From 88d28b5404ec572ffc86a0dd75ec5a3032e8e2c5 Mon Sep 17 00:00:00 2001
From: Vincent Vanwaelscappel <vincent@cubedesigners.com>
Date: Fri, 21 Apr 2023 19:20:51 +0200
Subject: [PATCH] wip #5873

---
 src/app/Operations/LoginasOperation.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/app/Operations/LoginasOperation.php b/src/app/Operations/LoginasOperation.php
index 55df875..baaa820 100644
--- a/src/app/Operations/LoginasOperation.php
+++ b/src/app/Operations/LoginasOperation.php
@@ -2,6 +2,7 @@
 
 namespace Cubedesigners\UserDatabase\Operations;
 
+use Cubedesigners\UserDatabase\Models\Company;
 use Cubedesigners\UserDatabase\Models\User;
 use Illuminate\Support\Facades\Route;
 
@@ -20,7 +21,15 @@ trait LoginasOperation
     protected function loginas($id)
     {
         set_time_limit(0);
-        $user = User::find($id);
+        /** @var User $user */
+        $user = User::where('id', $id)->where('enabled', '1')->first();
+        if (null === $user) {
+            abort(404);
+        }
+        $company = Company::find($user->company);
+        if (null === $company || !$company->toolbox_access) {
+            abort(404);
+        }
         if (!$this->canLoginas($user)) {
             abort(403);
         }
-- 
2.39.5