RocketC31 / budget

Get a grip on your finances.
https://trackmybudget.org
MIT License

Can't purge/purge_all transactions #90

Closed sebastiaanspeck closed 1 year ago

sebastiaanspeck commented 1 year ago

When clicking on purge_all on the trash page for transactions, I get a 403 - Not Authorized.

When clicking on a single purge on the trash page for transactions, I get a 404 - Not Found.

When looking into the logic for purge/purge_all, it raised a question. Why do we check, when a single purge is done, if the record belongs to the user, but when we purge_all, we just delete all without checking if the record belongs to the user?

RocketC31 commented 1 year ago

On single, we check because we load by the id. So... if we do not check, we can load and remove the transaction of another one.

But in purge all, we make an Eloquent request that takes ONLY the transactions in trash for OUR space, so it is not possible to remove the transactions of others.

RocketC31 commented 1 year ago

Hi @sebastiaanspeck, I will make a release this evening for that with the fixes we will possibly make today, because it is not good if we can't remove or restore transactions.

sebastiaanspeck commented 1 year ago

> On single, we check because we load by the id. So... if we do not check, we can load and remove the transaction of another one.
>
> But in purge all, we make an Eloquent request that takes ONLY the transactions in trash for OUR space, so it is not possible to remove the transactions of others.

Thanks for the explanation. I couldn't debug that much right now. I was just looking at the code on my phone.
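The distinction discussed in this thread (a lookup by id needs an ownership check, while a query already scoped to the caller's space does not), shown as an added example that is not part of the thread or the project's code. It is a language-neutral sketch using Python and SQLite rather than Eloquent. The `transactions` table, its `space_id` and `deleted_at` columns, the function names and the returned status codes are all assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: two spaces (10 and 20), trashed and live rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE transactions "
               "(id INTEGER PRIMARY KEY, space_id INTEGER, deleted_at TEXT)")
    db.executemany(
        "INSERT INTO transactions VALUES (?, ?, ?)",
        [(1, 10, "2024-01-01"), (2, 10, None),
         (3, 20, "2024-01-02"), (4, 10, "2024-01-03")],
    )
    return db

def purge_unchecked(db, tx_id):
    """Flawed form: selects by id alone, so a caller can purge another space's row."""
    return db.execute(
        "DELETE FROM transactions WHERE id = ? AND deleted_at IS NOT NULL",
        (tx_id,),
    ).rowcount

def purge(db, space_id, tx_id):
    """Checked form: the caller's space is part of the lookup itself.
    A row owned by another space looks the same as a missing row (404)."""
    n = db.execute(
        "DELETE FROM transactions "
        "WHERE id = ? AND space_id = ? AND deleted_at IS NOT NULL",
        (tx_id, space_id),
    ).rowcount
    return 200 if n == 1 else 404

def purge_all(db, space_id):
    """Bulk form: the query is scoped to the caller's space,
    so no per-row ownership check is needed."""
    return db.execute(
        "DELETE FROM transactions WHERE space_id = ? AND deleted_at IS NOT NULL",
        (space_id,),
    ).rowcount

def remaining_ids(db):
    return [row[0] for row in db.execute("SELECT id FROM transactions ORDER BY id")]

if __name__ == "__main__":
    db = make_db()
    print(purge(db, 10, 3))    # row 3 belongs to space 20
    print(purge_all(db, 10))   # only space 10's trashed rows are removed
    print(remaining_ids(db))
```

The bulk path stays safe only as long as `space_id` comes from the authenticated session and never from request input.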