From fb4fe3004906acfc53a0d26e5e62569cb078d1e8 Mon Sep 17 00:00:00 2001
From: Tobias Regnery
Date: Fri, 11 Oct 2024 12:09:09 +0200
Subject: [PATCH 1/2] Fix asset creation with API and FullMultipleCompanySupport
It is currently possible to create an asset with arbitrary company without being superuser and FullMultipleCompanySupport enabled. This bug goes back to 75ac7f80b9 which is part of version 6.3.0. Fix this by restoring the previous behaviour to check the company_id with getIdForCurrentUser().
---
 app/Http/Controllers/Api/AssetsController.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/app/Http/Controllers/Api/AssetsController.php b/app/Http/Controllers/Api/AssetsController.php
index d4a103be37..00c5416afb 100644
--- a/app/Http/Controllers/Api/AssetsController.php
+++ b/app/Http/Controllers/Api/AssetsController.php
@@ -598,6 +598,7 @@ class AssetsController extends Controller
 $asset->model()->associate(AssetModel::find((int) $request->get('model_id')));
 $asset->fill($request->validated());
+ $asset->company_id = Company::getIdForCurrentUser($request->validated()['company_id']);
 $asset->created_by = auth()->id();
 /**
From feaa71430493b46870203f31d0540a39b2355411 Mon Sep 17 00:00:00 2001
From: snipe
Date: Fri, 11 Oct 2024 14:23:57 +0100
Subject: [PATCH 2/2] Nicer disabled button
Signed-off-by: snipe
---
 resources/views/account/view-assets.blade.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/resources/views/account/view-assets.blade.php b/resources/views/account/view-assets.blade.php
index e4cb6d33f2..96683fa9b1 100755
--- a/resources/views/account/view-assets.blade.php
+++ b/resources/views/account/view-assets.blade.php
@@ -144,7 +144,8 @@ @else - @endif
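Review bot: In AssetsController.php the added line indexes `$request->validated()['company_id']` directly, so a create request that omits `company_id` would raise an undefined-key error instead of being scoped by the helper, unless the form request always injects that key (not visible in this hunk). `$asset->company_id = Company::getIdForCurrentUser($request->validated()['company_id'] ?? null);` keeps the check and tolerates the missing key, assuming the helper accepts null. Since the commit message says this authorization check was already lost once in an earlier change, the line deserves a comment such as `// Must run after fill(): non-superusers under FullMultipleCompanySupport may not choose an arbitrary company_id`. It also deserves a regression test asserting that a non-superuser's API create cannot land in another company. The enclosing controller method begins and ends outside the hunk, so whether the update path applies the same scoping has to be checked separately.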