Skip to content

Add the option to download a invoice #1156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lodewiges wants to merge 4 commits into
base: staging
Choose a base branch
from
Open

Add the option to download a invoice #1156

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ea9ad68
add the option to download a invoice
lodewiges Dec 8, 2025
bd4e0c2
fix the button not working
lodewiges Dec 16, 2025
1bf837d
add better authorization
lodewiges Dec 16, 2025
1af980c
fix lint
lodewiges Dec 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 19 additions & 5 deletions app/controllers/invoices_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,14 +15,11 @@ def index

def show
@invoice = invoice
token_based_access = !integer_id?(params[:id])

respond_to do |format|
format.html
format.pdf do
render pdf: "Factuur #{@invoice.human_id}",
template: 'invoices/show.html.erb',
lowquality: true
end
format.pdf { render_invoice_pdf(token_based_access) }
end
end

Expand Down Expand Up @@ -73,6 +70,13 @@ def send_invoice

private

def integer_id?(id)
Integer(id)
true
rescue ArgumentError
false
end

def invoice
@invoice = Invoice.find(Integer(params[:id]))
authorize @invoice
Expand All @@ -83,4 +87,14 @@ def invoice
def permitted_attributes
params.require(:invoice).permit(%i[user_id activity_id name_override email_override rows], rows_attributes: %i[name amount price])
end

def render_invoice_pdf(token_based_access)
authorize @invoice, :download? unless token_based_access

render pdf: "Factuur #{@invoice.human_id}",
template: 'invoices/show',
formats: [:html],
layout: 'pdf',
lowquality: true
end
end
4 changes: 4 additions & 0 deletions app/policies/invoice_policy.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ def send_invoice?
user&.treasurer?
end

def download?
user&.treasurer?
end

def pay?
show?
end
Expand Down
8 changes: 8 additions & 0 deletions app/views/invoices/index.html.erb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,9 @@
<% if policy(Invoice).send_invoice? %>
<th scope="col">Verstuur</th>
<% end %>
<% if policy(Invoice).download? %>
<th scope="col">Download</th>
<% end %>
</tr>
</thead>
<tbody class="table-group-divider">
Expand Down Expand Up @@ -77,6 +80,11 @@
<% end %>
</td>
<% end %>
<% if policy(Invoice).download? %>
<td>
<%= link_to 'Downloaden', invoice_path(invoice, format: :pdf), class: 'btn btn-primary', download: "Factuur-#{invoice.human_id}.pdf" %>
</td>
Comment on lines +84 to +86
Copy link

Copilot AI Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The download link is placed inside the policy(Invoice).send_invoice? block, which restricts it to users with the treasurer role. However, the show action in the controller (which handles PDF downloads) doesn't require this same authorization level - it's accessible to anyone who can view an invoice (via ID with proper authorization or via token).

This creates an inconsistency where:

  • Treasurers can download invoices from the index page
  • Renting managers can view the index page but cannot download from it
  • Anyone with an invoice token can download the PDF directly via the show URL

Consider whether the download button should be available to all users who can access the index page (treasurers and renting managers), or if PDF downloads should be restricted to treasurers only. If the latter, authorization should be added to the show action for PDF format requests.

Copilot uses AI. Check for mistakes.
<% end %>
</tr>
<% end %>
</tbody>
Expand Down