fix: prevent IDOR in transfer store — verify pengurus owns dari_ibadah
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -48,6 +48,15 @@ class TransferController extends Controller
|
||||
'id_rumah' => 'required|string|exists:rumah_miskin,id_rumah',
|
||||
'alasan' => 'required|string|max:1000',
|
||||
]);
|
||||
// Pengurus hanya boleh mengajukan dari ibadah yang mereka kelola
|
||||
$user = auth()->user();
|
||||
if (!$user->hasRole('administrator')) {
|
||||
$ownedIds = RumahIbadah::where('user_id', $user->id)->pluck('id');
|
||||
if (!$ownedIds->contains((int) $validated['dari_ibadah_id'])) {
|
||||
return response()->json(['message' => 'Tidak berhak mengajukan transfer dari ibadah ini'], 403);
|
||||
}
|
||||
}
|
||||
|
||||
$permohonan = PermohonanTransfer::create([
|
||||
...$validated,
|
||||
'diajukan_oleh' => auth()->id(),
|
||||
|
||||
Reference in New Issue
Block a user