Merge pull request #10662 from snipe/fixes/tighter_security_on_select…

…_lists

Added additional gate for selectlists

app/Http/Controllers/Api/AssetModelsController.php

@@ -234,6 +234,7 @@ public function destroy($id)
     public function selectlist(Request $request)
     {
 
+        $this->authorize('view.selectlists');
         $assetmodels = AssetModel::select([
             'models.id',
             'models.name',

app/Http/Controllers/Api/CategoriesController.php

@@ -148,7 +148,7 @@ public function destroy($id)
      */
     public function selectlist(Request $request, $category_type = 'asset')
     {
-
+        $this->authorize('view.selectlists');
         $categories = Category::select([
             'id',
             'name',

app/Http/Controllers/Api/CompaniesController.php

@@ -159,7 +159,7 @@ public function destroy($id)
      */
     public function selectlist(Request $request)
     {
-
+        $this->authorize('view.selectlists');
         $companies = Company::select([
             'companies.id',
             'companies.name',

app/Http/Controllers/Api/DepartmentsController.php

@@ -168,6 +168,7 @@ public function destroy($id)
     public function selectlist(Request $request)
     {
 
+        $this->authorize('view.selectlists');
         $departments = Department::select([
             'id',
             'name',

app/Http/Controllers/Api/LocationsController.php

@@ -223,6 +223,8 @@ public function destroy($id)
     public function selectlist(Request $request)
     {
 
+        $this->authorize('view.selectlists');
+
         $locations = Location::select([
             'locations.id',
             'locations.name',

app/Http/Controllers/Api/ManufacturersController.php

@@ -155,6 +155,7 @@ public function destroy($id)
     public function selectlist(Request $request)
     {
 
+        $this->authorize('view.selectlists');
         $manufacturers = Manufacturer::select([
             'id',
             'name',

app/Http/Controllers/Api/SuppliersController.php

@@ -155,6 +155,8 @@ public function destroy($id)
     public function selectlist(Request $request)
     {
 
+        $this->authorize('view.selectlists');
+
         $suppliers = Supplier::select([
             'id',
             'name',

app/Providers/AuthServiceProvider.php

@@ -156,6 +156,8 @@ public function boot()
             return $user->hasAccess('self.checkout_assets');
         });
 
+        // This is largely used to determine whether to display the gear icon sidenav 
+        // in the left-side navigation
         Gate::define('backend.interact', function ($user) {
             return $user->can('view', Statuslabel::class)
                 || $user->can('view', AssetModel::class)
@@ -168,7 +170,21 @@ public function boot()
                 || $user->can('view', Manufacturer::class)
                 || $user->can('view', CustomField::class)
                 || $user->can('view', CustomFieldset::class)                
-                || $user->can('view', Depreciation::class);
+                || $user->can('view', Depreciation::class); 
+        });
+
+
+        // This  determines whether or not an API user should be able to get the selectlists.
+        // This can seem a little confusing, since view properties may not have been granted
+        // to the logged in API user, but creating assets, licenses, etc won't work 
+        // if the user can't view and interact with the select lists.
+        Gate::define('view.selectlists', function ($user) {
+            return $user->can(['create','update'], Asset::class) 
+                || $user->can(['create','update'], License::class)   
+                || $user->can(['create','update'], Component::class)
+                || $user->can(['create','update'], Consumable::class)   
+                || $user->can(['create','update'], Accessory::class)   
+                || $user->can(['create','update'], User::class);   
         });
     }
 }