Merge pull request #10498 from Haxatron/master

Fix access control

app/Http/Controllers/BulkAssetModelsController.php

@@ -32,6 +32,7 @@ public function edit(Request $request)
 
             // If deleting....
             if ($request->input('bulk_actions')=='delete') {
+                $this->authorize('delete', AssetModel::class);
                 $valid_count = 0;
                 foreach ($models as $model) {
                     if ($model->assets_count == 0) {
@@ -42,7 +43,7 @@ public function edit(Request $request)
 
             // Otherwise display the bulk edit screen
             }
-
+            $this->authorize('update', AssetModel::class);
             $nochange = ['NC' => 'No Change'];
             return view('models/bulk-edit', compact('models'))
                 ->with('fieldset_list', $nochange + Helper::customFieldsetList())
@@ -63,7 +64,8 @@ public function edit(Request $request)
      */
     public function update(Request $request)
     {
-
+        $this->authorize('update', AssetModel::class);
+
         $models_raw_array = $request->input('ids');
         $update_array = array();
 
@@ -103,6 +105,8 @@ public function update(Request $request)
      */
     public function destroy(Request $request)
     {
+        $this->authorize('delete', AssetModel::class);
+
         $models_raw_array = $request->input('ids');
 
         if ((is_array($models_raw_array)) && (count($models_raw_array) > 0)) {