From 46d87849f4e7e0348fd67f7e542b9d324349452f Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 28 Sep 2017 19:45:15 -0700
Subject: [PATCH 01/13] Added content security middleware

---
 .env.example                                  |  6 ++++
 app/Http/Kernel.php                           |  1 +
 .../ContentSecurityPolicyHeader.php           | 35 +++++++++++++++++++
 config/app.php                                | 18 ++++++++++
 public/.htaccess                              | 11 +++++-
 .../views/account/accept-asset.blade.php      |  2 +-
 resources/views/account/api.blade.php         |  4 +--
 .../account/requestable-assets.blade.php      |  2 +-
 .../views/asset_maintenances/index.blade.php  |  2 +-
 .../views/custom_fields/fields/edit.blade.php |  2 +-
 .../custom_fields/fieldsets/view.blade.php    |  2 +-
 resources/views/dashboard.blade.php           |  2 +-
 .../views/hardware/bulk-checkout.blade.php    |  2 +-
 resources/views/hardware/checkout.blade.php   |  2 +-
 resources/views/hardware/edit.blade.php       |  2 +-
 resources/views/hardware/history.blade.php    |  2 +-
 resources/views/hardware/quickscan.blade.php  |  2 +-
 resources/views/hardware/view.blade.php       |  2 +-
 resources/views/importer/import.blade.php     |  2 +-
 resources/views/layouts/default.blade.php     | 12 +++----
 resources/views/layouts/setup.blade.php       |  4 +--
 resources/views/locations/edit.blade.php      |  2 +-
 resources/views/modals/user.blade.php         |  2 +-
 .../views/partials/bootstrap-table.blade.php  |  2 +-
 resources/views/settings/api.blade.php        |  2 +-
 resources/views/settings/branding.blade.php   |  2 +-
 resources/views/settings/general.blade.php    |  2 +-
 resources/views/settings/ldap.blade.php       |  2 +-
 resources/views/statuslabels/edit.blade.php   |  2 +-
 resources/views/statuslabels/index.blade.php  |  2 +-
 resources/views/users/edit.blade.php          |  6 ++--
 resources/views/users/index.blade.php         |  2 +-
 resources/views/users/view.blade.php          |  2 +-
 33 files changed, 107 insertions(+), 38 deletions(-)
 create mode 100644 app/Http/Middleware/ContentSecurityPolicyHeader.php

diff --git a/.env.example b/.env.example
index 35f2277b37..936eb4b29d 100644
--- a/.env.example
+++ b/.env.example
@@ -63,7 +63,13 @@ ENCRYPT=false
 COOKIE_NAME=snipeit_session
 COOKIE_DOMAIN=null
 SECURE_COOKIES=false
+
+
+# --------------------------------------------
+# OPTIONAL: SECURITY HEADER SETTINGS
+# --------------------------------------------
 REFERRER_POLICY=strict-origin
+DISABLE_CSP=false
 
 
 # --------------------------------------------
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index f46813734b..b305ef94e2 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -20,6 +20,7 @@ class Kernel extends HttpKernel
         \App\Http\Middleware\FrameGuard::class,
         \App\Http\Middleware\XssProtectHeader::class,
         \App\Http\Middleware\ReferrerPolicyHeader::class,
+        \App\Http\Middleware\ContentSecurityPolicyHeader::class,
         \App\Http\Middleware\NosniffGuard::class,
         \App\Http\Middleware\CheckForSetup::class,
         \Fideloper\Proxy\TrustProxies::class,
diff --git a/app/Http/Middleware/ContentSecurityPolicyHeader.php b/app/Http/Middleware/ContentSecurityPolicyHeader.php
new file mode 100644
index 0000000000..a85c430e63
--- /dev/null
+++ b/app/Http/Middleware/ContentSecurityPolicyHeader.php
@@ -0,0 +1,35 @@
+<?php
+namespace App\Http\Middleware;
+
+use Closure;
+
+class ContentSecurityPolicyHeader
+{
+    /**
+     * Handle the given request and get the response.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return \Illuminate\Http\Response
+     */
+    public function handle($request, Closure $next)
+    {
+        if (config('app.disable_csp')=='true') {
+            $response = $next($request);
+            return $response;
+        }
+
+        $policy[] = "default-src 'self'";
+        $policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
+        $policy[] = "script-src 'self' oss.mafxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'";
+        $policy[] = "connect-src 'self'";
+        $policy[] = "object-src 'none'";
+        $policy[] = "font-src 'self' data:";
+        $policy[] = "img-src 'self' data: gravatar.com";
+        $policy = join(';', $policy);
+
+        $response = $next($request);
+        $response->headers->set('Content-Security-Policy', $policy);
+        return $response;
+    }
+}
diff --git a/config/app.php b/config/app.php
index 451fd17de1..39f92f0087 100755
--- a/config/app.php
+++ b/config/app.php
@@ -169,6 +169,24 @@ return [
 
     'referrer_policy' => env('REFERRER_POLICY', 'strict-origin'),
 
+    /*
+    |--------------------------------------------------------------------------
+    | CSP
+    |--------------------------------------------------------------------------
+    |
+    | Disable the content security policy that restricts what scripts, images
+    | and styles can load. (This should be left as false if you don't know
+    | what this means.)
+    |
+    | Read more: https://www.w3.org/TR/CSP/
+    | Read more: https://content-security-policy.com
+    |
+    */
+
+    'disable_csp' => env('DISABLE_CSP', false),
+
+
+
 
     /*
     |--------------------------------------------------------------------------
diff --git a/public/.htaccess b/public/.htaccess
index eafa69a6e6..513d3714c4 100644
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -5,10 +5,12 @@
 
