
Commit aa5b679

committed
fix: add authorization and validation to payment gateway return/cancel routes
Prevent payment bypass via None gateway by enforcing invoice ownership, pending status check, gateway status/paymethod validation, and minimum amount verification on the return route. Add ownership check to cancel.
1 parent 1aa77e3 commit aa5b679

1 file changed

Lines changed: 8 additions & 0 deletions


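--- a/app/Http/Controllers/Front/Billing/PaymentGatewayController.php
+++ b/app/Http/Controllers/Front/Billing/PaymentGatewayController.php
@@ -43,6 +43,8 @@ public function notification(Request $request, string $gateway)
 
 public function cancel(Invoice $invoice)
 {
+abort_unless($invoice->customer_id === auth('web')->id(), 403);
+
 $invoice->cancel();
 
 return redirect()->route('front.invoices.show', $invoice)->with('warning', __('global.invoice_was_cancelled'));
@@ -51,8 +53,14 @@ public function cancel(Invoice $invoice)
 public function return(Request $request, Invoice $invoice, string $gateway)
 {
 try {
+abort_unless($invoice->customer_id === auth('web')->id(), 403);
+abort_unless($invoice->status === Invoice::STATUS_PENDING, 403);
+
 $gateway = Gateway::where('uuid', $gateway)->first();
 abort_if(! $gateway, 404);
+abort_if($gateway->status === 'hidden', 403);
+abort_if($invoice->paymethod !== $gateway->uuid, 403);
+abort_if($invoice->total < $gateway->minimal_amount, 403);
 
 return $gateway->processPayment($invoice, $request);
 } catch (WrongPaymentException $e) {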
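Review bot: The new ownership, pending-status, gateway-status, paymethod and minimum-amount guards in `return` are placed inside the `try` block, so whether their `HttpException`s reach the client depends on the catch clauses that follow, and only `WrongPaymentException` is visible here; the method's body continues outside the hunk. If a broader `catch (\Exception $e)` or `catch (\Throwable $e)` exists further down, a 403 would be swallowed and turned into whatever that handler does, so I would hoist the two `abort_unless(...)` lines (and the `Gateway` lookup plus its three `abort_if(...)` checks) above `try {` so authorization is decided before any payment handling begins. `cancel` received the ownership check but not the `abort_unless($invoice->status === Invoice::STATUS_PENDING, 403);` guard that `return` got; unless `Invoice::cancel()` refuses non-pending invoices itself, a customer can cancel an invoice in any state. The strict `===` between `$invoice->customer_id` and `auth('web')->id()` fails closed if the two are ever typed differently (string column vs. int key), which is safe but worth a comment such as `// both sides must be int; customer_id is cast in the model` once confirmed against the model's casts.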
