From dcab1381e7ee0b7fd1df3a34750dbff4b79185b2 Mon Sep 17 00:00:00 2001
From: snipe
Date: Fri, 16 Sep 2022 14:00:27 -0700
Subject: [PATCH 1/2] Check for licenses.files permissions
Signed-off-by: snipe
---
 app/Http/Controllers/Licenses/LicenseFilesController.php | 3 ++-
 app/Policies/LicensePolicy.php | 8 ++++++--
 app/Policies/SnipePermissionsPolicy.php | 5 +++++
 app/Providers/AuthServiceProvider.php | 7 +++++++
 resources/lang/en/admin/licenses/message.php | 2 +-
 resources/views/licenses/view.blade.php | 6 ++++--
 6 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/app/Http/Controllers/Licenses/LicenseFilesController.php b/app/Http/Controllers/Licenses/LicenseFilesController.php
index 81a2f26ede..db414edebf 100644
--- a/app/Http/Controllers/Licenses/LicenseFilesController.php
+++ b/app/Http/Controllers/Licenses/LicenseFilesController.php
@@ -135,6 +135,7 @@ class LicenseFilesController extends Controller
 // the license is valid
 if (isset($license->id)) {
 $this->authorize('view', $license);
+ $this->authorize('licenses.files', $license);
 if (! $log = Actionlog::find($fileId)) {
 return response('No matching record for that asset/file', 500)
@@ -171,6 +172,6 @@ class LicenseFilesController extends Controller
 }
 }
- return redirect()->route('license.index')->with('error', trans('admin/licenses/message.does_not_exist', ['id' => $fileId]));
+ return redirect()->route('licenses.index')->with('error', trans('admin/licenses/message.does_not_exist', ['id' => $fileId]));
 }
 }
diff --git a/app/Policies/LicensePolicy.php b/app/Policies/LicensePolicy.php
index 7a92b5b7de..3f2f780d9b 100644
--- a/app/Policies/LicensePolicy.php
+++ b/app/Policies/LicensePolicy.php
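Review bot: The added `$this->authorize('licenses.files', $license);` in the LicenseFilesController.php hunk at -135 covers only the handler visible there; that method starts and ends outside the hunk, and the controller's other file actions are not shown. It is worth confirming that the upload and delete handlers require the same ability, otherwise a user without `licenses.files` may still be able to attach or remove files. I would also put a comment above the two calls, `// both are required: 'view' for the license itself, 'licenses.files' for its uploaded files`, because the pair otherwise reads as a duplicate check.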
@@ -42,8 +42,12 @@ class LicensePolicy extends CheckoutablePermissionsPolicy
 * @param \App\Models\User $user
 * @return mixed
 */
- public function files(User $user)
+ public function viewFiles(User $user)
 {
- return $user->hasAccess($this->columnName().'.files');
+ if ($user->hasAccess('licenses.files')) {
+ return true;
+ }
+ return false;
+
 }
 }
diff --git a/app/Policies/SnipePermissionsPolicy.php b/app/Policies/SnipePermissionsPolicy.php
index 703385ec99..d4f2d88ccd 100644
--- a/app/Policies/SnipePermissionsPolicy.php
+++ b/app/Policies/SnipePermissionsPolicy.php
@@ -61,6 +61,11 @@ abstract class SnipePermissionsPolicy
 return $user->hasAccess($this->columnName().'.view');
 }
+ public function files(User $user, $item = null)
+ {
+ return $user->hasAccess($this->columnName().'.files');
+ }
+
 /**
 * Determine whether the user can create accessories.
 *
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index ac466d0ca9..7541e39919 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -122,6 +122,13 @@ class AuthServiceProvider extends ServiceProvider
 });
+ Gate::define('licenses.files', function ($user) {
+ if ($user->hasAccess('licenses.files')) {
+ return true;
+ }
+ });
+
+
 // -----------------------------------------
 // Reports
 // -----------------------------------------
diff --git a/resources/lang/en/admin/licenses/message.php b/resources/lang/en/admin/licenses/message.php
index 87a7c3d0b9..dd7e54dea4 100644
--- a/resources/lang/en/admin/licenses/message.php
+++ b/resources/lang/en/admin/licenses/message.php
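Review bot: The rewritten method in LicensePolicy.php hard-codes `'licenses.files'` where the removed line built the key from `$this->columnName().'.files'`, while the same patch adds a generic `files()` to SnipePermissionsPolicy that still uses `columnName()`. If LicensePolicy inherits from that base class (not visible here) and `columnName()` yields `licenses`, the override is redundant and the two spellings of the permission can drift apart; either drop it or reduce the body to `return (bool) $user->hasAccess('licenses.files');`. The docblock's `@return mixed` no longer matches a method that returns only true or false, and the blank `+` line before the closing brace is stray. PATCH 2/2 changes only the signature, so the same body carries over.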
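Review bot: `files()` in the SnipePermissionsPolicy.php hunk is added without a docblock, although the method that follows it in the hunk has one, and its `$item` parameter is accepted but never read. A docblock in the style of its neighbour, for example `Determine whether the user can access files for this item type.` with `@param \App\Models\User $user` and a line noting that `$item` is not inspected, would make clear to every inheriting policy that this is a permission-level check and not a per-object one.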
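Review bot: The `licenses.files` gate closure in the AuthServiceProvider.php hunk takes only `$user`, so the `$license` passed by the controller's `authorize('licenses.files', $license)` and by the Blade `@can('licenses.files', $license)` is ignored and the decision is never tied to the individual license. A comment such as `// permission-level only; per-license access is enforced by the 'view' check` would stop a later caller from relying on this gate alone. The closure also falls off the end on denial and returns null; `return $user->hasAccess('licenses.files');` states the denial explicitly, unless the surrounding gates (outside the hunk) use the implicit form on purpose.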
@@ -2,7 +2,7 @@ return array(
- 'does_not_exist' => 'License does not exist.',
+ 'does_not_exist' => 'License does not exist or you do not have permission to view it.',
 'user_does_not_exist' => 'User does not exist.',
 'asset_does_not_exist' => 'The asset you are trying to associate with this license does not exist.',
 'owner_doesnt_match_asset' => 'The asset you are trying to associate with this license is owned by somene other than the person selected in the assigned to dropdown.',
diff --git a/resources/views/licenses/view.blade.php b/resources/views/licenses/view.blade.php
index 1f6b085a47..d0623cf405 100755
--- a/resources/views/licenses/view.blade.php
+++ b/resources/views/licenses/view.blade.php
@@ -36,7 +36,8 @@ - + + @can('licenses.files', $license)
  • + @endcan
  • @@ -416,7 +418,7 @@ - @can('files', $license) + @can('licenses.files', $license)
Date: Fri, 16 Sep 2022 14:06:46 -0700
Subject: [PATCH 2/2] Fixed license policy method
Signed-off-by: snipe
---
 app/Policies/LicensePolicy.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/Policies/LicensePolicy.php b/app/Policies/LicensePolicy.php
index 3f2f780d9b..544835c3b8 100644
--- a/app/Policies/LicensePolicy.php
+++ b/app/Policies/LicensePolicy.php
@@ -42,7 +42,7 @@ class LicensePolicy extends CheckoutablePermissionsPolicy
 * @param \App\Models\User $user
 * @return mixed
 */
- public function viewFiles(User $user)
+ public function files(User $user, $license = null)
 {
 if ($user->hasAccess('licenses.files')) {
 return true;
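Review bot: The docblock above `files(User $user, $license = null)` still lists only `@param \App\Models\User $user`, so the new `$license` parameter is undocumented, and in the lines visible here it is never read. I would add `@param mixed $license not inspected; the check is permission-level only`, so that nobody assumes this method enforces access to one specific license. The method body continues past the end of the hunk.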