     RewriteEngine On
 
-    # Uncomment these two lines to force SSL redirect
+    # Uncomment these two lines to force SSL redirect in Apache
     # RewriteCond %{HTTPS} off
     # RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
 
+
+
     # Redirect Trailing Slashes If Not A Folder...
     RewriteCond %{REQUEST_FILENAME} !-d
     RewriteRule ^(.*)/$ /$1 [L,R=301]
@@ -21,4 +23,11 @@
     # Handle Authorization Header
     RewriteCond %{HTTP:Authorization} .
     RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+    # Security Headers
+    Header set Strict-Transport-Security "max-age=2592000" env=HTTPS
+    Header set X-XSS-Protection "1; mode=block"
+    Header set X-Content-Type-Options nosniff
+    Header set X-Permitted-Cross-Domain-Policies "master-only"
+
 </IfModule>
diff --git a/resources/views/account/accept-asset.blade.php b/resources/views/account/accept-asset.blade.php
index fcb4d3ec56..f7602b5cdb 100644
--- a/resources/views/account/accept-asset.blade.php
+++ b/resources/views/account/accept-asset.blade.php
@@ -94,7 +94,7 @@
 @section('moar_scripts')
 
     <script src="{{ asset('js/signature_pad.min.js') }}"></script>
-    <script>
+    <script nonce="{{ csrf_token() }}">
         var wrapper = document.getElementById("signature-pad"),
                 clearButton = wrapper.querySelector("[data-action=clear]"),
                 saveButton = wrapper.querySelector("[data-action=save]"),
diff --git a/resources/views/account/api.blade.php b/resources/views/account/api.blade.php
index 0629dbf08a..37d7942f92 100644
--- a/resources/views/account/api.blade.php
+++ b/resources/views/account/api.blade.php
@@ -16,9 +16,9 @@
 @stop
 
 @section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
     new Vue({
         el: "#app",
     });
 </script>
-@endsection
\ No newline at end of file
+@endsection
diff --git a/resources/views/account/requestable-assets.blade.php b/resources/views/account/requestable-assets.blade.php
index 31b69cf53a..6d492fad86 100644
--- a/resources/views/account/requestable-assets.blade.php
+++ b/resources/views/account/requestable-assets.blade.php
@@ -149,7 +149,7 @@
 
 
 @section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
 
     $( "a[name='Request']").click(function(event) {
         // event.preventDefault();
diff --git a/resources/views/asset_maintenances/index.blade.php b/resources/views/asset_maintenances/index.blade.php
index 4b604f2b0a..966aced35d 100644
--- a/resources/views/asset_maintenances/index.blade.php
+++ b/resources/views/asset_maintenances/index.blade.php
@@ -58,7 +58,7 @@
 
 @section('moar_scripts')
 @include ('partials.bootstrap-table', ['exportFile' => 'maintenances-export', 'search' => true])
-<script>
+<script nonce="{{ csrf_token() }}">
     function maintenanceActions(value, row) {
         var actions = '<nobr>';
         if ((row) && (row.available_actions.update === true)) {
diff --git a/resources/views/custom_fields/fields/edit.blade.php b/resources/views/custom_fields/fields/edit.blade.php
index 2e058a90aa..2709aaf9a6 100644
--- a/resources/views/custom_fields/fields/edit.blade.php
+++ b/resources/views/custom_fields/fields/edit.blade.php
@@ -134,7 +134,7 @@
 @stop
 
 @section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
     $(document).ready(function(){
 
         // Only display the custom format field if it's a custom format validation type
diff --git a/resources/views/custom_fields/fieldsets/view.blade.php b/resources/views/custom_fields/fieldsets/view.blade.php
index 1a9f9f1ca6..b4570718b1 100644
--- a/resources/views/custom_fields/fieldsets/view.blade.php
+++ b/resources/views/custom_fields/fieldsets/view.blade.php
@@ -82,7 +82,7 @@
 @stop
 
 @section('moar_scripts')
-  <script>
+  <script nonce="{{ csrf_token() }}">
   var fixHelperModified = function(e, tr) {
       var $originals = tr.children();
       var $helper = tr.clone();
diff --git a/resources/views/dashboard.blade.php b/resources/views/dashboard.blade.php
index d39470ada9..e8e3c67015 100755
--- a/resources/views/dashboard.blade.php
+++ b/resources/views/dashboard.blade.php
@@ -253,7 +253,7 @@
 @endif
 
 
-<script>
+<script nonce="{{ csrf_token() }}">
 
 
 
diff --git a/resources/views/hardware/bulk-checkout.blade.php b/resources/views/hardware/bulk-checkout.blade.php
index 00390274ee..1d0ce83f70 100644
--- a/resources/views/hardware/bulk-checkout.blade.php
+++ b/resources/views/hardware/bulk-checkout.blade.php
@@ -107,7 +107,7 @@
 @stop
 
 @section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
 $(function() {
   $('#assigned_to').on("change",function () {
     // console.warn("Model Id has changed!");
diff --git a/resources/views/hardware/checkout.blade.php b/resources/views/hardware/checkout.blade.php
index 97ce9bb741..f7bb2998ab 100755
--- a/resources/views/hardware/checkout.blade.php
+++ b/resources/views/hardware/checkout.blade.php
@@ -154,7 +154,7 @@
 @stop
 
