From 2dad27eed623da45b241956856171619f901a1d2 Mon Sep 17 00:00:00 2001
From: snipe
Date: Fri, 11 Feb 2022 11:46:14 -0800
Subject: [PATCH 1/7] Added additional gate for selectlists

Signed-off-by: snipe
---
 .../Controllers/Api/AssetModelsController.php | 1 +
 .../Controllers/Api/CategoriesController.php | 2 +-
 .../Controllers/Api/CompaniesController.php | 2 +-
 .../Controllers/Api/DepartmentsController.php | 1 +
 .../Controllers/Api/LocationsController.php | 2 ++
 .../Api/ManufacturersController.php | 1 +
 .../Controllers/Api/SuppliersController.php | 2 ++
 app/Providers/AuthServiceProvider.php | 19 ++++++++++++++++++-
 8 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/app/Http/Controllers/Api/AssetModelsController.php b/app/Http/Controllers/Api/AssetModelsController.php
index 95af6fbe5af2..120c4344b0ff 100644
--- a/app/Http/Controllers/Api/AssetModelsController.php
+++ b/app/Http/Controllers/Api/AssetModelsController.php
@@ -234,6 +234,7 @@ public function destroy($id)
 
 public function selectlist(Request $request)
 {
+ $this->authorize('view.selectlists');
 $assetmodels = AssetModel::select([
 'models.id',
 'models.name',
diff --git a/app/Http/Controllers/Api/CategoriesController.php b/app/Http/Controllers/Api/CategoriesController.php
index 9b4fa51349a5..500449067696 100644
--- a/app/Http/Controllers/Api/CategoriesController.php
+++ b/app/Http/Controllers/Api/CategoriesController.php
@@ -148,7 +148,7 @@ public function destroy($id)
 */
 public function selectlist(Request $request, $category_type = 'asset')
 {
-
+ $this->authorize('view.selectlists');
 $categories = Category::select([
 'id',
 'name',
diff --git a/app/Http/Controllers/Api/CompaniesController.php b/app/Http/Controllers/Api/CompaniesController.php
index 8b471f27b362..baf740dfcb17 100644
--- a/app/Http/Controllers/Api/CompaniesController.php
+++ b/app/Http/Controllers/Api/CompaniesController.php
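Review bot: The ability name `'view.selectlists'` enters the codebase as a bare string literal in the added line here and is repeated verbatim in the CategoriesController, CompaniesController, DepartmentsController, LocationsController, ManufacturersController and SuppliersController hunks as well as in the `Gate::define` call in AuthServiceProvider, so a misspelling in any one copy would make `authorize()` check an ability the Gate has never seen, which Laravel treats as denied — the endpoint fails closed, but silently and with no hint that the gate name drifted. A single shared constant, e.g. `public const SELECTLIST_GATE = 'view.selectlists';` on the controllers' common base class, referenced from both the seven `authorize()` calls and the provider, removes that drift. A feature test per selectlist route asserting a 403 for an API user without the gated permissions would pin the new check in place; none is part of this series. The selectlist method bodies continue outside the hunks.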
@@ -159,7 +159,7 @@ public function destroy($id)
 */
 public function selectlist(Request $request)
 {
-
+ $this->authorize('view.selectlists');
 $companies = Company::select([
 'companies.id',
 'companies.name',
diff --git a/app/Http/Controllers/Api/DepartmentsController.php b/app/Http/Controllers/Api/DepartmentsController.php
index 04b806d406de..e48a3df8390a 100644
--- a/app/Http/Controllers/Api/DepartmentsController.php
+++ b/app/Http/Controllers/Api/DepartmentsController.php
@@ -168,6 +168,7 @@ public function destroy($id)
 
 public function selectlist(Request $request)
 {
+ $this->authorize('view.selectlists');
 $departments = Department::select([
 'id',
 'name',
diff --git a/app/Http/Controllers/Api/LocationsController.php b/app/Http/Controllers/Api/LocationsController.php
index 6d70e7aaf180..ec91310e6f00 100644
--- a/app/Http/Controllers/Api/LocationsController.php
+++ b/app/Http/Controllers/Api/LocationsController.php
@@ -223,6 +223,8 @@ public function destroy($id)
 
 public function selectlist(Request $request)
 {
+ $this->authorize('view.selectlists');
+
 $locations = Location::select([
 'locations.id',
 'locations.name',
diff --git a/app/Http/Controllers/Api/ManufacturersController.php b/app/Http/Controllers/Api/ManufacturersController.php
index 0301ae587c7b..5fa4560fe642 100644
--- a/app/Http/Controllers/Api/ManufacturersController.php
+++ b/app/Http/Controllers/Api/ManufacturersController.php
@@ -155,6 +155,7 @@ public function destroy($id)
 
 public function selectlist(Request $request)
 {
+ $this->authorize('view.selectlists');
 $manufacturers = Manufacturer::select([
 'id',
 'name',
diff --git a/app/Http/Controllers/Api/SuppliersController.php b/app/Http/Controllers/Api/SuppliersController.php
index 54784a4e3736..d04bb61f03ed 100644
--- a/app/Http/Controllers/Api/SuppliersController.php
+++ b/app/Http/Controllers/Api/SuppliersController.php
@@ -155,6 +155,8 @@ public function destroy($id)
 
 public function selectlist(Request $request)
 {
+ $this->authorize('view.selectlists');
+
 $suppliers = Supplier::select([
 'id',
 'name',
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index b24df173c310..dacdeed9cc65 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -156,6 +156,8 @@ public function boot()
 return $user->hasAccess('self.checkout_assets');
 });
 
+ // This is largely used to determine whether to display the gear icon sidenav
+ // in the left-side navigation
 Gate::define('backend.interact', function ($user) {
 return $user->can('view', Statuslabel::class)
 || $user->can('view', AssetModel::class)
@@ -168,7 +170,22 @@ public function boot()
 || $user->can('view', Manufacturer::class)
 || $user->can('view', CustomField::class)
 || $user->can('view', CustomFieldset::class)
- || $user->can('view', Depreciation::class);
+ || $user->can('view', Depreciation::class);
+ });
+
+
+ // This largely echoes the above backend.interact gate, but also determins
+ // whether or not an API user should be able tp get the selectlists.
+ // This can seema a little confusing, since view properties may not have been granted
+ // to the logged in API user, but creating assets, licenses, etc won't work
+ // if the user can't view and interact with the select lists.
+ Gate::define('view.selectlists', function ($user) {
+ return $user->can('view', Statuslabel::class)
+ || $user->can('view', Asset::class)
+ || $user->can('view', License::class)
+ || $user->can('view', Consumable::class)
+ || $user->can('view', Accessory::class)
+ || $user->can('view', User::class);
 });
 }
 }
From b30d1dce89a869219b33160c235d793e11c24b10 Mon Sep 17 00:00:00 2001
From: snipe
Date: Fri, 11 Feb 2022 11:55:24 -0800
Subject: [PATCH 2/7] Removed selectlist

Signed-off-by: snipe
---
 app/Providers/AuthServiceProvider.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
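Review bot: The new `view.selectlists` gate in the second AuthServiceProvider hunk decides only whether a caller may reach the seven selectlist endpoints, not which rows come back: any one of the six model-level abilities it ORs together unlocks the full company, department, location, supplier, manufacturer, category and model lists, so the data exposure of those endpoints now rests entirely on whatever row scoping the `select()` queries in the controllers apply (not visible in this series — worth confirming that multi-company scoping, if the project has it, is applied there rather than assumed from the gate). The comment above the gate should say this explicitly, e.g. `// Grants access to the selectlist endpoints only; row-level scoping is the responsibility of each selectlist query.`. As a point of style, the closure could be declared `static function (User $user): bool` so the return contract is visible and static analysis can check the `can()` calls. The `boot()` method this hunk sits in starts and ends outside the hunk.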
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index dacdeed9cc65..1b956650f822 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -180,8 +180,7 @@ public function boot()
 // to the logged in API user, but creating assets, licenses, etc won't work
 // if the user can't view and interact with the select lists.
 Gate::define('view.selectlists', function ($user) {
- return $user->can('view', Statuslabel::class)
- || $user->can('view', Asset::class)
+ return $user->can('view', Asset::class)
 || $user->can('view', License::class)
 || $user->can('view', Consumable::class)
 || $user->can('view', Accessory::class)
From 5fafa81dc15a14225e974949bc37aa012719e601 Mon Sep 17 00:00:00 2001
From: snipe
Date: Fri, 11 Feb 2022 11:57:29 -0800
Subject: [PATCH 3/7] Forgot components

Signed-off-by: snipe
---
 app/Providers/AuthServiceProvider.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index 1b956650f822..ce08c90cbee3 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -182,6 +182,7 @@ public function boot()
 Gate::define('view.selectlists', function ($user) {
 return $user->can('view', Asset::class)
 || $user->can('view', License::class)
+ || $user->can('view', Component::class)
 || $user->can('view', Consumable::class)
 || $user->can('view', Accessory::class)
 || $user->can('view', User::class);
From 9226c8292d97e848ff9664a4ae6812f39ee668e3 Mon Sep 17 00:00:00 2001
From: snipe
Date: Fri, 11 Feb 2022 12:02:14 -0800
Subject: [PATCH 4/7] Fixed typos in comments

Signed-off-by: snipe
---
 app/Providers/AuthServiceProvider.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index ce08c90cbee3..2a0851d1e4fa 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -174,9 +174,8 @@ public function boot()
 });
 
 
- // This largely echoes the above backend.interact gate, but also determins
- // whether or not an API user should be able tp get the selectlists.
- // This can seema a little confusing, since view properties may not have been granted
+ // This determines whether or not an API user should be able to get the selectlists.
+ // This can seem a little confusing, since view properties may not have been granted
 // to the logged in API user, but creating assets, licenses, etc won't work
 // if the user can't view and interact with the select lists.
 Gate::define('view.selectlists', function ($user) {
From c1a065384782fc01ea2591a7dda63f81774dc1aa Mon Sep 17 00:00:00 2001
From: snipe
Date: Fri, 11 Feb 2022 12:31:11 -0800
Subject: [PATCH 5/7] Restrict to update or create gate methods for select lists

Signed-off-by: snipe
---
 app/Providers/AuthServiceProvider.php | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index 2a0851d1e4fa..056d3eb5f009 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -179,12 +179,18 @@ public function boot()
 // to the logged in API user, but creating assets, licenses, etc won't work
 // if the user can't view and interact with the select lists.
 Gate::define('view.selectlists', function ($user) {
- return $user->can('view', Asset::class)
- || $user->can('view', License::class)
- || $user->can('view', Component::class)
- || $user->can('view', Consumable::class)
- || $user->can('view', Accessory::class)
- || $user->can('view', User::class);
+ return $user->can('update', Asset::class)
+ || $user->can('create', License::class)
+ || $user->can('update', License::class)
+ || $user->can('create', License::class)
+ || $user->can('update', Component::class)
+ || $user->can('create', Component::class)
+ || $user->can('update', Consumable::class)
+ || $user->can('create', Consumable::class)
+ || $user->can('update', Accessory::class)
+ || $user->can('create', Accessory::class)
+ || $user->can('update', User::class)
+ || $user->can('create', User::class);
 });
 }
 }
From 2c5abaaea44643436ab89aab9a2cd22df54a043f Mon Sep 17 00:00:00 2001
From: snipe
Date: Fri, 11 Feb 2022 12:32:09 -0800
Subject: [PATCH 6/7] Fixed copypasta

Signed-off-by: snipe
---
 app/Providers/AuthServiceProvider.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index 056d3eb5f009..a8e5a6245b39 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -180,7 +180,7 @@ public function boot()
 // if the user can't view and interact with the select lists.
 Gate::define('view.selectlists', function ($user) {
 return $user->can('update', Asset::class)
- || $user->can('create', License::class)
+ || $user->can('create', Asset::class)
 || $user->can('update', License::class)
 || $user->can('create', License::class)
 || $user->can('update', Component::class)
From d6b82223717780a9317de9b17d088d65081b8413 Mon Sep 17 00:00:00 2001
From: snipe
Date: Fri, 11 Feb 2022 12:48:30 -0800
Subject: [PATCH 7/7] Refactor to combine permissions

Signed-off-by: snipe
---
 app/Providers/AuthServiceProvider.php | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index a8e5a6245b39..6352e65dcb6d 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -179,18 +179,12 @@ public function boot()
 // to the logged in API user, but creating assets, licenses, etc won't work
 // if the user can't view and interact with the select lists.
 Gate::define('view.selectlists', function ($user) {
- return $user->can('update', Asset::class)
- || $user->can('create', Asset::class)
- || $user->can('update', License::class)
- || $user->can('create', License::class)
- || $user->can('update', Component::class)
- || $user->can('create', Component::class)
- || $user->can('update', Consumable::class)
- || $user->can('create', Consumable::class)
- || $user->can('update', Accessory::class)
- || $user->can('create', Accessory::class)
- || $user->can('update', User::class)
- || $user->can('create', User::class);
+ return $user->can(['create','update'], Asset::class)
+ || $user->can(['create','update'], License::class)
+ || $user->can(['create','update'], Component::class)
+ || $user->can(['create','update'], Consumable::class)
+ || $user->can(['create','update'], Accessory::class)
+ || $user->can(['create','update'], User::class);
 });
 }
 }
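Review bot: `$user->can(['create','update'], Asset::class)` on the new side requires both abilities rather than either one: Illuminate's `Authorizable::can()` hands an array straight to `Gate::check()`, which only returns true when every listed ability is allowed, so this refactor silently tightens the gate compared with the previous commit, where `create` and `update` were OR-ed per model — an API user holding only `create` on assets would now be refused the very select lists the comment above says they need to create an asset. Unless the project's User model overrides `can()` (not visible here), the any-of semantics the series intends is `$user->canAny(['create', 'update'], Asset::class)` (or `Gate::any()` on older framework releases), applied to all six lines. A feature test that authenticates a user with a single create permission and asserts a 200 from one selectlist route would have caught the change in meaning. PER-CS also wants a space after the comma inside the array literals. `boot()` starts outside the hunk.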