fix: ajouter vérification de propriété sur PaymentMethodController::pay

FR-MaximeDev · FR-MaximeDev · commit 56eccff1b5ac · 2026-04-15T20:31:18.000+02:00
Empêche un utilisateur de déclencher un paiement sur la facture
d'un autre client via POST /client/payment-methods/pay/{invoice}.
diff --git a/app/Http/Controllers/Front/Billing/PaymentMethodController.php b/app/Http/Controllers/Front/Billing/PaymentMethodController.php
@@ -131,6 +131,8 @@ public function delete(Request $request, string $source)
 
     public function pay(Request $request, Invoice $invoice)
     {
+        abort_if($invoice->customer_id != auth()->id(), 404);
+
         $source = $request->get('paymentmethod', '');
         try {
             $source = $invoice->customer->getSourceById($source);

Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,8 @@ public function delete(Request $request, string $source)`
`131`	`131`
`132`	`132`	`public function pay(Request $request, Invoice $invoice)`
`133`	`133`	`{`
	`134`	`+ abort_if($invoice->customer_id != auth()->id(), 404);`
	`135`	`+`
`134`	`136`	`$source = $request->get('paymentmethod', '');`
`135`	`137`	`try {`
`136`	`138`	`$source = $invoice->customer->getSourceById($source);`