 @section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
 $(function() {
   $('#assigned_user').on("change",function () {
     var userid = $('#assigned_user option:selected').val();
diff --git a/resources/views/hardware/edit.blade.php b/resources/views/hardware/edit.blade.php
index 7271be3cb0..c036249605 100755
--- a/resources/views/hardware/edit.blade.php
+++ b/resources/views/hardware/edit.blade.php
@@ -160,7 +160,7 @@
 @stop
 
 @section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
 
 
 
diff --git a/resources/views/hardware/history.blade.php b/resources/views/hardware/history.blade.php
index b2b08bd807..ded1cdc3ca 100644
--- a/resources/views/hardware/history.blade.php
+++ b/resources/views/hardware/history.blade.php
@@ -190,7 +190,7 @@
             @endif
 
         </div></div></div>
-<script>
+<script nonce="{{ csrf_token() }}">
 $(document).ready(function(){
 
     $('#generate-password').pGenerator({
diff --git a/resources/views/hardware/quickscan.blade.php b/resources/views/hardware/quickscan.blade.php
index 49d5a6a45d..0c0a8bd11e 100644
--- a/resources/views/hardware/quickscan.blade.php
+++ b/resources/views/hardware/quickscan.blade.php
@@ -125,7 +125,7 @@
 
 
 @section('moar_scripts')
-    <script>
+    <script nonce="{{ csrf_token() }}">
 
         $("#audit-form").submit(function (event) {
             $('#audited-div').show();
diff --git a/resources/views/hardware/view.blade.php b/resources/views/hardware/view.blade.php
index 2e86178189..848b808dad 100755
--- a/resources/views/hardware/view.blade.php
+++ b/resources/views/hardware/view.blade.php
@@ -703,7 +703,7 @@
 @section('moar_scripts')
   @include ('partials.bootstrap-table', ['simple_view' => true])
 
-<script>
+<script nonce="{{ csrf_token() }}">
     $(document).delegate('*[data-toggle="lightbox"]', 'click', function(event) {
         event.preventDefault();
         $(this).ekkoLightbox();
diff --git a/resources/views/importer/import.blade.php b/resources/views/importer/import.blade.php
index abeaecd848..655e6ade7e 100644
--- a/resources/views/importer/import.blade.php
+++ b/resources/views/importer/import.blade.php
@@ -83,7 +83,7 @@
 @stop
 
 @section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
     new Vue({
         el: '#app'
     });
diff --git a/resources/views/layouts/default.blade.php b/resources/views/layouts/default.blade.php
index 3b72b32b5c..d7aa31653f 100644
--- a/resources/views/layouts/default.blade.php
+++ b/resources/views/layouts/default.blade.php
@@ -27,13 +27,13 @@
 
     <meta name="csrf-token" content="{{ csrf_token() }}">
 
-      <script>
+      <script nonce="{{ csrf_token() }}">
           window.Laravel = { csrfToken: '{{ csrf_token() }}' };
       </script>
 
 
 
-      <style>
+      <style nonce="{{ csrf_token() }}">
         @if ($snipeSettings)
             @if ($snipeSettings->header_color)
             .main-header .navbar, .main-header .logo {
@@ -70,7 +70,7 @@
 
 
 
-    <script>
+    <script nonce="{{ csrf_token() }}">
           window.snipeit = {
               settings: {
                   "per_page": {{ $snipeSettings->per_page }}
@@ -662,7 +662,7 @@
 
 
     <script src="{{ url(mix('js/dist/all.js')) }}"></script>
-    <script>
+    <script nonce="{{ csrf_token() }}">
         $(function () {
             var datepicker = $.fn.datepicker.noConflict(); // return $.fn.datepicker to previously assigned value
             $.fn.bootstrapDP = datepicker;
@@ -677,14 +677,14 @@
     @section('moar_scripts')
     @show
 
-    <script>
+    <script nonce="{{ csrf_token() }}">
         $(function () {
             $('[data-toggle="tooltip"]').tooltip();
         })
     </script>
 
     @if ((Session::get('topsearch')=='true') || (Request::is('/')))
-    <script>
+    <script nonce="{{ csrf_token() }}">
          $("#tagSearch").focus();
     </script>
     @endif
diff --git a/resources/views/layouts/setup.blade.php b/resources/views/layouts/setup.blade.php
index 50ad244f11..90fdd93833 100644
--- a/resources/views/layouts/setup.blade.php
+++ b/resources/views/layouts/setup.blade.php
@@ -13,7 +13,7 @@
 
 
 
-        <script>
+        <script nonce="{{ csrf_token() }}">
             window.snipeit = {
                 settings: {
                     "per_page": 20
@@ -120,7 +120,7 @@
           </div>
           <script src="{{ url(mix('js/dist/all.js')) }}"></script>
 
-        <script>
+        <script nonce="{{ csrf_token() }}">
             $(function () {
                 $(".select2").select2();
             });
diff --git a/resources/views/locations/edit.blade.php b/resources/views/locations/edit.blade.php
index 59235e3f2c..6bed6e96aa 100755
--- a/resources/views/locations/edit.blade.php
+++ b/resources/views/locations/edit.blade.php
@@ -62,7 +62,7 @@
 
 @if (!$item->id)
 @section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
 
     var $eventSelect = $(".parent");
     $eventSelect.on("change", function () { parent_details($eventSelect.val()); });
diff --git a/resources/views/modals/user.blade.php b/resources/views/modals/user.blade.php
index 21f490dd9c..df0b815ecb 100644
--- a/resources/views/modals/user.blade.php
+++ b/resources/views/modals/user.blade.php
@@ -1,7 +1,7 @@
 
 <script src="/js/pGenerator.jquery.js"></script>
 
-<script>
+<script nonce="{{ csrf_token() }}">
     $(document).ready(function () {
 
