Don’t let the user checkout an asset to itself

(We should consolidate that AssetCheckoutRequest for the API)
This commit is contained in:
snipe 2017-10-19 15:51:55 -07:00
parent 2fc46746e2
commit 1f247ff541
4 changed files with 21 additions and 6 deletions

View file

@ -7,6 +7,6 @@ class CheckoutNotAllowed extends Exception
{
public function __toString()
{
"A checkout is not allowed under these circumstances";
return "A checkout is not allowed under these circumstances";
}
}

View file

@ -457,16 +457,28 @@ class AssetsController extends Controller
$this->authorize('checkout', $asset);
$error_payload = [];
$error_payload['asset'] = [
'id' => $asset->id,
'asset_tag' => $asset->asset_tag,
];
if ($request->has('user_id')) {
$target = User::find($request->input('user_id'));
$error_payload['target_id'] = $request->input('user_id');
$error_payload['target_type'] = User::class;
// Don't let the user check an asset out to itself
} elseif ($request->has('asset_id')) {
$target = Asset::find($request->input('asset_id'));
$target = Asset::where('id','!=',$asset_id)->find($request->input('asset_id'));
$error_payload['target_id'] = $request->input('asset_id');
$error_payload['target_type'] = Asset::class;
} elseif ($request->has('location_id')) {
$target = Location::find($request->input('location_id'));
$error_payload['target_id'] = $request->input('location_id');
$error_payload['target_type'] = Location::class;
}
if (!isset($target)) {
return response()->json(Helper::formatStandardApiResponse('error', ['asset'=> e($asset->asset_tag)], 'No valid checkout target specified for asset '.e($asset->asset_tag).'.'));
return response()->json(Helper::formatStandardApiResponse('error', $error_payload, 'No valid checkout target specified for asset '.e($asset->asset_tag).'.'));
}
$checkout_at = request('checkout_at', date("Y-m-d H:i:s"));

View file

@ -458,7 +458,7 @@ class AssetsController extends Controller
if (request('assigned_user')) {
$target = User::find(request('assigned_user'));
} elseif (request('assigned_asset')) {
$target = Asset::find(request('assigned_asset'));
$target = Asset::where('id','!=',$assetId)->find(request('assigned_asset'));
} elseif (request('assigned_location')) {
$target = Location::find(request('assigned_location'));
}

View file

@ -23,10 +23,13 @@ class AssetCheckoutRequest extends Request
*/
public function rules()
{
return [
$rules = [
"assigned_user" => 'required_without_all:assigned_asset,assigned_location',
"assigned_asset" => 'required_without_all:assigned_user,assigned_location',
"assigned_asset" => 'required_without_all:assigned_user,assigned_location|different:'.$this->id,
"assigned_location" => 'required_without_all:assigned_user,assigned_asset',
];
return $rules;
}
}