From aafa1ab70e8829e9e8c080b4a7c05276ab14dadb Mon Sep 17 00:00:00 2001 From: Marcus Moore Date: Tue, 29 Aug 2023 16:15:13 -0700 Subject: [PATCH 1/2] Add failing test --- tests/Feature/Api/Users/UsersSearchTest.php | 64 +++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/tests/Feature/Api/Users/UsersSearchTest.php b/tests/Feature/Api/Users/UsersSearchTest.php index f14d704b0f..723a115db1 100644 --- a/tests/Feature/Api/Users/UsersSearchTest.php +++ b/tests/Feature/Api/Users/UsersSearchTest.php @@ -2,6 +2,7 @@ namespace Tests\Feature\Api\Users; +use App\Models\Company; use App\Models\User; use Laravel\Passport\Passport; use Tests\Support\InteractsWithSettings; @@ -83,4 +84,67 @@ class UsersSearchTest extends TestCase 'Expected deleted user does not appear in results' ); } + + public function testUsersScopedToCompanyWhenMultipleFullCompanySupportEnabled() + { + $this->settings->enableMultipleFullCompanySupport(); + + $companyA = Company::factory() + ->has(User::factory(['first_name' => 'Company A', 'last_name' => 'User'])) + ->create(); + + Company::factory() + ->has(User::factory(['first_name' => 'Company B', 'last_name' => 'User'])) + ->create(); + + $response = $this->actingAsForApi(User::factory()->for($companyA)->viewUsers()->create()) + ->getJson(route('api.users.index')) + ->assertOk(); + + $results = collect($response->json('rows')); + + $this->assertTrue( + $results->pluck('name')->contains(fn($text) => str_contains($text, 'Company A')), + 'User index does not contain expected user' + ); + $this->assertFalse( + $results->pluck('name')->contains(fn($text) => str_contains($text, 'Company B')), + 'User index contains unexpected user from another company' + ); + } + + public function testUsersScopedToCompanyDuringSearchWhenMultipleFullCompanySupportEnabled() + { + $this->settings->enableMultipleFullCompanySupport(); + + $companyA = Company::factory() + ->has(User::factory(['first_name' => 'Company A', 'last_name' => 'User'])) + ->create(); + + Company::factory() + ->has(User::factory(['first_name' => 'Company B', 'last_name' => 'User'])) + ->create(); + + $response = $this->actingAsForApi(User::factory()->for($companyA)->viewUsers()->create()) + ->getJson(route('api.users.index', [ + 'deleted' => 'false', + 'company_id' => null, + 'search' => 'user', + 'order' => 'asc', + 'offset' => '0', + 'limit' => '20', + ])) + ->assertOk(); + + $results = collect($response->json('rows')); + + $this->assertTrue( + $results->pluck('name')->contains(fn($text) => str_contains($text, 'Company A')), + 'User index does not contain expected user' + ); + $this->assertFalse( + $results->pluck('name')->contains(fn($text) => str_contains($text, 'Company B')), + 'User index contains unexpected user from another company' + ); + } } From 806ab2cb9d771d49a3c092d4406e4e29cc3724df Mon Sep 17 00:00:00 2001 From: Marcus Moore Date: Tue, 29 Aug 2023 16:17:29 -0700 Subject: [PATCH 2/2] Ensure users are scoped by company in index method --- app/Http/Controllers/Api/UsersController.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/Http/Controllers/Api/UsersController.php b/app/Http/Controllers/Api/UsersController.php index 7b22f3af4b..3b76317327 100644 --- a/app/Http/Controllers/Api/UsersController.php +++ b/app/Http/Controllers/Api/UsersController.php @@ -75,7 +75,6 @@ class UsersController extends Controller ])->with('manager', 'groups', 'userloc', 'company', 'department', 'assets', 'licenses', 'accessories', 'consumables', 'createdBy',) ->withCount('assets as assets_count', 'licenses as licenses_count', 'accessories as accessories_count', 'consumables as consumables_count'); - $users = Company::scopeCompanyables($users); if ($request->filled('activated')) { @@ -271,6 +270,8 @@ class UsersController extends Controller } elseif (($request->filled('all')) && ($request->input('all') == 'true')) { $users = $users->withTrashed(); } + + $users = Company::scopeCompanyables($users); $total = $users->count(); $users = $users->skip($offset)->take($limit)->get();