         $('#genPassword').pGenerator({
diff --git a/resources/views/partials/bootstrap-table.blade.php b/resources/views/partials/bootstrap-table.blade.php
index 91b8836283..f60a2f19ab 100644
--- a/resources/views/partials/bootstrap-table.blade.php
+++ b/resources/views/partials/bootstrap-table.blade.php
@@ -13,7 +13,7 @@
 <script src="{{ asset('js/extensions/toolbar/bootstrap-table-toolbar.js') }}"></script>
 @endif
 
-<script>
+<script nonce="{{ csrf_token() }}">
 $('.snipe-table').bootstrapTable({
         classes: 'table table-responsive table-no-bordered',
         undefinedText: '',
diff --git a/resources/views/settings/api.blade.php b/resources/views/settings/api.blade.php
index 2d5d7a9dde..7ab0bc806a 100644
--- a/resources/views/settings/api.blade.php
+++ b/resources/views/settings/api.blade.php
@@ -24,7 +24,7 @@
 @stop
 
 @section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
     new Vue({
         el: "#app",
     });
diff --git a/resources/views/settings/branding.blade.php b/resources/views/settings/branding.blade.php
index a0ea7cd54d..5365c091a4 100644
--- a/resources/views/settings/branding.blade.php
+++ b/resources/views/settings/branding.blade.php
@@ -146,7 +146,7 @@
 
 @section('moar_scripts')
     <!-- bootstrap color picker -->
-    <script>
+    <script nonce="{{ csrf_token() }}">
         //color picker with addon
         $(".header-color").colorpicker();
         // toggle the disabled state of asset id prefix
diff --git a/resources/views/settings/general.blade.php b/resources/views/settings/general.blade.php
index 01a68340ff..f1d4f59a2d 100644
--- a/resources/views/settings/general.blade.php
+++ b/resources/views/settings/general.blade.php
@@ -199,7 +199,7 @@
 
 @section('moar_scripts')
     <!-- bootstrap color picker -->
-    <script>
+    <script nonce="{{ csrf_token() }}">
         //color picker with addon
         $(".header-color").colorpicker();
         // toggle the disabled state of asset id prefix
diff --git a/resources/views/settings/ldap.blade.php b/resources/views/settings/ldap.blade.php
index 274789f623..4bdc3f03b9 100644
--- a/resources/views/settings/ldap.blade.php
+++ b/resources/views/settings/ldap.blade.php
@@ -372,7 +372,7 @@
 @stop
 
 @section('moar_scripts')
-    <script>
+    <script nonce="{{ csrf_token() }}">
         $("#ldaptest").click(function(){
             $("#ldaptestrow").removeClass('success');
             $("#ldaptestrow").removeClass('danger');
diff --git a/resources/views/statuslabels/edit.blade.php b/resources/views/statuslabels/edit.blade.php
index 76badf683c..158a43a853 100755
--- a/resources/views/statuslabels/edit.blade.php
+++ b/resources/views/statuslabels/edit.blade.php
@@ -57,7 +57,7 @@
 
 @section('moar_scripts')
     <!-- bootstrap color picker -->
-    <script>
+    <script nonce="{{ csrf_token() }}">
         //color picker with addon
         $(".color").colorpicker();
     </script>
diff --git a/resources/views/statuslabels/index.blade.php b/resources/views/statuslabels/index.blade.php
index ad9fc83544..6f8cafee25 100755
--- a/resources/views/statuslabels/index.blade.php
+++ b/resources/views/statuslabels/index.blade.php
@@ -54,7 +54,7 @@
 @section('moar_scripts')
 @include ('partials.bootstrap-table', ['exportFile' => 'statuslabels-export', 'search' => true])
 
-  <script>
+  <script nonce="{{ csrf_token() }}">
       function colorSqFormatter(value, row) {
           if (value) {
               return '<span class="label" style="background-color: ' + value + ';">&nbsp;</span> ' + value;
diff --git a/resources/views/users/edit.blade.php b/resources/views/users/edit.blade.php
index 53e504122f..b4f9b2a5a3 100755
--- a/resources/views/users/edit.blade.php
+++ b/resources/views/users/edit.blade.php
@@ -553,7 +553,7 @@
 @stop
 
 @section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
 $(document).ready(function() {
 
 	$('#email').on('keyup',function(){
@@ -570,7 +570,7 @@ $(document).ready(function() {
 });
 </script>
 
-<script>
+<script nonce="{{ csrf_token() }}">
 $('tr.header-row input:radio').click(function() {
   value = $(this).attr('value');
   $(this).parent().parent().siblings().each(function() {
@@ -585,7 +585,7 @@ $('.header-name').click(function() {
 
 <script src="{{ asset('js/pGenerator.jquery.js') }}"></script>
 
-<script>
+<script nonce="{{ csrf_token() }}">
 
 
 $(document).ready(function(){
diff --git a/resources/views/users/index.blade.php b/resources/views/users/index.blade.php
index 8d66b1d543..29a7d6bf03 100755
--- a/resources/views/users/index.blade.php
+++ b/resources/views/users/index.blade.php
@@ -86,7 +86,7 @@
     'columns' => \App\Presenters\UserPresenter::dataTableLayout()
 ])
 
-<script>
+<script nonce="{{ csrf_token() }}">
 
     function groupsFormatter(value) {
 
diff --git a/resources/views/users/view.blade.php b/resources/views/users/view.blade.php
index cb443c26aa..1580a92301 100755
--- a/resources/views/users/view.blade.php
+++ b/resources/views/users/view.blade.php
@@ -491,7 +491,7 @@
 
