Merge pull request #13544 from marcusmoore/bug/sc-23675

Fixed user search not adhering to company scoping
snipe 2023-08-30 08:54:41 +01:00 committed by GitHub
commit b109ee281a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 66 additions and 1 deletions


@ -75,7 +75,6 @@ class UsersController extends Controller
])->with('manager', 'groups', 'userloc', 'company', 'department', 'assets', 'licenses', 'accessories', 'consumables', 'createdBy',) ])->with('manager', 'groups', 'userloc', 'company', 'department', 'assets', 'licenses', 'accessories', 'consumables', 'createdBy',)
->withCount('assets as assets_count', 'licenses as licenses_count', 'accessories as accessories_count', 'consumables as consumables_count'); ->withCount('assets as assets_count', 'licenses as licenses_count', 'accessories as accessories_count', 'consumables as consumables_count');
$users = Company::scopeCompanyables($users);
if ($request->filled('activated')) { if ($request->filled('activated')) {
@ -271,6 +270,8 @@ class UsersController extends Controller
} elseif (($request->filled('all')) && ($request->input('all') == 'true')) { } elseif (($request->filled('all')) && ($request->input('all') == 'true')) {
$users = $users->withTrashed(); $users = $users->withTrashed();
} }
$users = Company::scopeCompanyables($users);
$total = $users->count(); $total = $users->count();
$users = $users->skip($offset)->take($limit)->get(); $users = $users->skip($offset)->take($limit)->get();
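Review bot: The relocated `$users = Company::scopeCompanyables($users);` now has to remain the final constraint before `$users->count()`, and nothing at the call site says so. Going by the commit title, search results escaped scoping while the call sat ahead of the filter branches, so the fix presumably depends on the scope being applied after every search and filter clause. A later edit that adds a filter below this line or moves the call back up would quietly reintroduce cross-company reads. I would add a comment directly above it, for example `// Company scoping is an authorization boundary: apply it after all search/filter clauses so no earlier OR condition can widen the result set.` Both hunks sit inside a method whose start and end are outside the visible lines, so the filters between them could not be checked.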


@ -2,6 +2,7 @@
namespace Tests\Feature\Api\Users; namespace Tests\Feature\Api\Users;
use App\Models\Company;
use App\Models\User; use App\Models\User;
use Laravel\Passport\Passport; use Laravel\Passport\Passport;
use Tests\Support\InteractsWithSettings; use Tests\Support\InteractsWithSettings;
@ -83,4 +84,67 @@ class UsersSearchTest extends TestCase
'Expected deleted user does not appear in results' 'Expected deleted user does not appear in results'
); );
} }
public function testUsersScopedToCompanyWhenMultipleFullCompanySupportEnabled()
{
$this->settings->enableMultipleFullCompanySupport();
$companyA = Company::factory()
->has(User::factory(['first_name' => 'Company A', 'last_name' => 'User']))
->create();
Company::factory()
->has(User::factory(['first_name' => 'Company B', 'last_name' => 'User']))
->create();
$response = $this->actingAsForApi(User::factory()->for($companyA)->viewUsers()->create())
->getJson(route('api.users.index'))
->assertOk();
$results = collect($response->json('rows'));
$this->assertTrue(
$results->pluck('name')->contains(fn($text) => str_contains($text, 'Company A')),
'User index does not contain expected user'
);
$this->assertFalse(
$results->pluck('name')->contains(fn($text) => str_contains($text, 'Company B')),
'User index contains unexpected user from another company'
);
}
public function testUsersScopedToCompanyDuringSearchWhenMultipleFullCompanySupportEnabled()
{
$this->settings->enableMultipleFullCompanySupport();
$companyA = Company::factory()
->has(User::factory(['first_name' => 'Company A', 'last_name' => 'User']))
->create();
Company::factory()
->has(User::factory(['first_name' => 'Company B', 'last_name' => 'User']))
->create();
$response = $this->actingAsForApi(User::factory()->for($companyA)->viewUsers()->create())
->getJson(route('api.users.index', [
'deleted' => 'false',
'company_id' => null,
'search' => 'user',
'order' => 'asc',
'offset' => '0',
'limit' => '20',
]))
->assertOk();
$results = collect($response->json('rows'));
$this->assertTrue(
$results->pluck('name')->contains(fn($text) => str_contains($text, 'Company A')),
'User index does not contain expected user'
);
$this->assertFalse(
$results->pluck('name')->contains(fn($text) => str_contains($text, 'Company B')),
'User index contains unexpected user from another company'
);
}
} }
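Review bot: The search test passes `'company_id' => null`, which is most likely dropped when the query string is built, so neither new test covers a Company A user explicitly asking for another company's users. That is the request an isolation regression test should pin down, assuming the index action honours a `company_id` filter as the parameter suggests. The `all`/`withTrashed` branch visible in the controller hunk is likewise not exercised with scoping enabled. I would add a case like the one below; the setup repeated across both existing tests could move into a private helper at the same time.

```php
    public function testUsersScopedToCompanyWhenFilteringByAnotherCompanyId()
    {
        $this->settings->enableMultipleFullCompanySupport();

        $companyA = Company::factory()->create();
        $companyB = Company::factory()
            ->has(User::factory(['first_name' => 'Company B', 'last_name' => 'User']))
            ->create();

        $response = $this->actingAsForApi(User::factory()->for($companyA)->viewUsers()->create())
            ->getJson(route('api.users.index', ['company_id' => $companyB->id]))
            ->assertOk();

        $this->assertFalse(
            collect($response->json('rows'))->pluck('name')->contains(fn($text) => str_contains($text, 'Company B')),
            'User index contains unexpected user from another company'
        );
    }
```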