From 1e34398c9957a66f7bc05ca95015cf2cd62a6767 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 10 Nov 2022 17:19:12 +0000
Subject: [PATCH] Permissions check on the field itself

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Http/Controllers/ViewAssetsController.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/Http/Controllers/ViewAssetsController.php b/app/Http/Controllers/ViewAssetsController.php
index edd1671ecf..55499ab22b 100755
--- a/app/Http/Controllers/ViewAssetsController.php
+++ b/app/Http/Controllers/ViewAssetsController.php
@@ -38,13 +38,17 @@ class ViewAssetsController extends Controller
             'licenses',
         )->find(Auth::user()->id);
 
-
+        // Loop through all the custom fields that are applied to any model the user has assigned
         foreach ($user->assets as $asset) {
             foreach ($asset->model->fieldset->fields as $field) {
-                $field_array[$field->db_column] = $field->name;
+                // check and make sure they're allowed to see the value of the custom field
+                if ($field->display_in_user_view == '1') {
+                    $field_array[$field->db_column] = $field->name;
+                }
             }
         }
 
+        // Since some models may re-use the same fieldsets/fields, let's make the array unique so we don't repeat columns
         array_unique($field_array);
 
         if (isset($user->id)) {