mirror of
https://github.com/snipe/snipe-it.git
synced 2024-12-25 05:34:06 -08:00
Merge pull request #11842 from snipe/security/license_file_access
Check for `licenses.files` permissions
This commit is contained in:
commit
9369165007
|
@ -135,6 +135,7 @@ class LicenseFilesController extends Controller
|
|||
// the license is valid
|
||||
if (isset($license->id)) {
|
||||
$this->authorize('view', $license);
|
||||
$this->authorize('licenses.files', $license);
|
||||
|
||||
if (! $log = Actionlog::find($fileId)) {
|
||||
return response('No matching record for that asset/file', 500)
|
||||
|
@ -171,6 +172,6 @@ class LicenseFilesController extends Controller
|
|||
}
|
||||
}
|
||||
|
||||
return redirect()->route('license.index')->with('error', trans('admin/licenses/message.does_not_exist', ['id' => $fileId]));
|
||||
return redirect()->route('licenses.index')->with('error', trans('admin/licenses/message.does_not_exist', ['id' => $fileId]));
|
||||
}
|
||||
}
|
||||
|
|
|
@ -42,8 +42,12 @@ class LicensePolicy extends CheckoutablePermissionsPolicy
|
|||
* @param \App\Models\User $user
|
||||
* @return mixed
|
||||
*/
|
||||
public function files(User $user)
|
||||
public function files(User $user, $license = null)
|
||||
{
|
||||
return $user->hasAccess($this->columnName().'.files');
|
||||
if ($user->hasAccess('licenses.files')) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
|
||||
}
|
||||
}
|
||||
|
|
|
@ -61,6 +61,11 @@ abstract class SnipePermissionsPolicy
|
|||
return $user->hasAccess($this->columnName().'.view');
|
||||
}
|
||||
|
||||
public function files(User $user, $item = null)
|
||||
{
|
||||
return $user->hasAccess($this->columnName().'.files');
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine whether the user can create accessories.
|
||||
*
|
||||
|
|
|
@ -122,6 +122,13 @@ class AuthServiceProvider extends ServiceProvider
|
|||
});
|
||||
|
||||
|
||||
Gate::define('licenses.files', function ($user) {
|
||||
if ($user->hasAccess('licenses.files')) {
|
||||
return true;
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
// -----------------------------------------
|
||||
// Reports
|
||||
// -----------------------------------------
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
return array(
|
||||
|
||||
'does_not_exist' => 'License does not exist.',
|
||||
'does_not_exist' => 'License does not exist or you do not have permission to view it.',
|
||||
'user_does_not_exist' => 'User does not exist.',
|
||||
'asset_does_not_exist' => 'The asset you are trying to associate with this license does not exist.',
|
||||
'owner_doesnt_match_asset' => 'The asset you are trying to associate with this license is owned by somene other than the person selected in the assigned to dropdown.',
|
||||
|
|
|
@ -36,7 +36,8 @@
|
|||
|
||||
</a>
|
||||
</li>
|
||||
|
||||
|
||||
@can('licenses.files', $license)
|
||||
<li>
|
||||
<a href="#files" data-toggle="tab">
|
||||
<span class="hidden-lg hidden-md">
|
||||
|
@ -46,6 +47,7 @@
|
|||
</span>
|
||||
</a>
|
||||
</li>
|
||||
@endcan
|
||||
|
||||
<li>
|
||||
<a href="#history" data-toggle="tab">
|
||||
|
@ -416,7 +418,7 @@
|
|||
</div> <!--/.row-->
|
||||
</div> <!-- /.tab-pane -->
|
||||
|
||||
@can('files', $license)
|
||||
@can('licenses.files', $license)
|
||||
<div class="tab-pane" id="files">
|
||||
<div class="table-responsive">
|
||||
<table
|
||||
|
|
Loading…
Reference in a new issue