 @section('moar_scripts')
   @include ('partials.bootstrap-table', ['simple_view' => true])
-<script>
+<script nonce="{{ csrf_token() }}">
 $(function () {
     //binds to onchange event of your input field
     var uploadedFileSize = 0;

From 05a8ba9a8e6364c2f22d5ead1a1e15a962f78bb8 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 29 Sep 2017 04:37:33 -0700
Subject: [PATCH 02/13] Fix weird url if license checkout fails

---
 app/Http/Controllers/LicensesController.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/app/Http/Controllers/LicensesController.php b/app/Http/Controllers/LicensesController.php
index f008dec107..8c89348899 100755
--- a/app/Http/Controllers/LicensesController.php
+++ b/app/Http/Controllers/LicensesController.php
@@ -334,15 +334,14 @@ class LicensesController extends Controller
         if ($licenseSeat->save()) {
             $licenseSeat->logCheckout($request->input('note'), $target);
 
-            $data['license_id'] =$licenseSeat->license_id;
+            $data['license_id'] = $licenseSeat->license_id;
             $data['note'] = $request->input('note');
 
             // Redirect to the new asset page
             return redirect()->route("licenses.index")->with('success', trans('admin/licenses/message.checkout.success'));
         }
-
-        // Redirect to the asset management page with error
-        return redirect()->to("admin/licenses/{$asset_id}/checkout")->with('error', trans('admin/licenses/message.create.error'))->with('license', new License);
+        
+        return redirect()->route("licenses.index")->with('error', trans('admin/licenses/message.checkout.error'));
     }
 
 

From efd71f8bfe61456da9f656767685bd390713e4c5 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 29 Sep 2017 04:53:09 -0700
Subject: [PATCH 03/13] For #3998 - Disable CSP if debug=true

To avoid all the nonce hell from debugbar
---
 app/Http/Middleware/ContentSecurityPolicyHeader.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Http/Middleware/ContentSecurityPolicyHeader.php b/app/Http/Middleware/ContentSecurityPolicyHeader.php
index a85c430e63..dd0d39cf36 100644
--- a/app/Http/Middleware/ContentSecurityPolicyHeader.php
+++ b/app/Http/Middleware/ContentSecurityPolicyHeader.php
@@ -14,7 +14,7 @@ class ContentSecurityPolicyHeader
      */
     public function handle($request, Closure $next)
     {
-        if (config('app.disable_csp')=='true') {
+        if ((config('app.debug')=='true')  || (config('app.disable_csp')=='true')) {
             $response = $next($request);
             return $response;
         }

From b8ed6a53b6f61313f53ab3cfe319b937344aa16d Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 29 Sep 2017 04:53:24 -0700
Subject: [PATCH 04/13] For #3998 - Added nonce to all.js

---
 resources/views/layouts/default.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/layouts/default.blade.php b/resources/views/layouts/default.blade.php
index d7aa31653f..e6014512f6 100644
--- a/resources/views/layouts/default.blade.php
+++ b/resources/views/layouts/default.blade.php
@@ -661,7 +661,7 @@
 
 
 
-    <script src="{{ url(mix('js/dist/all.js')) }}"></script>
+    <script src="{{ url(mix('js/dist/all.js')) }}" nonce="{{ csrf_token() }}"></script>
     <script nonce="{{ csrf_token() }}">
         $(function () {
             var datepicker = $.fn.datepicker.noConflict(); // return $.fn.datepicker to previously assigned value

From b9e79c27a85ffb7c88885ba99b68c136ded3ddb3 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 29 Sep 2017 05:49:26 -0700
Subject: [PATCH 05/13] Added nonce to basic blade

---
 resources/views/layouts/setup.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/layouts/setup.blade.php b/resources/views/layouts/setup.blade.php
index 90fdd93833..258ba34a72 100644
--- a/resources/views/layouts/setup.blade.php
+++ b/resources/views/layouts/setup.blade.php
@@ -118,7 +118,7 @@
                   </div>
               </div>
           </div>
-          <script src="{{ url(mix('js/dist/all.js')) }}"></script>
+          <script src="{{ url(mix('js/dist/all.js')) }}" nonce="{{ csrf_token() }}"></script>
 
         <script nonce="{{ csrf_token() }}">
             $(function () {

From fe1975067a03de8ef2e39ed65ee81f03765768b4 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 29 Sep 2017 12:03:02 -0700
Subject: [PATCH 06/13] Hopefully clearer status label meta info

---
 app/Http/Transformers/AssetsTransformer.php   |  2 +-
 app/Presenters/AssetPresenter.php             | 21 ++++++++++++++++++-
 resources/views/hardware/view.blade.php       |  4 ++--
 .../views/partials/bootstrap-table.blade.php  |  4 ++--
 4 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/app/Http/Transformers/AssetsTransformer.php b/app/Http/Transformers/AssetsTransformer.php
index adcbfafe9a..ea42b51d76 100644
--- a/app/Http/Transformers/AssetsTransformer.php
+++ b/app/Http/Transformers/AssetsTransformer.php
@@ -34,7 +34,7 @@ class AssetsTransformer
             'status_label' => ($asset->assetstatus) ? [
                 'id' => (int) $asset->assetstatus->id,
                 'name'=> e($asset->assetstatus->name),
-                'status_type' =>  e($asset->assetstatus->getStatuslabelType()),
+                'status_meta' =>  e($asset->present()->statusMeta),
             ] : null,
             'category' => ($asset->model->category) ? [
                 'id' => (int) $asset->model->category->id,
diff --git a/app/Presenters/AssetPresenter.php b/app/Presenters/AssetPresenter.php
index 87d4469b50..814a5c5737 100644
--- a/app/Presenters/AssetPresenter.php
+++ b/app/Presenters/AssetPresenter.php
@@ -325,13 +325,32 @@ class AssetPresenter extends Presenter
         return $interval;
     }
 
