Guard against non-integers being passed for company_id

Marcus Moore 2024-01-09 10:57:43 -08:00
parent eaf6d56253
commit 423b636db9
No known key found for this signature in database
2 changed files with 21 additions and 1 deletions


@ -20,9 +20,16 @@ class StoreAssetRequest extends ImageUploadRequest
public function prepareForValidation(): void
{
// Guard against users passing in an array for company_id instead of an integer.
// If the company_id is not an integer then we simply use what was
// provided to be caught by model level validation later.
$idForCurrentUser = is_int($this->company_id)
? Company::getIdForCurrentUser($this->company_id)
: $this->company_id;
$this->merge([
'asset_tag' => $this->asset_tag ?? Asset::autoincrement_asset(),
'company_id' => Company::getIdForCurrentUser($this->company_id),
'company_id' => $idForCurrentUser,
'assigned_to' => $assigned_to ?? null,
]);
}
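Review bot: The `is_int($this->company_id)` guard in `prepareForValidation()` skips `Company::getIdForCurrentUser()` for more than the array case the comment describes. A numeric string such as `'1'` (form-encoded input or a quoted JSON value) and an omitted `company_id` (null) both fail `is_int`, so the submitted value is merged unchanged, whereas the removed line passed every value through the helper. The helper is not shown on this page, but if it is what ties the asset to a company the current user is allowed to use, those requests now bypass it and rely only on later model validation. Narrowing the guard to arrays keeps the previous path for everything else: `$idForCurrentUser = is_array($this->company_id) ? $this->company_id : Company::getIdForCurrentUser($this->company_id);`.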


@ -10,6 +10,7 @@ use App\Models\Statuslabel;
use App\Models\Supplier;
use App\Models\User;
use Carbon\Carbon;
use Illuminate\Testing\Fluent\AssertableJson;
use Tests\Support\InteractsWithSettings;
use Tests\TestCase;
@ -425,4 +426,16 @@ class AssetStoreTest extends TestCase
// I think this makes sense, but open to a sanity check
$this->assertTrue($asset->assignedAssets()->find($response['payload']['id'])->is($apiAsset));
}
public function testCompanyIdNeedsToBeInteger()
{
$this->actingAsForApi(User::factory()->createAssets()->create())
->postJson(route('api.assets.store'), [
'company_id' => [1],
])
->assertStatusMessageIs('error')
->assertJson(function (AssertableJson $json) {
$json->has('messages.company_id')->etc();
});
}
}
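Review bot: `testCompanyIdNeedsToBeInteger` exercises only the array payload (`'company_id' => [1]`), so nothing pins what happens to the other values that fail the request's `is_int` check, namely a numeric string and an omitted `company_id`. A companion case posting `'company_id' => '1'` and asserting which company the stored asset ends up with would show whether the helper call is still applied to ordinary input. The new method could also declare `: void`, as `prepareForValidation()` does.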