From f83dad3dc90905b9f1f7173663cffa083d7ca8bf Mon Sep 17 00:00:00 2001
From: Benjamin Piouffle
Date: Tue, 7 Oct 2025 16:21:07 +0200
Subject: [PATCH] enhancement(Expense): protect invoice reference ID

---
 server/graphql/common/expenses.ts   | 2 ++
 server/graphql/v2/object/Expense.ts | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/server/graphql/common/expenses.ts b/server/graphql/common/expenses.ts
index a5772e90394..5792fe4ab57 100644
--- a/server/graphql/common/expenses.ts
+++ b/server/graphql/common/expenses.ts
@@ -397,6 +397,8 @@ export const canSeeExpenseInvoiceInfo: ExpensePermissionEvaluator = async (
 ) => {
   if (!validateExpenseScope(req)) {
     return false;
+  } else if (getContextPermission(req, PERMISSION_TYPE.SEE_EXPENSE_DRAFT_PRIVATE_DETAILS, expense.id)) {
+    return true;
   }
 
   return remoteUserMeetsOneCondition(
diff --git a/server/graphql/v2/object/Expense.ts b/server/graphql/v2/object/Expense.ts
index a82b6d8f1d3..c73e4e55ff1 100644
--- a/server/graphql/v2/object/Expense.ts
+++ b/server/graphql/v2/object/Expense.ts
@@ -129,6 +129,11 @@ export const GraphQLExpense = new GraphQLObjectType
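Review bot: The new `else if` in canSeeExpenseInvoiceInfo returns true for any request that holds `SEE_EXPENSE_DRAFT_PRIVATE_DETAILS` for `expense.id`, before `remoteUserMeetsOneCondition` is consulted, and nothing in the hunk ties that grant to the expense still being a draft; if the context permission is derived from a draft key that stays valid after the expense is submitted (I cannot tell from here), this branch would keep exposing the invoice reference to key holders past the draft stage. Either guard the branch with an explicit draft-status check on `expense` or record why status is irrelevant, e.g. `// Holders of the draft private-details permission (e.g. invited submitters) may read invoice info for this expense regardless of its status.` As a style point the `else` after `return false;` is redundant; a second plain `if` block reads cleaner. The body of canSeeExpenseInvoiceInfo continues outside the hunk, and the Expense.ts hunk that presumably wires this evaluator to the new field is cut off at the end of the page.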