From 11a4cd86132eb33df7b9d67c947821cdea9dd261 Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Thu, 29 Jun 2023 16:32:28 +1000
Subject: [PATCH] Protect invoicing against unauthorized use

This could be optimised for performance but this was the simplest way and we can work on it if performance becomes a problem.
---
 app/controllers/spree/admin/invoices_controller.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/app/controllers/spree/admin/invoices_controller.rb b/app/controllers/spree/admin/invoices_controller.rb
index b9dd01cdec..c304a63697 100644
--- a/app/controllers/spree/admin/invoices_controller.rb
+++ b/app/controllers/spree/admin/invoices_controller.rb
@@ -11,6 +11,9 @@ module Spree
 end

 def create
+ Spree::Order.where(id: params[:order_ids]).find_each do |order|
+ authorize! :invoice, order
+ end
 invoice_service = BulkInvoiceService.new
 invoice_service.start_pdf_job(params[:order_ids])

@@ -19,6 +22,8 @@ module Spree
 def generate
 @order = Order.find_by(number: params[:order_id])
+ authorize! :invoice, @order
+
 @comparator = OrderInvoiceComparator.new(@order)
 if @comparator.can_generate_new_invoice?
 @order.invoices.create!(
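Review bot: In `create`, the set of orders that is authorized and the ids handed to `start_pdf_job` are both derived from `params[:order_ids]` independently, so an id that matches no order is never checked yet is still passed to the job; that is fail-closed on the authorization side, but the two should be tied together so the job only ever receives what was authorized. Consider keeping one relation and forwarding its ids: `orders = Spree::Order.where(id: params[:order_ids])`, `orders.find_each { |order| authorize! :invoice, order }`, `invoice_service.start_pdf_job(orders.ids)` — note `ids` yields integers where the params are strings, so confirm `start_pdf_job` accepts that. The per-order `authorize!` loads and checks each order one by one, which the commit message acknowledges; if the `:invoice` ability is defined with hash conditions rather than blocks, `Spree::Order.accessible_by(current_ability, :invoice)` could do the filtering in a single query, but that needs checking against the ability definitions. The body of `create` continues past the end of the hunk.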