diff --git a/.env.example b/.env.example
index 35f2277b37..936eb4b29d 100644
--- a/.env.example
+++ b/.env.example
@@ -63,7 +63,13 @@ ENCRYPT=false
COOKIE_NAME=snipeit_session
COOKIE_DOMAIN=null
SECURE_COOKIES=false
+
+
+# --------------------------------------------
+# OPTIONAL: SECURITY HEADER SETTINGS
+# --------------------------------------------
REFERRER_POLICY=strict-origin
+DISABLE_CSP=false
# --------------------------------------------
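Review bot: The new `DISABLE_CSP=false` line carries no explanation, and the guidance in config/app.php that it should stay false unless the operator knows what the Content-Security-Policy header is will not be seen by someone editing only their .env. Add a comment under the new heading such as `# Set DISABLE_CSP=true only if you need to turn the Content-Security-Policy header off; leave it false otherwise.` The existing REFERRER_POLICY line now falls under the same heading, which fits, but it would benefit from a one-line comment of its own for symmetry.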
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
index 9507443700..8da5a4ac22 100644
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -12,20 +12,27 @@
#### Please confirm you have done the following before posting your bug report:
-- [ ] I have enabled debug mode
+- [ ] I have enabled debug mode
- [ ] I have read [checked the Common Issues page](https://snipe-it.readme.io/docs/common-issues)
-----
-#### Please provide answers to these questions before posting your bug report:
+#### Provide answers to these questions:
+- Is this a fresh install or an upgrade?
- Version of Snipe-IT you're running
+- Version of PHP you're running
+- Version of MySQL/MariaDB you're running
- What OS and web server you're running Snipe-IT on
- What method you used to install Snipe-IT (install.sh, manual installation, docker, etc)
- WITH DEBUG TURNED ON, if you're getting an error in your browser, include that error
- What specific Snipe-IT page you're on, and what specific element you're interacting with to trigger the error
- If a stacktrace is provided in the error, include that too.
- Any errors that appear in your browser's error console.
-- Confirm whether the error is [reproduceable on the demo](https://snipeitapp.com/demo).
+- Confirm whether the error is reproduceable on the demo: https://snipeitapp.com/demo.
- Include any additional information you can find in `app/storage/logs` and your webserver's logs.
- Include what you've done so far in the installation, and if you got any error messages along the way.
- Indicate whether or not you've manually edited any data directly in the database
+
+Please do not post an issue without answering the related questions above. If you have opened a different issue and already answered these questions, answer them again, once for every ticket. It will be next to impossible for us to help you.
+
+https://snipe-it.readme.io/docs/getting-help
diff --git a/app/Http/Controllers/LicensesController.php b/app/Http/Controllers/LicensesController.php
index f008dec107..8c89348899 100755
--- a/app/Http/Controllers/LicensesController.php
+++ b/app/Http/Controllers/LicensesController.php
@@ -334,15 +334,14 @@ class LicensesController extends Controller
if ($licenseSeat->save()) {
$licenseSeat->logCheckout($request->input('note'), $target);
- $data['license_id'] =$licenseSeat->license_id;
+ $data['license_id'] = $licenseSeat->license_id;
$data['note'] = $request->input('note');
// Redirect to the new asset page
return redirect()->route("licenses.index")->with('success', trans('admin/licenses/message.checkout.success'));
}
-
- // Redirect to the asset management page with error
- return redirect()->to("admin/licenses/{$asset_id}/checkout")->with('error', trans('admin/licenses/message.create.error'))->with('license', new License);
+
+ return redirect()->route("licenses.index")->with('error', trans('admin/licenses/message.checkout.error'));
}
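Review bot: The two `$data[...]` assignments on the reformatted line and the one after it are dead code — `$data` is never read before the redirect that follows, so `$data['license_id'] = $licenseSeat->license_id;` and `$data['note'] = $request->input('note');` can be dropped unless `$data` is consumed earlier in the method, whose start lies outside this hunk. The new error branch also discards the reason the save failed; if the seat model exposes validation errors, chain `->withErrors(...)` onto the redirect so the user learns what was wrong instead of a generic message. The enclosing method begins before this hunk.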
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index f46813734b..b305ef94e2 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -20,6 +20,7 @@ class Kernel extends HttpKernel
\App\Http\Middleware\FrameGuard::class,
\App\Http\Middleware\XssProtectHeader::class,
\App\Http\Middleware\ReferrerPolicyHeader::class,
+ \App\Http\Middleware\ContentSecurityPolicyHeader::class,
\App\Http\Middleware\NosniffGuard::class,
\App\Http\Middleware\CheckForSetup::class,
\Fideloper\Proxy\TrustProxies::class,
diff --git a/app/Http/Middleware/ContentSecurityPolicyHeader.php b/app/Http/Middleware/ContentSecurityPolicyHeader.php
new file mode 100644
index 0000000000..dd0d39cf36
--- /dev/null
+++ b/app/Http/Middleware/ContentSecurityPolicyHeader.php
@@ -0,0 +1,35 @@
+headers->set('Content-Security-Policy', $policy);
+ return $response;
+ }
+}
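Review bot: `$response->headers->set('Content-Security-Policy', $policy)` unconditionally replaces any Content-Security-Policy a controller or package already placed on the response, and because the middleware is registered in the global stack in app/Http/Kernel.php a stricter per-route policy would be silently overwritten by the site-wide default. Guard it with `if (! $response->headers->has('Content-Security-Policy')) { $response->headers->set('Content-Security-Policy', $policy); }` so this middleware only supplies a fallback. Most of this new file — the policy string and, presumably, the `disable_csp` gate — is missing from this view, so nothing can be said about the directives themselves.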
diff --git a/app/Http/Transformers/AssetsTransformer.php b/app/Http/Transformers/AssetsTransformer.php
index adcbfafe9a..92ba702a15 100644
--- a/app/Http/Transformers/AssetsTransformer.php
+++ b/app/Http/Transformers/AssetsTransformer.php
@@ -33,8 +33,8 @@ class AssetsTransformer
'model_number' => ($asset->model) ? e($asset->model->model_number) : null,
'status_label' => ($asset->assetstatus) ? [
'id' => (int) $asset->assetstatus->id,
- 'name'=> e($asset->assetstatus->name),
- 'status_type' => e($asset->assetstatus->getStatuslabelType()),
+ 'name'=> e($asset->present()->statusText),
+ 'status_meta' => e($asset->present()->statusMeta),
] : null,
'category' => ($asset->model->category) ? [
'id' => (int) $asset->model->category->id,
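Review bot: Dropping the `status_type` key in favour of `status_meta` and sourcing `name` from the presenter changes the JSON the API returns: clients reading `status_label.status_type` now get nothing, and `name` presumably reads "deployed" for assigned assets rather than the label's own name (statusText's assigned branch is not visible in this diff). If existing consumers must keep working, emit both keys, `'status_type' => e($asset->present()->statusMeta),` next to `'status_meta' => e($asset->present()->statusMeta),`, or document the break for API users. The surrounding array literal starts and ends outside the hunk.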
diff --git a/app/Presenters/AssetPresenter.php b/app/Presenters/AssetPresenter.php
index 87d4469b50..53188aa237 100644
--- a/app/Presenters/AssetPresenter.php
+++ b/app/Presenters/AssetPresenter.php
@@ -325,6 +325,24 @@ class AssetPresenter extends Presenter
return $interval;
}
+ /**
+ * @return string
+ * This handles the status label "meta" status of "deployed" if
+ * it's assigned. Should maybe deprecate.
+ */
+ public function statusMeta()
+ {
+ if ($this->model->assignedTo) {
+ return strtolower(trans('general.deployed'));
+ }
+ return $this->model->assetstatus->getStatuslabelType();
+ }
+
+ /**
+ * @return string
+ * This handles the status label "meta" status of "deployed" if
+ * it's assigned. Should maybe deprecate.
+ */
public function statusText()
{
if ($this->model->assignedTo) {
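Review bot: The docblock added above statusText is a verbatim copy of the one written for statusMeta, but statusText returns `$this->model->assetstatus->name` rather than the label type, so the comment now misdescribes the method it sits on; reword it to `Status label name, or the translated "deployed" when the asset is assigned.` In statusMeta, `strtolower(trans('general.deployed'))` lowercases byte-wise and the translation may contain non-ASCII letters, so `return mb_strtolower(trans('general.deployed'));` is the safer form. In both docblocks the `@return string` tag precedes the description; PHPDoc convention puts the summary sentence first. statusText continues past the end of this hunk.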
@@ -332,6 +350,7 @@ class AssetPresenter extends Presenter
}
return $this->model->assetstatus->name;
}
+
/**
* Date the warantee expires.
* @return false|string
diff --git a/app/Presenters/LicensePresenter.php b/app/Presenters/LicensePresenter.php
index 5bbdb16cca..c41dc99200 100644
--- a/app/Presenters/LicensePresenter.php
+++ b/app/Presenters/LicensePresenter.php
@@ -152,7 +152,7 @@ class LicensePresenter extends Presenter
*/
public function fullName()
{
- return 'poop';
+ return $this->name;
}
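Review bot: `return $this->name;` reads a property on the presenter object itself, whereas the other presenter methods in this commit reach the underlying model through `$this->model->...` (see AssetPresenter's statusMeta and statusText). Unless the base Presenter forwards unknown property reads to the model, this yields an undefined-property notice and returns null; `return $this->model->name;` is the form consistent with the rest of the codebase. The method's docblock is cut off above the hunk.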
diff --git a/config/app.php b/config/app.php
index 451fd17de1..39f92f0087 100755
--- a/config/app.php
+++ b/config/app.php
@@ -169,6 +169,24 @@ return [
'referrer_policy' => env('REFERRER_POLICY', 'strict-origin'),
+ /*
+ |--------------------------------------------------------------------------
+ | CSP
+ |--------------------------------------------------------------------------
+ |
+ | Disable the content security policy that restricts what scripts, images
+ | and styles can load. (This should be left as false if you don't know
+ | what this means.)
+ |
+ | Read more: https://www.w3.org/TR/CSP/
+ | Read more: https://content-security-policy.com
+ |
+ */
+
+ 'disable_csp' => env('DISABLE_CSP', false),
+
+
+
/*
|--------------------------------------------------------------------------
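Review bot: `disable_csp` is a negated flag, so every consumer must read `! config('app.disable_csp')`, while the neighbouring `referrer_policy` key is expressed positively; a positive key with a true default would read more naturally, though it is a naming choice and would also need the .env.example key renamed. Laravel's `env()` already maps the strings 'true'/'false' to booleans, so the uncast `env('DISABLE_CSP', false)` is correct and should not be wrapped in `(bool)`. The three blank lines left after the new entry are more than the single blank line used between the other blocks in this hunk.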
diff --git a/public/.htaccess b/public/.htaccess
index eafa69a6e6..0fc54f004b 100644
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -5,10 +5,12 @@
RewriteEngine On
- # Uncomment these two lines to force SSL redirect
+ # Uncomment these two lines to force SSL redirect in Apache
# RewriteCond %{HTTPS} off
# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+
+
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
@@ -21,4 +23,11 @@
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+ # Security Headers
+ # Header set Strict-Transport-Security "max-age=2592000" env=HTTPS
+ # Header set X-XSS-Protection "1; mode=block"
+ # Header set X-Content-Type-Options nosniff
+ # Header set X-Permitted-Cross-Domain-Policies "master-only"
+
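Review bot: The commented `Header set` lines will produce a 500 on any server where mod_headers is not loaded once an operator uncomments them; wrap the group in `<IfModule mod_headers.c>` … `</IfModule>` so the file degrades gracefully. The HSTS value `max-age=2592000` is thirty days, whereas a year (`max-age=31536000`) is the commonly recommended setting once HTTPS is known to work, and the `env=HTTPS` condition relies on mod_ssl exporting that variable. X-XSS-Protection and X-Content-Type-Options are already emitted by the XssProtectHeader and NosniffGuard middleware listed in app/Http/Kernel.php, so enabling those two lines here overlaps with the application; a comment saying which layer is meant to own them would avoid conflicting values.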
diff --git a/resources/views/account/accept-asset.blade.php b/resources/views/account/accept-asset.blade.php
index fcb4d3ec56..f7602b5cdb 100644
--- a/resources/views/account/accept-asset.blade.php
+++ b/resources/views/account/accept-asset.blade.php
@@ -94,7 +94,7 @@
@section('moar_scripts')
-
-@endsection
\ No newline at end of file
+@endsection
diff --git a/resources/views/account/requestable-assets.blade.php b/resources/views/account/requestable-assets.blade.php
index 31b69cf53a..6d492fad86 100644
--- a/resources/views/account/requestable-assets.blade.php
+++ b/resources/views/account/requestable-assets.blade.php
@@ -149,7 +149,7 @@
@section('moar_scripts')
-
-