fix: prevent IDOR in transfer store — verify pengurus owns dari_ibadah

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
GuavaPopper
2026-06-05 04:59:01 +07:00
parent 652bcb102d
commit 64f3427d4e
@@ -48,6 +48,15 @@ class TransferController extends Controller
'id_rumah' => 'required|string|exists:rumah_miskin,id_rumah',
'alasan' => 'required|string|max:1000',
]);
// Pengurus hanya boleh mengajukan dari ibadah yang mereka kelola
$user = auth()->user();
if (!$user->hasRole('administrator')) {
$ownedIds = RumahIbadah::where('user_id', $user->id)->pluck('id');
if (!$ownedIds->contains((int) $validated['dari_ibadah_id'])) {
return response()->json(['message' => 'Tidak berhak mengajukan transfer dari ibadah ini'], 403);
}
}
$permohonan = PermohonanTransfer::create([
...$validated,
'diajukan_oleh' => auth()->id(),