mirror of
https://github.com/snipe/snipe-it.git
synced 2024-09-19 23:37:38 -07:00
Allow users that have permission to edit their own location to see locations in select list
This commit is contained in:
Marcus Moore
parent
232e84acf7
commit
346ace9444
|
|
@ -253,8 +253,12 @@ class LocationsController extends Controller
|
||||||
*/
|
*/
|
||||||
public function selectlist(Request $request)
|
public function selectlist(Request $request)
|
||||||
{
|
{
|
||||||
|
// If a user is in the process of editing their profile, as determined by the referrer,
|
||||||
$this->authorize('view.selectlists');
|
// then we check that they have permission to edit their own location.
|
||||||
|
// Otherwise, we do our normal check that they can view select lists.
|
||||||
|
$request->headers->get('referer') === route('profile')
|
||||||
|
? $this->authorize('self.edit_location')
|
||||||
|
: $this->authorize('view.selectlists');
|
||||||
|
|
||||||
$locations = Location::select([
|
$locations = Location::select([
|
||||||
'locations.id',
|
'locations.id',
|
||||||
|
|
|
||||||
|
|
@ -424,4 +424,12 @@ class UserFactory extends Factory
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function canEditOwnLocation()
|
||||||
|
{
|
||||||
|
return $this->state(function () {
|
||||||
|
return [
|
||||||
|
'permissions' => '{"self.edit_location":"1"}',
|
||||||
|
];
|
||||||
|
});
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
48
tests/Feature/Api/Locations/LocationsForSelectListTest.php
Normal file
48
tests/Feature/Api/Locations/LocationsForSelectListTest.php
Normal file
|
|
@ -0,0 +1,48 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Tests\Feature\Api\Locations;
|
||||||
|
|
||||||
|
use App\Models\Location;
|
||||||
|
use App\Models\User;
|
||||||
|
use Illuminate\Testing\Fluent\AssertableJson;
|
||||||
|
use Tests\Support\InteractsWithSettings;
|
||||||
|
use Tests\TestCase;
|
||||||
|
|
||||||
|
class LocationsForSelectListTest extends TestCase
|
||||||
|
{
|
||||||
|
use InteractsWithSettings;
|
||||||
|
|
||||||
|
public function testGettingLocationListRequiresProperPermission()
|
||||||
|
{
|
||||||
|
$this->actingAsForApi(User::factory()->create())
|
||||||
|
->getJson(route('api.locations.selectlist'))
|
||||||
|
->assertForbidden();
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testLocationsReturned()
|
||||||
|
{
|
||||||
|
Location::factory()->create();
|
||||||
|
|
||||||
|
// see the where the "view.selectlists" is defined in the AuthServiceProvider
|
||||||
|
// for info on why "createUsers()" is used here.
|
||||||
|
$this->actingAsForApi(User::factory()->createUsers()->create())
|
||||||
|
->getJson(route('api.locations.selectlist'))
|
||||||
|
->assertOk()
|
||||||
|
->assertJsonStructure([
|
||||||
|
'results',
|
||||||
|
'pagination',
|
||||||
|
'total_count',
|
||||||
|
'page',
|
||||||
|
'page_count',
|
||||||
|
])
|
||||||
|
->assertJson(fn(AssertableJson $json) => $json->has('results', 1)->etc());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testLocationsAreReturnedWhenUserIsUpdatingTheirProfileAndHasPermissionToUpdateLocation()
|
||||||
|
{
|
||||||
|
$this->actingAsForApi(User::factory()->canEditOwnLocation()->create())
|
||||||
|
->withHeader('referer', route('profile'))
|
||||||
|
->getJson(route('api.locations.selectlist'))
|
||||||
|
->assertOk();
|
||||||
|
}
|
||||||
|
}
|
||||||
Loading…
Reference in a new issue