+    /**
+     * @return string
+     * This handles the status label "meta" status of "deployed" if
+     * it's assigned. Should maybe deprecate.
+     */
+    public function statusMeta()
+    {
+        if ($this->model->assignedTo) {
+            return strtolower(trans('general.deployed'));
+        }
+        return $this->model->assetstatus->getStatuslabelType();
+    }
+
+    /**
+     * @return string
+     * This handles the status label "meta" status of "deployed" if
+     * it's assigned. Should maybe deprecate.
+     */
     public function statusText()
     {
         if ($this->model->assignedTo) {
-            return trans('general.deployed');
+            return strtolower(trans('general.deployed'));
         }
         return $this->model->assetstatus->name;
     }
+
     /**
      * Date the warantee expires.
      * @return false|string
diff --git a/resources/views/hardware/view.blade.php b/resources/views/hardware/view.blade.php
index fcf22ee6d3..45f5beec95 100755
--- a/resources/views/hardware/view.blade.php
+++ b/resources/views/hardware/view.blade.php
@@ -87,8 +87,8 @@
                             &nbsp; &nbsp;</span>
                         </span>
                         @endif
-                        <a href="{{ route('statuslabels.show', $asset->assetstatus->id) }}">{{ $asset->present()->statusText() }}</a>
-                          <label class="label label-default">{{ $asset->assetstatus->getStatuslabelType() }}</label>
+                        <a href="{{ route('statuslabels.show', $asset->assetstatus->id) }}">{{ $asset->assetstatus->name }}</a>
+                          <label class="label label-default">{{ $asset->present()->statusMeta }}</label>
                       </td>
                     </tr>
                     @endif
diff --git a/resources/views/partials/bootstrap-table.blade.php b/resources/views/partials/bootstrap-table.blade.php
index effa640383..46071360ab 100644
--- a/resources/views/partials/bootstrap-table.blade.php
+++ b/resources/views/partials/bootstrap-table.blade.php
@@ -139,8 +139,8 @@ $('.snipe-table').bootstrapTable({
     // Use this when we're introspecting into a column object and need to link
     function genericColumnObjLinkFormatter(destination) {
         return function (value,row) {
-            if ((value) && (value.status_type)) {
-                return '<a href="{{ url('/') }}/' + destination + '/' + value.id + '"> ' + value.name + '</a> ' + '<label class="label label-default">'+ value.status_type + '</label>';
+            if ((value) && (value.status_meta)) {
+                return '<label class="label label-default">'+ value.status_meta + '</label> <a href="{{ url('/') }}/' + destination + '/' + value.id + '"> ' + value.name + '</a> ';
             } else if ((value) && (value.name)) {
                 return '<a href="{{ url('/') }}/' + destination + '/' + value.id + '"> ' + value.name + '</a>';
             }

From 4eda2a2f9699c3ab3bed7a5f8600dab82966f779 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 29 Sep 2017 12:03:12 -0700
Subject: [PATCH 07/13] *ahem*

---
 app/Presenters/LicensePresenter.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Presenters/LicensePresenter.php b/app/Presenters/LicensePresenter.php
index 5bbdb16cca..c41dc99200 100644
--- a/app/Presenters/LicensePresenter.php
+++ b/app/Presenters/LicensePresenter.php
@@ -152,7 +152,7 @@ class LicensePresenter extends Presenter
      */
     public function fullName()
     {
-        return 'poop';
+        return $this->name;
     }
 
 

From 5223ec1dbb4c76e4cc83df75dc52bcd7a33e534d Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 29 Sep 2017 12:13:15 -0700
Subject: [PATCH 08/13] Clearer status listing in the sidenav

---
 resources/views/layouts/default.blade.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/resources/views/layouts/default.blade.php b/resources/views/layouts/default.blade.php
index e6014512f6..d3cc7f6752 100644
--- a/resources/views/layouts/default.blade.php
+++ b/resources/views/layouts/default.blade.php
@@ -382,17 +382,17 @@
 
 
                   <li{!! (Request::query('status') == 'Deployed' ? ' class="active"' : '') !!}>
-                    <a href="{{ url('hardware?status=Deployed') }}"><i class="fa fa-circle-o text-blue"></i>@lang('general.deployed')
+                    <a href="{{ url('hardware?status=Deployed') }}"><i class="fa fa-circle-o text-blue"></i>All  @lang('general.deployed')
                     </a>
                   </li>
                   <li{!! (Request::query('status') == 'RTD' ? ' class="active"' : '') !!}>
                     <a href="{{ url('hardware?status=RTD') }}">
                         <i class="fa fa-circle-o text-green"></i>
-                    @lang('general.ready_to_deploy')</a>
+                        All  @lang('general.ready_to_deploy')</a>
                   </li>
-                  <li{!! (Request::query('status') == 'Pending' ? ' class="active"' : '') !!}><a href="{{ url('hardware?status=Pending') }}"><i class="fa fa-circle-o text-orange"></i>@lang('general.pending')</a></li>
-                  <li{!! (Request::query('status') == 'Undeployable' ? ' class="active"' : '') !!} ><a href="{{ url('hardware?status=Undeployable') }}"><i class="fa fa-times text-red"></i>@lang('general.undeployable')</a></li>
-                  <li{!! (Request::query('status') == 'Archived' ? ' class="active"' : '') !!}><a href="{{ url('hardware?status=Archived') }}"><i class="fa fa-times text-red"></i>@lang('admin/hardware/general.archived')</a></li>
+                  <li{!! (Request::query('status') == 'Pending' ? ' class="active"' : '') !!}><a href="{{ url('hardware?status=Pending') }}"><i class="fa fa-circle-o text-orange"></i>All  @lang('general.pending')</a></li>
+                  <li{!! (Request::query('status') == 'Undeployable' ? ' class="active"' : '') !!} ><a href="{{ url('hardware?status=Undeployable') }}"><i class="fa fa-times text-red"></i>All @lang('general.undeployable')</a></li>
+                  <li{!! (Request::query('status') == 'Archived' ? ' class="active"' : '') !!}><a href="{{ url('hardware?status=Archived') }}"><i class="fa fa-times text-red"></i>All  @lang('admin/hardware/general.archived')</a></li>
                     <li{!! (Request::query('status') == 'Requestable' ? ' class="active"' : '') !!}><a href="{{ url('hardware?status=Requestable') }}"><i class="fa fa-check text-blue"></i> @lang('admin/hardware/general.requestable')</a></li>
 
