From 0fb8dc34185308e22a948d44e2d8fd95118f958c Mon Sep 17 00:00:00 2001
From: vcordes79
Date: Wed, 24 Jan 2018 03:10:05 +0100
Subject: [PATCH] check if user is allowed to view assets (#4845)
---
 app/Http/Controllers/Api/UsersController.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/app/Http/Controllers/Api/UsersController.php b/app/Http/Controllers/Api/UsersController.php
index f5b7ce08e4..d611eaa770 100644
--- a/app/Http/Controllers/Api/UsersController.php
+++ b/app/Http/Controllers/Api/UsersController.php
@@ -286,6 +286,7 @@ class UsersController extends Controller
 {
 $this->authorize('view', User::class);
 $assets = Asset::where('assigned_to', '=', $id)->with('model')->get();
+ if ($assets) $this->authorize('view', $assets[0]);
 return (new AssetsTransformer)->transformAssets($assets, $assets->count());
 }
 }
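Review bot: The added guard `if ($assets)` is always true, because `get()` returns a Collection object and an empty one is still truthy, so for a user with no assigned assets `$assets[0]` reads a missing offset (likely an error, or a null handed to the policy, depending on the framework version). The check also covers only the first asset, while `transformAssets` returns every asset in the collection; if the asset policy ever depends on the individual record, the rest go out unchecked. Authorizing against the class before running the query avoids both problems: `$this->authorize('view', Asset::class);` placed directly after the `User::class` check, assuming the asset policy's `view` ability accepts a class name as the user one does. The method's signature lies outside the hunk, so where `$id` comes from cannot be confirmed here.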