fix: prevent IDOR in transfer store — verify pengurus owns dari_ibadah
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -48,6 +48,15 @@ class TransferController extends Controller
|
|||||||
'id_rumah' => 'required|string|exists:rumah_miskin,id_rumah',
|
'id_rumah' => 'required|string|exists:rumah_miskin,id_rumah',
|
||||||
'alasan' => 'required|string|max:1000',
|
'alasan' => 'required|string|max:1000',
|
||||||
]);
|
]);
|
||||||
|
// Pengurus hanya boleh mengajukan dari ibadah yang mereka kelola
|
||||||
|
$user = auth()->user();
|
||||||
|
if (!$user->hasRole('administrator')) {
|
||||||
|
$ownedIds = RumahIbadah::where('user_id', $user->id)->pluck('id');
|
||||||
|
if (!$ownedIds->contains((int) $validated['dari_ibadah_id'])) {
|
||||||
|
return response()->json(['message' => 'Tidak berhak mengajukan transfer dari ibadah ini'], 403);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$permohonan = PermohonanTransfer::create([
|
$permohonan = PermohonanTransfer::create([
|
||||||
...$validated,
|
...$validated,
|
||||||
'diajukan_oleh' => auth()->id(),
|
'diajukan_oleh' => auth()->id(),
|
||||||
|
|||||||
Reference in New Issue
Block a user