Guard against non-integers being passed for company_id

Marcus Moore 2024-01-09 10:57:43 -08:00
parent eaf6d56253
commit 423b636db9
No known key found for this signature in database
2 changed files with 21 additions and 1 deletions


@ -20,9 +20,16 @@ class StoreAssetRequest extends ImageUploadRequest
public function prepareForValidation(): void public function prepareForValidation(): void
{ {
// Guard against users passing in an array for company_id instead of an integer.
// If the company_id is not an integer then we simply use what was
// provided to be caught by model level validation later.
$idForCurrentUser = is_int($this->company_id)
? Company::getIdForCurrentUser($this->company_id)
: $this->company_id;
$this->merge([ $this->merge([
'asset_tag' => $this->asset_tag ?? Asset::autoincrement_asset(), 'asset_tag' => $this->asset_tag ?? Asset::autoincrement_asset(),
'company_id' => Company::getIdForCurrentUser($this->company_id), 'company_id' => $idForCurrentUser,
'assigned_to' => $assigned_to ?? null, 'assigned_to' => $assigned_to ?? null,
]); ]);
} }
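Review bot: `is_int($this->company_id)` is true only for a native PHP integer, so every other value now takes the else branch and is merged without going through `Company::getIdForCurrentUser()`; that includes a numeric string such as `'1'`, which is what form-encoded bodies and many JSON clients send, and an omitted `company_id` (null). Before this change every request went through that helper, so if it is what constrains the value to the caller's own company (inferred from its name, its body is not in this hunk), the guard narrows where that check applies instead of only excluding arrays. Testing for the one shape the comment names keeps the helper on all other paths: `$idForCurrentUser = is_array($this->company_id) ? $this->company_id : Company::getIdForCurrentUser($this->company_id);`. The comment above it would then read `// An array company_id is passed through unchanged so model level validation rejects it.`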


@ -10,6 +10,7 @@ use App\Models\Statuslabel;
use App\Models\Supplier; use App\Models\Supplier;
use App\Models\User; use App\Models\User;
use Carbon\Carbon; use Carbon\Carbon;
use Illuminate\Testing\Fluent\AssertableJson;
use Tests\Support\InteractsWithSettings; use Tests\Support\InteractsWithSettings;
use Tests\TestCase; use Tests\TestCase;
@ -425,4 +426,16 @@ class AssetStoreTest extends TestCase
// I think this makes sense, but open to a sanity check // I think this makes sense, but open to a sanity check
$this->assertTrue($asset->assignedAssets()->find($response['payload']['id'])->is($apiAsset)); $this->assertTrue($asset->assignedAssets()->find($response['payload']['id'])->is($apiAsset));
} }
public function testCompanyIdNeedsToBeInteger()
{
$this->actingAsForApi(User::factory()->createAssets()->create())
->postJson(route('api.assets.store'), [
'company_id' => [1],
])
->assertStatusMessageIs('error')
->assertJson(function (AssertableJson $json) {
$json->has('messages.company_id')->etc();
});
}
} }
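Review bot: `testCompanyIdNeedsToBeInteger` pins only the array case, so nothing in this test shows what the endpoint does with a `company_id` that is valid but not a native integer. A companion case posting `'company_id' => '1'`, and another omitting the key, each asserting the `company_id` stored on the created asset, would document whether those values are still resolved through `Company::getIdForCurrentUser()` in `prepareForValidation()`. The existing assertion only checks that `messages.company_id` is present; asserting the expected message text as well would catch the request failing for an unrelated reason.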