fix: allow super admins to access all fulfillment work orders

Updated authorization checks in FulfillmentWorkOrderController to bypass
business ownership verification for users with super-admin role.

This allows platform admins to view and manage work orders across all
businesses. Future RBAC enhancements will provide more granular control.

Also backfilled seller_business_id for 6 existing orders that were
missing this field (created before multi-business checkout was added).
Jon Leopard
2025-11-20 15:22:24 -07:00
parent f2b1ceebe9
commit f899e5f8cb


@@ -59,8 +59,8 @@ class FulfillmentWorkOrderController extends Controller
{
$business = $request->user()->businesses()->first();
// Ensure work order belongs to seller's business
if ($workOrder->order->seller_business_id !== $business->id) {
// Ensure work order belongs to seller's business (super admins can access everything)
if (! $request->user()->hasRole('super-admin') && $workOrder->order->seller_business_id !== $business->id) {
abort(403, 'Unauthorized access to work order');
}
@@ -81,7 +81,8 @@ class FulfillmentWorkOrderController extends Controller
$business = $request->user()->businesses()->first();
if ($workOrder->order->seller_business_id !== $business->id) {
// Verify authorization (super admins can access everything)
if (! $request->user()->hasRole('super-admin') && $workOrder->order->seller_business_id !== $business->id) {
abort(403);
}
@@ -102,8 +103,8 @@ class FulfillmentWorkOrderController extends Controller
{
$business = $request->user()->businesses()->first();
// Verify authorization
if ($workOrder->order->seller_business_id !== $business->id) {
// Verify authorization (super admins can access everything)
if (! $request->user()->hasRole('super-admin') && $workOrder->order->seller_business_id !== $business->id) {
abort(403, 'Unauthorized access to work order');
}
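Review bot: The super-admin bypass is copied inline into three actions (the hunks at new lines 59, 81 and 103), and in each of them a non-admin user for whom `businesses()->first()` returns null still reaches `$business->id`. Make that case fail closed explicitly, e.g. `if (! $request->user()->hasRole('super-admin') && ($business === null || $workOrder->order->seller_business_id !== $business->id)) {`; this matters because the commit message says some orders had no seller_business_id, so a null-to-null comparison should never be able to pass. For a super admin `$business` is their own first business or null, so any later use of it in these methods (their bodies continue outside the hunks) should be checked. Moving the rule into a single policy or private helper would keep the three actions from drifting apart, and because this is a cross-tenant privilege, logging each time the super-admin path is taken would give an audit trail.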