact->id, $result->id); + $this->assertTrue((bool) $result->is_primary); + } + + #[Test] + public function primaryContact_magic_attribute_is_accessible_via_correct_camelCase_method_name() + { + $client = factory(Client::class)->create(); + $client->contacts()->forceDelete(); + + $primaryContact = factory(Contact::class)->create([ + 'client_id' => $client->id, + 'is_primary' => true, + ]); + + // Verify the attribute is accessible via `$client->primaryContact` + // (tests the getPrimaryContactAttribute method name capitalization fix) + $this->assertEquals($primaryContact->id, $client->primaryContact->id); + + // Also verify via fresh load from DB to ensure it works consistently + $freshClient = Client::find($client->id); + $this->assertEquals($primaryContact->id, $freshClient->primaryContact->id); + } + + #[Test] + public function getPrimaryContactAttribute_returns_null_on_fresh_client_without_contacts() + { + // Regression: before the fix, calling ->primaryContact on a client without + // contacts would throw "Attempt to read property on null" + $client = factory(Client::class)->create(); + $client->contacts()->forceDelete(); + + // Should return null, not throw an exception + $result = $client->fresh()->primaryContact; + $this->assertNull($result); + } +} \ No newline at end of file
tests/Unit/Models/DocumentModelBootTest.php+131 −0 added@@ -0,0 +1,131 @@ +<?php + +namespace Tests\Unit\Models; + +use App\Models\Client; +use App\Models\Document; +use App\Models\Task; +use App\Models\User; +use Illuminate\Database\Eloquent\Relations\MorphTo; +use Illuminate\Foundation\Testing\DatabaseTransactions; +use PHPUnit\Framework\Attributes\Test; +use Ramsey\Uuid\Uuid; +use Tests\TestCase; + +class DocumentModelBootTest extends TestCase +{ + use DatabaseTransactions; + + private User $user; + + private Client $client; + + protected function setUp(): void + { + parent::setUp(); + $this->user = factory(User::class)->create(); + $this->client = factory(Client::class)->create(['user_id' => $this->user->id]); + } + + #[Test] + public function document_stores_explicit_external_id_when_provided() + { + $externalId = Uuid::uuid4()->toString(); + + $document = Document::create([ + 'external_id' => $externalId, + 'size' => 1.5, + 'path' => '/path/to/file.pdf', + 'original_filename' => 'file.pdf', + 'mime' => 'application/pdf', + 'integration_type' => 'local', + 'source_type' => Client::class, + 'source_id' => $this->client->id, + ]); + + $this->assertNotNull($document->external_id); + $this->assertNotEmpty($document->external_id); + $this->assertEquals($externalId, $document->external_id); + $this->assertMatchesRegularExpression( + '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/', + $document->external_id + ); + } + + #[Test] + public function document_preserves_provided_external_id() + { + $customExternalId = 'custom-document-uuid-abcd'; + + $document = Document::create([ + 'external_id' => $customExternalId, + 'size' => 1.5, + 'path' => '/path/to/file.pdf', + 'original_filename' => 'file.pdf', + 'mime' => 'application/pdf', + 'integration_type' => 'local', + 'source_type' => Client::class, + 'source_id' => $this->client->id, + ]); + + $this->assertEquals($customExternalId, $document->external_id); + } + + #[Test] + public function document_generates_unique_external_ids_for_each_record() + { + $document1 = Document::create([ + 'external_id' => Uuid::uuid4()->toString(), + 'size' => 1.0, + 'path' => '/path/to/file1.pdf', + 'original_filename' => 'file1.pdf', + 'mime' => 'application/pdf', + 'integration_type' => 'local', + 'source_type' => Client::class, + 'source_id' => $this->client->id, + ]); + + $document2 = Document::create([ + 'external_id' => Uuid::uuid4()->toString(), + 'size' => 2.0, + 'path' => '/path/to/file2.pdf', + 'original_filename' => 'file2.pdf', + 'mime' => 'application/pdf', + 'integration_type' => 'local', + 'source_type' => Client::class, + 'source_id' => $this->client->id, + ]); + + $this->assertNotEquals($document1->external_id, $document2->external_id); + } + + #[Test] + public function document_has_sourceable_morph_to_relationship() + { + $document = factory(Document::class)->create([ + 'source_type' => Client::class, + 'source_id' => $this->client->id, + ]); + + $relationship = $document->sourceable(); + + $this->assertInstanceOf(MorphTo::class, $relationship); + $this->assertTrue(method_exists($document, 'sourceable')); + } + + #[Test] + public function document_factory_creates_record_with_external_id() + { + $task = factory(Task::class)->create(); + $document = factory(Document::class)->create([ + 'source_type' => Task::class, + 'source_id' => $task->id, + ]); + + $this->assertNotNull($document->external_id); + $this->assertDatabaseHas('documents', [ + 'id' => $document->id, + 'external_id' => $document->external_id, + ]); + } +}
