Merge pull request #11842 from snipe/security/license_file_access

Check for `licenses.files` permissions
This commit is contained in:
snipe 2022-09-16 14:19:37 -07:00 committed by GitHub
commit 9369165007
6 changed files with 25 additions and 6 deletions


@ -135,6 +135,7 @@ class LicenseFilesController extends Controller
// the license is valid
if (isset($license->id)) {
$this->authorize('view', $license);
$this->authorize('licenses.files', $license);
if (! $log = Actionlog::find($fileId)) {
return response('No matching record for that asset/file', 500)
@ -171,6 +172,6 @@ class LicenseFilesController extends Controller
}
}
return redirect()->route('license.index')->with('error', trans('admin/licenses/message.does_not_exist', ['id' => $fileId]));
return redirect()->route('licenses.index')->with('error', trans('admin/licenses/message.does_not_exist', ['id' => $fileId]));
}
}
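Review bot: The added `$this->authorize('licenses.files', $license);` gates the license, but the very next line looks the file up by `Actionlog::find($fileId)` with no reference to `$license`; whether the found log is later compared against `$license->id` lies outside the hunk (the method body continues past L19), and if it is not, the permission check on one license does not stop a file id belonging to another record from being served. I'd confirm that comparison exists before merging, or add it right after the find, e.g. `if ($log->item_id != $license->id) { return redirect()->route('licenses.index')->with('error', trans('admin/licenses/message.does_not_exist', ['id' => $fileId])); }`. Separately, the pre-existing `response('No matching record for that asset/file', 500)` describes a not-found condition with a server-error status; `404` would let monitoring tell a missing record from a real failure. The enclosing method starts before the first hunk.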


@ -42,8 +42,12 @@ class LicensePolicy extends CheckoutablePermissionsPolicy
* @param \App\Models\User $user
* @return mixed
*/
public function files(User $user)
public function files(User $user, $license = null)
{
return $user->hasAccess($this->columnName().'.files');
if ($user->hasAccess('licenses.files')) {
return true;
}
return false;
}
}
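Review bot: `LicensePolicy::files()` now hard-codes `'licenses.files'` while this same commit adds a generic `files()` to `SnipePermissionsPolicy` that derives the same string from `columnName()`; keeping both means the two can drift, so I'd drop the override or keep the parent's form, `return $user->hasAccess($this->columnName().'.files');`. If the override stays, the `if ... return true; return false;` collapses to `return $user->hasAccess('licenses.files');`, and the docblock above should document the new `$license` parameter and return `bool` rather than `mixed`.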


@ -61,6 +61,11 @@ abstract class SnipePermissionsPolicy
return $user->hasAccess($this->columnName().'.view');
}
public function files(User $user, $item = null)
{
return $user->hasAccess($this->columnName().'.files');
}
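Review bot: The new `files()` method is the only one in this policy without a docblock; its neighbours (e.g. "Determine whether the user can create accessories.") document purpose and parameters, and this one also carries an `$item` parameter that the body never reads, which deserves a word so nobody "fixes" it away. Something like `/** Determine whether the user can view and manage uploaded files for this model type. $item is accepted for Gate compatibility and is not used; permission is decided by the `<column>.files` ability alone. */` with `@param \App\Models\User $user`, `@param mixed $item` and `@return bool`.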
/**
* Determine whether the user can create accessories.
*


@ -122,6 +122,13 @@ class AuthServiceProvider extends ServiceProvider
});
Gate::define('licenses.files', function ($user) {
if ($user->hasAccess('licenses.files')) {
return true;
}
});
// -----------------------------------------
// Reports
// -----------------------------------------
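 
Review bot: The new `Gate::define('licenses.files', ...)` callback returns `true` on success and falls off the end otherwise, so a denial is the implicit `null` rather than an explicit `false`; `return $user->hasAccess('licenses.files');` says the same thing in one line and makes the deny path visible to the reader. This is also the third place in the commit that encodes the `licenses.files` check (alongside `LicensePolicy::files()` and `SnipePermissionsPolicy::files()`), and I believe the `@can('licenses.files', $license)` and `authorize('licenses.files', ...)` call sites resolve to this Gate callback rather than the policy methods, since the ability name is not a method name — worth confirming, and worth a comment here stating which one is authoritative so the others are not edited in isolation.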


@ -2,7 +2,7 @@
return array(
'does_not_exist' => 'License does not exist.',
'does_not_exist' => 'License does not exist or you do not have permission to view it.',
'user_does_not_exist' => 'User does not exist.',
'asset_does_not_exist' => 'The asset you are trying to associate with this license does not exist.',
'owner_doesnt_match_asset' => 'The asset you are trying to associate with this license is owned by somene other than the person selected in the assigned to dropdown.',


@ -36,7 +36,8 @@
</a>
</li>
@can('licenses.files', $license)
<li>
<a href="#files" data-toggle="tab">
<span class="hidden-lg hidden-md">
@ -46,6 +47,7 @@
</span>
</a>
</li>
@endcan
<li>
<a href="#history" data-toggle="tab">
@ -416,7 +418,7 @@
</div> <!--/.row-->
</div> <!-- /.tab-pane -->
@can('files', $license)
@can('licenses.files', $license)
<div class="tab-pane" id="files">
<div class="table-responsive">
<table