Add the where company_id filter to accounts and payments queries
I actually did not forget them, and i did not add them on purpose, mistakenly believing that PostgreSQL’s row-level policies would project only rows from the current company. That is actually how Camper works, but that’s because we use the request’s domain name to select the company; here we use the path, and the row-level policy would return rows from all companies the user belongs to.
This commit is contained in:
parent
f95936c523
commit
7f21a2131e
|
|
@ -19,9 +19,10 @@ const (
|
|||
|
||||
func servePaymentAccountIndex(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
|
||||
conn := getConn(r)
|
||||
company := mustGetCompany(r)
|
||||
locale := getLocale(r)
|
||||
|
||||
page := NewPaymentAccountIndexPage(r.Context(), conn, locale)
|
||||
page := NewPaymentAccountIndexPage(r.Context(), conn, company, locale)
|
||||
page.MustRender(w, r)
|
||||
}
|
||||
|
||||
|
|
@ -29,9 +30,9 @@ type PaymentAccountIndexPage struct {
|
|||
Accounts []*PaymentAccountEntry
|
||||
}
|
||||
|
||||
func NewPaymentAccountIndexPage(ctx context.Context, conn *Conn, locale *Locale) *PaymentAccountIndexPage {
|
||||
func NewPaymentAccountIndexPage(ctx context.Context, conn *Conn, company *Company, locale *Locale) *PaymentAccountIndexPage {
|
||||
return &PaymentAccountIndexPage{
|
||||
Accounts: mustCollectPaymentAccountEntries(ctx, conn, locale),
|
||||
Accounts: mustCollectPaymentAccountEntries(ctx, conn, company, locale),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -50,7 +51,7 @@ type PaymentAccountEntry struct {
|
|||
ExpirationDate string
|
||||
}
|
||||
|
||||
func mustCollectPaymentAccountEntries(ctx context.Context, conn *Conn, locale *Locale) []*PaymentAccountEntry {
|
||||
func mustCollectPaymentAccountEntries(ctx context.Context, conn *Conn, company *Company, locale *Locale) []*PaymentAccountEntry {
|
||||
rows := conn.MustQuery(ctx, `
|
||||
select payment_account_id
|
||||
, slug
|
||||
|
|
@ -65,8 +66,9 @@ func mustCollectPaymentAccountEntries(ctx context.Context, conn *Conn, locale *L
|
|||
left join payment_account_card using (payment_account_id, payment_account_type)
|
||||
join payment_account_type using (payment_account_type)
|
||||
left join payment_account_type_i18n as i18n on payment_account_type.payment_account_type = i18n.payment_account_type and i18n.lang_tag = $1
|
||||
where company_id = $2
|
||||
order by payment_account_id
|
||||
`, locale.Language.String())
|
||||
`, locale.Language.String(), company.Id)
|
||||
defer rows.Close()
|
||||
|
||||
var entries []*PaymentAccountEntry
|
||||
|
|
|
|||
|
|
@ -12,9 +12,10 @@ import (
|
|||
|
||||
func servePaymentIndex(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
|
||||
conn := getConn(r)
|
||||
company := mustGetCompany(r)
|
||||
locale := getLocale(r)
|
||||
|
||||
page := NewPaymentIndexPage(r.Context(), conn, locale)
|
||||
page := NewPaymentIndexPage(r.Context(), conn, company, locale)
|
||||
page.MustRender(w, r)
|
||||
}
|
||||
|
||||
|
|
@ -22,9 +23,9 @@ type PaymentIndexPage struct {
|
|||
Payments []*PaymentEntry
|
||||
}
|
||||
|
||||
func NewPaymentIndexPage(ctx context.Context, conn *Conn, locale *Locale) *PaymentIndexPage {
|
||||
func NewPaymentIndexPage(ctx context.Context, conn *Conn, company *Company, locale *Locale) *PaymentIndexPage {
|
||||
return &PaymentIndexPage{
|
||||
Payments: mustCollectPaymentEntries(ctx, conn, locale),
|
||||
Payments: mustCollectPaymentEntries(ctx, conn, company, locale),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -44,7 +45,7 @@ type PaymentEntry struct {
|
|||
StatusLabel string
|
||||
}
|
||||
|
||||
func mustCollectPaymentEntries(ctx context.Context, conn *Conn, locale *Locale) []*PaymentEntry {
|
||||
func mustCollectPaymentEntries(ctx context.Context, conn *Conn, company *Company, locale *Locale) []*PaymentEntry {
|
||||
rows := conn.MustQuery(ctx, `
|
||||
select payment_id
|
||||
, payment.slug
|
||||
|
|
@ -59,8 +60,9 @@ func mustCollectPaymentEntries(ctx context.Context, conn *Conn, locale *Locale)
|
|||
join payment_status_i18n psi18n on payment.payment_status = psi18n.payment_status and psi18n.lang_tag = $1
|
||||
join currency using (currency_code)
|
||||
left join payment_attachment as attachment using (payment_id)
|
||||
where company_id = $2
|
||||
order by payment_date desc, total desc
|
||||
`, locale.Language)
|
||||
`, locale.Language, company.Id)
|
||||
defer rows.Close()
|
||||
|
||||
var entries []*PaymentEntry
|
||||
|
|
@ -132,7 +134,7 @@ func newPaymentForm(ctx context.Context, conn *Conn, locale *Locale, company *Co
|
|||
Name: "payment_account",
|
||||
Label: pgettext("input", "Account", locale),
|
||||
Required: true,
|
||||
Options: MustGetOptions(ctx, conn, "select payment_account_id::text, name from payment_account order by name"),
|
||||
Options: MustGetOptions(ctx, conn, "select payment_account_id::text, name from payment_account where company_id = $1 order by name", company.Id),
|
||||
},
|
||||
Amount: &InputField{
|
||||
Name: "amount",
|
||||
|
|
|
|||
Loading…
Reference in New Issue