Fixes/import permissions mask (#6826)

* Check for empty headers in import

* Added import permission

* Fixed model path in docblock

* Added import gate to default blade

* Check if the user is an admin OR idf they have import permissions

* Walked back that admin permission

Since admins are bound by full company support, it makes less sense to let admins have this permission by default, versus having them specifically designated to the import permission

app/Http/Controllers/Api/ImportController.php

@@ -25,7 +25,7 @@ class ImportController extends Controller
      */
     public function index()
     {
-        //
+        $this->authorize('import');
         $imports = Import::latest()->get();
         return (new ImportsTransformer)->transformImports($imports);
 
@@ -39,10 +39,8 @@ class ImportController extends Controller
      */
     public function store()
     {
-        //
+        $this->authorize('import');
-        if (!Company::isCurrentUserAuthorized()) {
+        if (!config('app.lock_passwords')) {
-            return redirect()->route('hardware.index')->with('error', trans('general.insufficient_permissions'));
-        } elseif (!config('app.lock_passwords')) {
             $files = Input::file('files');
             $path = config('app.private_uploads').'/imports';
             $results = [];
@@ -119,7 +117,7 @@ class ImportController extends Controller
      */
     public function process(ItemImportRequest $request, $import_id)
     {
-        $this->authorize('create', Asset::class);
+        $this->authorize('import');
         // Run a backup immediately before processing
         Artisan::call('backup:run');
         $errors = $request->import(Import::find($import_id));
@@ -162,7 +160,7 @@ class ImportController extends Controller
      */
     public function destroy($import_id)
     {
-        $this->authorize('create', Asset::class);
+        $this->authorize('import');
         $import = Import::find($import_id);
         try {
             unlink(config('app.private_uploads').'/imports/'.$import->file_path);

app/Http/Controllers/ImportsController.php

@@ -12,7 +12,7 @@ class ImportsController extends Controller
 {
     public function index()
     {
-        $this->authorize('create', Asset::class);
+        $this->authorize('import');
         $imports = Import::latest()->get();
         $imports = (new ImportsTransformer)->transformImports($imports);
         return view('importer/import')->with('imports', $imports);

app/Http/Requests/ItemImportRequest.php

@@ -43,6 +43,20 @@ class ItemImportRequest extends FormRequest
         $import->save();
         $fieldMappings=[];
         if ($import->field_map) {
+
+            // This checks to make sure the field header has been mapped.
+            // If it hasn't been, it will throw an array_flip error
+            foreach ($import->field_map as $field => $fieldValue) {
+                $errorMessage = null;
+
+                if(is_null($fieldValue)){
+                    $errorMessage = 'All import fields must be mapped.';
+                    $this->errorCallback($import, $field, $errorMessage);
+
+                    return $this->errors;
+                }
+            }
+
             // We submit as csv field: column, but the importer is happier if we flip it here.
             $fieldMappings = array_change_key_case(array_flip($import->field_map), CASE_LOWER);
                         // dd($fieldMappings);

app/Policies/SnipePermissionsPolicy.php

@@ -53,7 +53,7 @@ abstract class SnipePermissionsPolicy
     /**
      * Determine whether the user can view the accessory.
      *
-     * @param  \App\User  $user
+     * @param  \App\Models\User  $user
      * @return mixed
      */
     public function view(User $user, $item = null)
@@ -64,7 +64,7 @@ abstract class SnipePermissionsPolicy
     /**
      * Determine whether the user can create accessories.
      *
-     * @param  \App\User  $user
+     * @param  \App\Models\User  $user
      * @return mixed
      */
     public function create(User $user)
@@ -75,7 +75,7 @@ abstract class SnipePermissionsPolicy
     /**
      * Determine whether the user can update the accessory.
      *
-     * @param  \App\User  $user
+     * @param  \App\Models\User  $user
      * @return mixed
      */
     public function update(User $user, $item = null)
@@ -86,7 +86,7 @@ abstract class SnipePermissionsPolicy
     /**
      * Determine whether the user can delete the accessory.
      *
-     * @param  \App\User  $user
+     * @param  \App\Models\User  $user
      * @return mixed
      */
     public function delete(User $user, $item = null)
@@ -97,11 +97,13 @@ abstract class SnipePermissionsPolicy
      /**
      * Determine whether the user can manage the accessory.
      *
-     * @param  \App\User  $user
+     * @param  \App\Models\User  $user
      * @return mixed
      */
     public function manage(User $user, $item = null)
     {
         return $user->hasAccess($this->columnName().'.edit');
     }
+
+
 }

app/Providers/AuthServiceProvider.php

@@ -113,6 +113,14 @@ class AuthServiceProvider extends ServiceProvider
         });
 
 
+        // Can the user import CSVs?
+        Gate::define('import', function ($user) {
+            if ($user->hasAccess('import') ) {
+                return true;
+            }
+        });
+
+
         # -----------------------------------------
         # Reports
         # -----------------------------------------

config/permissions.php

@@ -27,6 +27,15 @@ return array(
         )
     ),
 
+    'CSV Import' => array(
+        array(
+            'permission' => 'import',
+            'label'      => '',
+            'note'       => 'This will allow users to import even if access to users, assets, etc is denied elsewhere.',
+            'display'    => true,
+        )
+    ),
+
     'Reports' => array(
         array(
             'permission' => 'reports.view',

resources/views/layouts/default.blade.php

@@ -520,7 +520,7 @@
                   </a>
             </li>
             @endcan
-            @can('create', \App\Models\Asset::class)
+            @can('import')
                 <li{!! (Request::is('import/*') ? ' class="active"' : '') !!}>
                     <a href="{{ route('imports.index') }}">
                         <i class="fa fa-cloud-download"></i>