From 2dad27eed623da45b241956856171619f901a1d2 Mon Sep 17 00:00:00 2001
From: snipe
Date: Fri, 11 Feb 2022 11:46:14 -0800
Subject: [PATCH] Added additional gate for selectlists
Signed-off-by: snipe
---
 .../Controllers/Api/AssetModelsController.php | 1 +
 .../Controllers/Api/CategoriesController.php | 2 +-
 .../Controllers/Api/CompaniesController.php | 2 +-
 .../Controllers/Api/DepartmentsController.php | 1 +
 .../Controllers/Api/LocationsController.php | 2 ++
 .../Api/ManufacturersController.php | 1 +
 .../Controllers/Api/SuppliersController.php | 2 ++
 app/Providers/AuthServiceProvider.php | 19 ++++++++++++++++++-
 8 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/app/Http/Controllers/Api/AssetModelsController.php b/app/Http/Controllers/Api/AssetModelsController.php
index 95af6fbe5a..120c4344b0 100644
--- a/app/Http/Controllers/Api/AssetModelsController.php
+++ b/app/Http/Controllers/Api/AssetModelsController.php
@@ -234,6 +234,7 @@ class AssetModelsController extends Controller
 public function selectlist(Request $request)
 {
+ $this->authorize('view.selectlists');
 $assetmodels = AssetModel::select([
 'models.id',
 'models.name',
diff --git a/app/Http/Controllers/Api/CategoriesController.php b/app/Http/Controllers/Api/CategoriesController.php
index 9b4fa51349..5004490676 100644
--- a/app/Http/Controllers/Api/CategoriesController.php
+++ b/app/Http/Controllers/Api/CategoriesController.php
@@ -148,7 +148,7 @@ class CategoriesController extends Controller
 */
 public function selectlist(Request $request, $category_type = 'asset')
 {
-
+ $this->authorize('view.selectlists');
 $categories = Category::select([
 'id',
 'name',
diff --git a/app/Http/Controllers/Api/CompaniesController.php b/app/Http/Controllers/Api/CompaniesController.php
index 8b471f27b3..baf740dfcb 100644
--- a/app/Http/Controllers/Api/CompaniesController.php
+++ b/app/Http/Controllers/Api/CompaniesController.php
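Review bot: The `selectlist` docblocks (the `*/` visible in the CategoriesController and CompaniesController hunks, and the ones just above this hunk) do not record the new precondition; add `@throws \Illuminate\Auth\Access\AuthorizationException when the caller lacks the view.selectlists ability` so API consumers know a 403 is now a possible response. The same `$this->authorize('view.selectlists');` line is added in the Departments, Locations, Manufacturers and Suppliers hunks as well, so this note covers all seven; the ability name is a bare string repeated seven times, and a shared constant would keep them from drifting, although as far as I recall Laravel's Gate denies an unknown ability rather than allowing it. Style: Locations and Suppliers add a blank line after the call while the other five do not, and Categories/Companies replace an existing blank line; pick one form. The call sits before any query runs, which is the right place, but it presumes each controller inherits `AuthorizesRequests` from the base Controller, which is outside this hunk. Each `selectlist` body continues past the end of its hunk.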
@@ -159,7 +159,7 @@ class CompaniesController extends Controller
 */
 public function selectlist(Request $request)
 {
-
+ $this->authorize('view.selectlists');
 $companies = Company::select([
 'companies.id',
 'companies.name',
diff --git a/app/Http/Controllers/Api/DepartmentsController.php b/app/Http/Controllers/Api/DepartmentsController.php
index 04b806d406..e48a3df839 100644
--- a/app/Http/Controllers/Api/DepartmentsController.php
+++ b/app/Http/Controllers/Api/DepartmentsController.php
@@ -168,6 +168,7 @@ class DepartmentsController extends Controller
 public function selectlist(Request $request)
 {
+ $this->authorize('view.selectlists');
 $departments = Department::select([
 'id',
 'name',
diff --git a/app/Http/Controllers/Api/LocationsController.php b/app/Http/Controllers/Api/LocationsController.php
index 6d70e7aaf1..ec91310e6f 100644
--- a/app/Http/Controllers/Api/LocationsController.php
+++ b/app/Http/Controllers/Api/LocationsController.php
@@ -223,6 +223,8 @@ class LocationsController extends Controller
 public function selectlist(Request $request)
 {
+ $this->authorize('view.selectlists');
+
 $locations = Location::select([
 'locations.id',
 'locations.name',
diff --git a/app/Http/Controllers/Api/ManufacturersController.php b/app/Http/Controllers/Api/ManufacturersController.php
index 0301ae587c..5fa4560fe6 100644
--- a/app/Http/Controllers/Api/ManufacturersController.php
+++ b/app/Http/Controllers/Api/ManufacturersController.php
@@ -155,6 +155,7 @@ class ManufacturersController extends Controller
 public function selectlist(Request $request)
 {
+ $this->authorize('view.selectlists');
 $manufacturers = Manufacturer::select([
 'id',
 'name',
diff --git a/app/Http/Controllers/Api/SuppliersController.php b/app/Http/Controllers/Api/SuppliersController.php
index 54784a4e37..d04bb61f03 100644
--- a/app/Http/Controllers/Api/SuppliersController.php
+++ b/app/Http/Controllers/Api/SuppliersController.php
@@ -155,6 +155,8 @@ class SuppliersController extends Controller
 public function selectlist(Request $request)
 {
+ $this->authorize('view.selectlists');
+
 $suppliers = Supplier::select([
 'id',
 'name',
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index b24df173c3..dacdeed9cc 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -156,6 +156,8 @@ class AuthServiceProvider extends ServiceProvider
 return $user->hasAccess('self.checkout_assets');
 });
+ // This is largely used to determine whether to display the gear icon sidenav
+ // in the left-side navigation
 Gate::define('backend.interact', function ($user) {
 return $user->can('view', Statuslabel::class)
 || $user->can('view', AssetModel::class)
@@ -168,7 +170,22 @@ class AuthServiceProvider extends ServiceProvider
 || $user->can('view', Manufacturer::class)
 || $user->can('view', CustomField::class)
 || $user->can('view', CustomFieldset::class)
- || $user->can('view', Depreciation::class);
+ || $user->can('view', Depreciation::class);
+ });
+
+
+ // This largely echoes the above backend.interact gate, but also determins
+ // whether or not an API user should be able tp get the selectlists.
+ // This can seema a little confusing, since view properties may not have been granted
+ // to the logged in API user, but creating assets, licenses, etc won't work
+ // if the user can't view and interact with the select lists.
+ Gate::define('view.selectlists', function ($user) {
+ return $user->can('view', Statuslabel::class)
+ || $user->can('view', Asset::class)
+ || $user->can('view', License::class)
+ || $user->can('view', Consumable::class)
+ || $user->can('view', Accessory::class)
+ || $user->can('view', User::class);
 });
 }
 }
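Review bot: The comment above the new `view.selectlists` gate says it "largely echoes" `backend.interact`, but the two model lists share only Statuslabel (this gate checks Asset, License, Consumable, Accessory and User; the one above checks AssetModel, Manufacturer, CustomField, CustomFieldset, Depreciation and more), so the comment should state the actual rule instead: a user who can view any one of these six models may read every select list the API controllers expose. That is a deliberately coarse, read-only disclosure decision (company, location, department, supplier, manufacturer, category and model names become visible to anyone with, say, `view` on `User`), and this comment is the only place it is recorded, so make it explicit and fix the typos (`determins`, `tp`, `seema`). The `-`/`+` pair on the `Depreciation` line looks whitespace-only; if so it is noise worth dropping from the diff. The `use` block is outside this hunk, so the new closure assumes `Asset`, `License`, `Consumable`, `Accessory` and `User` are already imported in this provider.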