From 9618878023f7b2d6fe087062d12bba318b21c55e Mon Sep 17 00:00:00 2001 From: snipe Date: Wed, 25 Jul 2018 21:40:33 -0700 Subject: [PATCH] Restrict users asset listing to just assets checked out to users --- app/Http/Controllers/Api/UsersController.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Http/Controllers/Api/UsersController.php b/app/Http/Controllers/Api/UsersController.php index fd782ba48c..23f9410ed3 100644 --- a/app/Http/Controllers/Api/UsersController.php +++ b/app/Http/Controllers/Api/UsersController.php @@ -292,7 +292,7 @@ class UsersController extends Controller { $this->authorize('view', User::class); $this->authorize('view', Asset::class); - $assets = Asset::where('assigned_to', '=', $id)->with('model')->get(); + $assets = Asset::where('assigned_to', '=', $id)->where('assigned_type', '=', User::class)->with('model')->get(); return (new AssetsTransformer)->transformAssets($assets, $assets->count()); }