From ab5fed09dbe74263ffb92726772463278d0dfa84 Mon Sep 17 00:00:00 2001
From: Marcus Moore <contact@marcusmoore.io>
Date: Thu, 22 Jun 2023 12:36:43 -0700
Subject: [PATCH] Remove scopeCompanyables call from
 AssetsController@requestable

---
 app/Http/Controllers/Api/AssetsController.php |  5 +-
 database/factories/AssetFactory.php           | 10 +++
 .../Api/Assets/RequestableAssetsTest.php      | 81 +++++++++++++++++++
 3 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100644 tests/Feature/Api/Assets/RequestableAssetsTest.php

diff --git a/app/Http/Controllers/Api/AssetsController.php b/app/Http/Controllers/Api/AssetsController.php
index e22a037a89..e3ae9e3445 100644
--- a/app/Http/Controllers/Api/AssetsController.php
+++ b/app/Http/Controllers/Api/AssetsController.php
@@ -1030,9 +1030,10 @@ class AssetsController extends Controller
     {
         $this->authorize('viewRequestable', Asset::class);
 
-        $assets = Company::scopeCompanyables(Asset::select('assets.*'), 'company_id', 'assets')
+        $assets = Asset::select('assets.*')
             ->with('location', 'assetstatus', 'assetlog', 'company', 'defaultLoc','assignedTo',
-                'model.category', 'model.manufacturer', 'model.fieldset', 'supplier')->requestableAssets();
+                'model.category', 'model.manufacturer', 'model.fieldset', 'supplier')
+            ->requestableAssets();
 
         $offset = request('offset', 0);
         $limit = $request->input('limit', 50);
diff --git a/database/factories/AssetFactory.php b/database/factories/AssetFactory.php
index cd3e0f8391..0e0c3931d8 100644
--- a/database/factories/AssetFactory.php
+++ b/database/factories/AssetFactory.php
@@ -328,4 +328,14 @@ class AssetFactory extends Factory
             ];
         });
     }
+
+    public function requestable()
+    {
+        return $this->state(['requestable' => true]);
+    }
+
+    public function nonrequestable()
+    {
+        return $this->state(['requestable' => false]);
+    }
 }
diff --git a/tests/Feature/Api/Assets/RequestableAssetsTest.php b/tests/Feature/Api/Assets/RequestableAssetsTest.php
new file mode 100644
index 0000000000..7c9b4e1204
--- /dev/null
+++ b/tests/Feature/Api/Assets/RequestableAssetsTest.php
@@ -0,0 +1,81 @@
+<?php
+
+namespace Tests\Feature\Api\Assets;
+
+use App\Models\Asset;
+use App\Models\Company;
+use App\Models\User;
+use Laravel\Passport\Passport;
+use Tests\Support\InteractsWithResponses;
+use Tests\Support\InteractsWithSettings;
+use Tests\TestCase;
+
+class RequestableAssetsTest extends TestCase
+{
+    use InteractsWithResponses;
+    use InteractsWithSettings;
+
+    public function testViewingRequestableAssetsRequiresCorrectPermission()
+    {
+        Passport::actingAs(User::factory()->create());
+        $this->getJson(route('api.assets.requestable'))->assertForbidden();
+    }
+
+    public function testReturnsRequestableAssets()
+    {
+        $requestableAsset = Asset::factory()->requestable()->create(['asset_tag' => 'requestable']);
+        $nonRequestableAsset = Asset::factory()->nonrequestable()->create(['asset_tag' => 'non-requestable']);
+
+        Passport::actingAs(User::factory()->viewRequestableAssets()->create());
+        $response = $this->getJson(route('api.assets.requestable'))->assertOk();
+
+        $this->assertResponseContainsInRows($response, $requestableAsset, 'asset_tag');
+        $this->assertResponseDoesNotContainInRows($response, $nonRequestableAsset, 'asset_tag');
+    }
+
+    public function testRequestableAssetsAreScopedToCompanyWhenMultipleCompanySupportEnabled()
+    {
+        [$companyA, $companyB] = Company::factory()->count(2)->create();
+
+        $assetA = Asset::factory()->requestable()->for($companyA)->create(['asset_tag' => '0001']);
+        $assetB = Asset::factory()->requestable()->for($companyB)->create(['asset_tag' => '0002']);
+
+        $superUser = $companyA->users()->save(User::factory()->superuser()->make());
+        $userInCompanyA = $companyA->users()->save(User::factory()->viewRequestableAssets()->make());
+        $userInCompanyB = $companyB->users()->save(User::factory()->viewRequestableAssets()->make());
+
+        $this->settings->disableMultipleFullCompanySupport();
+
+        Passport::actingAs($superUser);
+        $response = $this->getJson(route('api.assets.requestable'));
+        $this->assertResponseContainsInRows($response, $assetA, 'asset_tag');
+        $this->assertResponseContainsInRows($response, $assetB, 'asset_tag');
+
+        Passport::actingAs($userInCompanyA);
+        $response = $this->getJson(route('api.assets.requestable'));
+        $this->assertResponseContainsInRows($response, $assetA, 'asset_tag');
+        $this->assertResponseContainsInRows($response, $assetB, 'asset_tag');
+
+        Passport::actingAs($userInCompanyB);
+        $response = $this->getJson(route('api.assets.requestable'));
+        $this->assertResponseContainsInRows($response, $assetA, 'asset_tag');
+        $this->assertResponseContainsInRows($response, $assetB, 'asset_tag');
+
+        $this->settings->enableMultipleFullCompanySupport();
+
+        Passport::actingAs($superUser);
+        $response = $this->getJson(route('api.assets.requestable'));
+        $this->assertResponseContainsInRows($response, $assetA, 'asset_tag');
+        $this->assertResponseContainsInRows($response, $assetB, 'asset_tag');
+
+        Passport::actingAs($userInCompanyA);
+        $response = $this->getJson(route('api.assets.requestable'));
+        $this->assertResponseContainsInRows($response, $assetA, 'asset_tag');
+        $this->assertResponseDoesNotContainInRows($response, $assetB, 'asset_tag');
+
+        Passport::actingAs($userInCompanyB);
+        $response = $this->getJson(route('api.assets.requestable'));
+        $this->assertResponseDoesNotContainInRows($response, $assetA, 'asset_tag');
+        $this->assertResponseContainsInRows($response, $assetB, 'asset_tag');
+    }
+}