                   <li class="divider">&nbsp;</li>

From a0bd9bce39d2b88b49282329155bb773086b83a7 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 29 Sep 2017 14:00:05 -0700
Subject: [PATCH 09/13] Commented out security headers - might req apache
 module

---
 public/.htaccess | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/public/.htaccess b/public/.htaccess
index 513d3714c4..0fc54f004b 100644
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -25,9 +25,9 @@
     RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 
     # Security Headers
-    Header set Strict-Transport-Security "max-age=2592000" env=HTTPS
-    Header set X-XSS-Protection "1; mode=block"
-    Header set X-Content-Type-Options nosniff
-    Header set X-Permitted-Cross-Domain-Policies "master-only"
+    # Header set Strict-Transport-Security "max-age=2592000" env=HTTPS
+    # Header set X-XSS-Protection "1; mode=block"
+    # Header set X-Content-Type-Options nosniff
+    # Header set X-Permitted-Cross-Domain-Policies "master-only"
 
 </IfModule>

From 2ea91266c0f7955caad925b4d2907f1305a77030 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 29 Sep 2017 14:26:00 -0700
Subject: [PATCH 10/13] Init lightbox

---
 resources/views/layouts/default.blade.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/resources/views/layouts/default.blade.php b/resources/views/layouts/default.blade.php
index d3cc7f6752..124bc101c5 100644
--- a/resources/views/layouts/default.blade.php
+++ b/resources/views/layouts/default.blade.php
@@ -681,6 +681,10 @@
         $(function () {
             $('[data-toggle="tooltip"]').tooltip();
         })
+        $(document).on('click', '[data-toggle="lightbox"]', function(event) {
+            event.preventDefault();
+            $(this).ekkoLightbox();
+        });
     </script>
 
     @if ((Session::get('topsearch')=='true') || (Request::is('/')))

From 43ff66e4d993380f17429f5374b98df468bdd36c Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 29 Sep 2017 15:24:33 -0700
Subject: [PATCH 11/13] More UI tweaking for meta statuses

---
 app/Http/Transformers/AssetsTransformer.php   |  2 +-
 app/Presenters/AssetPresenter.php             |  2 +-
 .../views/partials/bootstrap-table.blade.php  | 24 ++++++++++++++++++-
 3 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/app/Http/Transformers/AssetsTransformer.php b/app/Http/Transformers/AssetsTransformer.php
index ea42b51d76..92ba702a15 100644
--- a/app/Http/Transformers/AssetsTransformer.php
+++ b/app/Http/Transformers/AssetsTransformer.php
@@ -33,7 +33,7 @@ class AssetsTransformer
             'model_number' => ($asset->model) ? e($asset->model->model_number) : null,
             'status_label' => ($asset->assetstatus) ? [
                 'id' => (int) $asset->assetstatus->id,
-                'name'=> e($asset->assetstatus->name),
+                'name'=> e($asset->present()->statusText),
                 'status_meta' =>  e($asset->present()->statusMeta),
             ] : null,
             'category' => ($asset->model->category) ? [
diff --git a/app/Presenters/AssetPresenter.php b/app/Presenters/AssetPresenter.php
index 814a5c5737..53188aa237 100644
--- a/app/Presenters/AssetPresenter.php
+++ b/app/Presenters/AssetPresenter.php
@@ -346,7 +346,7 @@ class AssetPresenter extends Presenter
     public function statusText()
     {
         if ($this->model->assignedTo) {
-            return strtolower(trans('general.deployed'));
+            return trans('general.deployed');
         }
         return $this->model->assetstatus->name;
     }
diff --git a/resources/views/partials/bootstrap-table.blade.php b/resources/views/partials/bootstrap-table.blade.php
index 46071360ab..c89ba826e8 100644
--- a/resources/views/partials/bootstrap-table.blade.php
+++ b/resources/views/partials/bootstrap-table.blade.php
@@ -140,7 +140,29 @@ $('.snipe-table').bootstrapTable({
     function genericColumnObjLinkFormatter(destination) {
         return function (value,row) {
             if ((value) && (value.status_meta)) {
-                return '<label class="label label-default">'+ value.status_meta + '</label> <a href="{{ url('/') }}/' + destination + '/' + value.id + '"> ' + value.name + '</a> ';
+
+                var text_color;
+                var icon_style;
+
+                switch (value.status_meta) {
+                    case 'deployed':
+                        text_color = 'blue';
+                        icon_style = 'fa-circle';
+                    break;
+                    case 'deployable':
+                        text_color = 'green';
+                        icon_style = 'fa-circle';
+                    break;
+                    case 'pending':
+                        text_color = 'orange';
+                        icon_style = 'fa-circle';
+                        break;
+                    default:
+                        text_color = 'red';
+                        icon_style = 'fa-times';
+                }
+
+                return '<a href="{{ url('/') }}/' + destination + '/' + value.id + '" data-tooltip="true" title="'+ value.status_meta + '"> <i class="fa ' + icon_style + ' text-' + text_color + '"></i> ' + value.name + '</a> ';
             } else if ((value) && (value.name)) {
                 return '<a href="{{ url('/') }}/' + destination + '/' + value.id + '"> ' + value.name + '</a>';
             }

