From ccd00caa70b0451e523e1239acbfee69cb637c81 Mon Sep 17 00:00:00 2001
From: Robert Spadaro
Date: Wed, 27 Mar 2024 15:36:00 -0400
Subject: [PATCH] Wrap where logic in additional where statement to protect appended params

---
 app/Http/Controllers/Api/ReportsController.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/Api/ReportsController.php b/app/Http/Controllers/Api/ReportsController.php
index 3c1faa1031..fbeb78fc8f 100644
--- a/app/Http/Controllers/Api/ReportsController.php
+++ b/app/Http/Controllers/Api/ReportsController.php
@@ -32,13 +32,16 @@ class ReportsController extends Controller
         }
         if (($request->filled('item_type')) && ($request->filled('item_id'))) {
-            $actionlogs = $actionlogs->where('item_id', '=', $request->input('item_id'))
+            $actionlogs = $actionlogs->where(function($query) use ($request)
+            {
+                $query->where('item_id', '=', $request->input('item_id'))
                 ->where('item_type', '=', 'App\\Models\\'.ucwords($request->input('item_type')))
                 ->orWhere(function($query) use ($request) {
                     $query->where('target_id', '=', $request->input('item_id'))
                         ->where('target_type', '=', 'App\\Models\\'.ucwords($request->input('item_type')));
                 });
+            });
         }
         if ($request->filled('action_type')) {