fix(security): prevent payment gateway credentials leakage via OrderResource
This commit is contained in:
xboard
@@ -25,7 +25,7 @@ class PaymentController extends Controller
|
||||
|
||||
public function fetch()
|
||||
{
|
||||
$payments = Payment::orderBy('sort', 'ASC')->get();
|
||||
$payments = Payment::orderBy('sort', 'ASC')->get()->makeVisible('config');
|
||||
foreach ($payments as $k => $v) {
|
||||
$notifyUrl = url("/api/v1/guest/payment/notify/{$v->payment}/{$v->uuid}");
|
||||
if ($v->notify_domain) {
|
||||
|
||||
@@ -23,6 +23,12 @@ class OrderResource extends JsonResource
|
||||
...parent::toArray($request),
|
||||
'period' => PlanService::getLegacyPeriod((string)$this->period),
|
||||
'plan' => $this->whenLoaded('plan', fn() => PlanResource::make($this->plan)),
|
||||
'payment' => $this->whenLoaded('payment', fn() => $this->payment ? [
|
||||
'id' => $this->payment->id,
|
||||
'name' => $this->payment->name,
|
||||
'payment' => $this->payment->payment,
|
||||
'icon' => $this->payment->icon,
|
||||
] : null),
|
||||
];
|
||||
}
|
||||
}
|
||||
|
||||
@@ -15,4 +15,8 @@ class Payment extends Model
|
||||
'config' => 'array',
|
||||
'enable' => 'boolean'
|
||||
];
|
||||
|
||||
protected $hidden = [
|
||||
'config',
|
||||
];
|
||||
}
|
||||
|
||||
@@ -29,14 +29,14 @@ class PaymentService
|
||||
if (!$paymentModel) {
|
||||
throw new ApiException('payment not found');
|
||||
}
|
||||
$payment = $paymentModel->toArray();
|
||||
$payment = $paymentModel->makeVisible('config')->toArray();
|
||||
}
|
||||
if ($uuid) {
|
||||
$paymentModel = Payment::where('uuid', $uuid)->first();
|
||||
if (!$paymentModel) {
|
||||
throw new ApiException('payment not found');
|
||||
}
|
||||
$payment = $paymentModel->toArray();
|
||||
$payment = $paymentModel->makeVisible('config')->toArray();
|
||||
}
|
||||
|
||||
$this->config = [];
|
||||
|
||||
Reference in New Issue
Block a user