tests/Unit/Models/InvoiceLineModelBootTest.php+99 −0 added@@ -0,0 +1,99 @@ +<?php + +namespace Tests\Unit\Models; + +use App\Models\Invoice; +use App\Models\InvoiceLine; +use Illuminate\Foundation\Testing\DatabaseTransactions; +use PHPUnit\Framework\Attributes\Test; +use Ramsey\Uuid\Uuid; +use Tests\TestCase; + +class InvoiceLineModelBootTest extends TestCase +{ + use DatabaseTransactions; + + #[Test] + public function invoice_line_stores_explicit_external_id_when_provided() + { + $invoice = factory(Invoice::class)->create(); + $externalId = Uuid::uuid4()->toString(); + + $invoiceLine = InvoiceLine::create([ + 'external_id' => $externalId, + 'title' => 'Test Line Item', + 'comment' => 'Test comment', + 'type' => 'hours', + 'quantity' => 2, + 'price' => 1000, + 'invoice_id' => $invoice->id, + ]); + + $this->assertNotNull($invoiceLine->external_id); + $this->assertNotEmpty($invoiceLine->external_id); + $this->assertEquals($externalId, $invoiceLine->external_id); + $this->assertMatchesRegularExpression( + '/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/', + $invoiceLine->external_id + ); + } + + #[Test] + public function invoice_line_preserves_provided_external_id() + { + $invoice = factory(Invoice::class)->create(); + $customExternalId = 'custom-invoice-line-uuid-xyz'; + + $invoiceLine = InvoiceLine::create([ + 'external_id' => $customExternalId, + 'title' => 'Test Line Item', + 'comment' => 'Test comment', + 'type' => 'pieces', + 'quantity' => 5, + 'price' => 500, + 'invoice_id' => $invoice->id, + ]); + + $this->assertEquals($customExternalId, $invoiceLine->external_id); + } + + #[Test] + public function invoice_line_generates_unique_external_ids_for_each_record() + { + $invoice = factory(Invoice::class)->create(); + + $line1 = InvoiceLine::create([ + 'external_id' => Uuid::uuid4()->toString(), + 'title' => 'Line Item One', + 'comment' => 'First comment', + 'type' => 'hours', + 'quantity' => 1, + 'price' => 100, + 'invoice_id' => $invoice->id, + ]); + + $line2 = InvoiceLine::create([ + 'external_id' => Uuid::uuid4()->toString(), + 'title' => 'Line Item Two', + 'comment' => 'Second comment', + 'type' => 'days', + 'quantity' => 2, + 'price' => 200, + 'invoice_id' => $invoice->id, + ]); + + $this->assertNotEquals($line1->external_id, $line2->external_id); + } + + #[Test] + public function invoice_line_factory_creates_record_with_external_id() + { + $invoiceLine = factory(InvoiceLine::class)->create(); + + $this->assertNotNull($invoiceLine->external_id); + $this->assertDatabaseHas('invoice_lines', [ + 'id' => $invoiceLine->id, + 'external_id' => $invoiceLine->external_id, + ]); + } +}
tests/Unit/Repositories/RoleRepositoryTest.php+119 −0 added@@ -0,0 +1,119 @@ +<?php + +namespace Tests\Unit\Repositories; + +use App\Models\Role; +use App\Repositories\Role\RoleRepository; +use Illuminate\Foundation\Testing\DatabaseTransactions; +use PHPUnit\Framework\Attributes\Group; +use PHPUnit\Framework\Attributes\Test; +use Tests\TestCase; + +/** + * Tests for RoleRepository::allRoles() after the syntax fix. + * The fix changed Role::all('display_name', 'id', 'name', 'external_id') + * to Role::all(['display_name', 'id', 'name', 'external_id']), + * which is the correct Eloquent syntax for selecting specific columns. + */ +#[Group('repository')] +class RoleRepositoryTest extends TestCase +{ + use DatabaseTransactions; + + private RoleRepository $repository; + + protected function setUp(): void + { + parent::setUp(); + $this->repository = new RoleRepository; + } + + #[Test] + public function allRoles_excludes_owner_role() + { + $roles = $this->repository->allRoles(); + + $roleNames = $roles->pluck('name')->toArray(); + $this->assertNotContains('owner', $roleNames, 'allRoles() should not include the owner role'); + } + + #[Test] + public function allRoles_returns_roles_with_required_columns() + { + $roles = $this->repository->allRoles(); + + $this->assertNotEmpty($roles, 'allRoles() should return at least one role'); + + foreach ($roles as $role) { + // Verify the fix: Role::all(['column1', 'column2', ...]) correctly selects these columns + $this->assertNotNull($role->display_name, 'Role should have display_name'); + $this->assertNotNull($role->id, 'Role should have id'); + $this->assertNotNull($role->name, 'Role should have name'); + } + } + + #[Test] + public function allRoles_returns_collection_of_role_models() + { + $roles = $this->repository->allRoles(); + + foreach ($roles as $role) { + $this->assertInstanceOf(Role::class, $role, 'Each item should be a Role model'); + } + } + + #[Test] + public function allRoles_includes_administrator_role() + { + $roles = $this->repository->allRoles(); + $roleNames = $roles->pluck('name')->toArray(); + + $this->assertContains('administrator', $roleNames, 'allRoles() should include administrator role'); + } + + #[Test] + public function listAllRoles_returns_display_names_keyed_by_id() + { + $roles = $this->repository->listAllRoles(); + + $this->assertNotEmpty($roles); + + // Verify the result is a key-value map of id => display_name + foreach ($roles as $id => $displayName) { + $this->assertIsInt($id); + $this->assertIsString($displayName); + } + } + + #[Test] + public function listAllRoles_does_not_include_owner() + { + $roles = $this->repository->listAllRoles(); + $displayNames = $roles->toArray(); + + $ownerRole = Role::where('name', 'owner')->first(); + if ($ownerRole) { + $this->assertArrayNotHasKey($ownerRole->id, $displayNames, 'listAllRoles() should not include the owner role'); + } + + $this->assertNotContains('Owner', $displayNames); + } + + #[Test] + public function allRoles_is_not_broken_by_column_selection_fix() + { + // Regression: before the fix, passing columns as individual arguments + // (Role::all('display_name', 'id', ...)) would not work as expected in + // Eloquent — it would ignore columns and return all. The fix uses array + // syntax (Role::all(['display_name', 'id', ...])) which is correct. + // This test verifies the fix doesn't break the method. + $roles = $this->repository->allRoles(); + + // Method should return a valid non-empty filterable collection + $this->assertGreaterThanOrEqual(1, $roles->count(), 'Should return at least 1 non-owner role'); + + // The returned roles should be filterable (i.e., they're Eloquent models, not raw data) + $filtered = $roles->filter(fn ($r) => $r->name !== 'owner'); + $this->assertEquals($roles->count(), $filtered->count(), 'allRoles() already filters owner so re-filtering changes nothing'); + } +} \ No newline at end of file
Vulnerability mechanics
Root cause
"The `view` function in `DocumentsController.php` lacks ownership checks, allowing any authenticated user to access any document."
Attack vector
An attacker with authenticated access to the system can craft a request to the `view` function, providing the `external_id` of a document they are not authorized to access. This bypasses authorization checks, allowing the attacker to view or download sensitive documents belonging to other users. The attack can be launched remotely over the network.
Affected code
The vulnerability resides in the `view` function within the file `app/Http/Controllers/DocumentsController.php`, specifically on lines 29-60. The `download` method in the same file is also affected by this issue.
What the fix does
The advisory recommends adding ownership and permission checks to the `view()` and `download()` methods within `DocumentsController.php`. This involves implementing a secure comparison pattern similar to the `upload()` and `destroy()` methods in the same controller, which correctly verify user permissions before granting access to documents. This ensures that only authorized users can view or download specific documents.
Preconditions
- authThe attacker must have authenticated access to the system.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7News mentions
0No linked articles in our index yet.