From 314d6fa4c54d0e918bc6d71ac03b89f63fb778fd Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 29 Sep 2017 15:55:58 -0700
Subject: [PATCH 12/13] Expanded issue template

---
 .github/ISSUE_TEMPLATE.md | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
index 9507443700..0bd56483b8 100644
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -12,20 +12,25 @@
 
 #### Please confirm you have done the following before posting your bug report:
 
-- [ ] I have enabled debug mode
+- [ ] I have [enabled debug mode](https://snipe-it.readme.io/docs/getting-help#section-step-1-enable-debug-mode)
 - [ ] I have read [checked the Common Issues page](https://snipe-it.readme.io/docs/common-issues)
 
 -----
-#### Please provide answers to these questions before posting your bug report:
+#### Provide answers to these questions:
 
+- Is this a fresh install or an upgrade? 
 - Version of Snipe-IT you're running
+- Version of PHP you're running
+- Version of MySQL/MariaDB you're running
 - What OS and web server you're running Snipe-IT on
 - What method you used to install Snipe-IT (install.sh, manual installation, docker, etc)
-- WITH DEBUG TURNED ON, if you're getting an error in your browser, include that error
+- WITH [DEBUG TURNED ON](https://snipe-it.readme.io/docs/getting-help#section-step-1-enable-debug-mode), if you're getting an error in your browser, include that error
 - What specific Snipe-IT page you're on, and what specific element you're interacting with to trigger the error
 - If a stacktrace is provided in the error, include that too.
-- Any errors that appear in your browser's error console.
+- Any errors that appear in your [browser's error console](https://snipe-it.readme.io/docs/getting-help#section-step-2-enable-your-browsers-error-console).
 - Confirm whether the error is [reproduceable on the demo](https://snipeitapp.com/demo).
-- Include any additional information you can find in `app/storage/logs` and your webserver's logs.
+- Include any [additional information](https://snipe-it.readme.io/docs/getting-help#section-step-3-check-your-app-and-server-logs) you can find in `app/storage/logs` and your webserver's logs.
 - Include what you've done so far in the installation, and if you got any error messages along the way.
 - Indicate whether or not you've manually edited any data directly in the database
+
+**Please do not post an issue without answering the related questions above. If you have opened a different issue and already answered these questions, answer them again, once for every ticket.** It will be next to impossible for us to help you.

From 878bde67ac6cc1106313dd7fb3a8227ecca39e15 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 29 Sep 2017 15:59:04 -0700
Subject: [PATCH 13/13] Few more issue template tweaks

---
 .github/ISSUE_TEMPLATE.md | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
index 0bd56483b8..8da5a4ac22 100644
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -12,7 +12,7 @@
 
 #### Please confirm you have done the following before posting your bug report:
 
-- [ ] I have [enabled debug mode](https://snipe-it.readme.io/docs/getting-help#section-step-1-enable-debug-mode)
+- [ ] I have enabled debug mode 
 - [ ] I have read [checked the Common Issues page](https://snipe-it.readme.io/docs/common-issues)
 
 -----
@@ -24,13 +24,15 @@
 - Version of MySQL/MariaDB you're running
 - What OS and web server you're running Snipe-IT on
 - What method you used to install Snipe-IT (install.sh, manual installation, docker, etc)
-- WITH [DEBUG TURNED ON](https://snipe-it.readme.io/docs/getting-help#section-step-1-enable-debug-mode), if you're getting an error in your browser, include that error
+- WITH DEBUG TURNED ON, if you're getting an error in your browser, include that error
 - What specific Snipe-IT page you're on, and what specific element you're interacting with to trigger the error
 - If a stacktrace is provided in the error, include that too.
-- Any errors that appear in your [browser's error console](https://snipe-it.readme.io/docs/getting-help#section-step-2-enable-your-browsers-error-console).
-- Confirm whether the error is [reproduceable on the demo](https://snipeitapp.com/demo).
-- Include any [additional information](https://snipe-it.readme.io/docs/getting-help#section-step-3-check-your-app-and-server-logs) you can find in `app/storage/logs` and your webserver's logs.
+- Any errors that appear in your browser's error console.
+- Confirm whether the error is reproduceable on the demo: https://snipeitapp.com/demo.
+- Include any additional information you can find in `app/storage/logs` and your webserver's logs.
 - Include what you've done so far in the installation, and if you got any error messages along the way.
 - Indicate whether or not you've manually edited any data directly in the database
 
-**Please do not post an issue without answering the related questions above. If you have opened a different issue and already answered these questions, answer them again, once for every ticket.** It will be next to impossible for us to help you.
+Please do not post an issue without answering the related questions above. If you have opened a different issue and already answered these questions, answer them again, once for every ticket. It will be next to impossible for us to help you.
+
+https://snipe-it.readme.io/docs/getting-help