From 423b636db957dcc4d41109c90cb2cb1ad311b63d Mon Sep 17 00:00:00 2001
From: Marcus Moore
Date: Tue, 9 Jan 2024 10:57:43 -0800
Subject: [PATCH] Guard against non-integers being passed for company_id

---
 app/Http/Requests/StoreAssetRequest.php | 9 ++++++++-
 tests/Feature/Api/Assets/AssetStoreTest.php | 13 +++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/app/Http/Requests/StoreAssetRequest.php b/app/Http/Requests/StoreAssetRequest.php
index 00c5d27be9..74988b6c62 100644
--- a/app/Http/Requests/StoreAssetRequest.php
+++ b/app/Http/Requests/StoreAssetRequest.php
@@ -20,9 +20,16 @@ class StoreAssetRequest extends ImageUploadRequest
     public function prepareForValidation(): void
     {
+        // Guard against users passing in an array for company_id instead of an integer.
+        // If the company_id is not an integer then we simply use what was
+        // provided to be caught by model level validation later.
+        $idForCurrentUser = is_int($this->company_id)
+            ? Company::getIdForCurrentUser($this->company_id)
+            : $this->company_id;
+
         $this->merge([
             'asset_tag' => $this->asset_tag ?? Asset::autoincrement_asset(),
-            'company_id' => Company::getIdForCurrentUser($this->company_id),
+            'company_id' => $idForCurrentUser,
             'assigned_to' => $assigned_to ?? null,
         ]);
     }
diff --git a/tests/Feature/Api/Assets/AssetStoreTest.php b/tests/Feature/Api/Assets/AssetStoreTest.php
index 720526f5b5..92a58a5006 100644
--- a/tests/Feature/Api/Assets/AssetStoreTest.php
+++ b/tests/Feature/Api/Assets/AssetStoreTest.php
@@ -10,6 +10,7 @@ use App\Models\Statuslabel;
 use App\Models\Supplier;
 use App\Models\User;
 use Carbon\Carbon;
+use Illuminate\Testing\Fluent\AssertableJson;
 use Tests\Support\InteractsWithSettings;
 use Tests\TestCase;
 
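Review bot: The `is_int($this->company_id)` guard in prepareForValidation() routes every non-integer value around `Company::getIdForCurrentUser()`, not just the array case the comment describes, so a numeric string such as `"3"` (what a form-encoded request, or a JSON client that quotes its numbers, sends) is merged through untouched. If getIdForCurrentUser() is what pins company_id to the requesting user's company — its body is not in the hunk, so this is inferred from the name and the original unconditional call — then a caller can avoid that pinning simply by sending the id as a string, and the "model level validation later" the comment relies on would only establish that the company exists, not that the user may assign to it. Narrowing the bypass to the one shape the commit actually worries about keeps the scalar path intact: `$idForCurrentUser = is_array($this->company_id) ? $this->company_id : Company::getIdForCurrentUser($this->company_id);` — or, if getIdForCurrentUser() requires an int, treat `ctype_digit` strings as integers and cast them before the call. Whichever is chosen, the comment should say that non-scalar input is the case being deferred, since "not an integer" is now wider than the behaviour intended. The rest of StoreAssetRequest lies outside the hunk.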
@@ -425,4 +426,16 @@ class AssetStoreTest extends TestCase
         // I think this makes sense, but open to a sanity check
         $this->assertTrue($asset->assignedAssets()->find($response['payload']['id'])->is($apiAsset));
     }
+
+    public function testCompanyIdNeedsToBeInteger()
+    {
+        $this->actingAsForApi(User::factory()->createAssets()->create())
+            ->postJson(route('api.assets.store'), [
+                'company_id' => [1],
+            ])
+            ->assertStatusMessageIs('error')
+            ->assertJson(function (AssertableJson $json) {
+                $json->has('messages.company_id')->etc();
+            });
+    }
 }
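Review bot: testCompanyIdNeedsToBeInteger pins only the array input, so the scalar branch that the new `is_int()` guard in StoreAssetRequest now forks on has no coverage: nothing asserts that a string id such as `'company_id' => '1'` is still passed through Company::getIdForCurrentUser() rather than merged as provided. A companion case that posts a string company_id as a user who is not permitted to pick arbitrary companies, then asserts the stored asset's company_id equals that user's own company, would catch a silent skip of the scoping step (assuming that is what getIdForCurrentUser() enforces; it is not visible here). A one-line `// Arrays must be rejected by validation, not silently coerced.` above the postJson call would also record why the method exists.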