mirror of
https://github.com/snipe/snipe-it.git
synced 2025-01-12 06:17:28 -08:00
Merge pull request #15284 from spencerrlongg/bug/sc-26584
[Multi-Company] Fixes Users Being Moved With Items Still Assigned
This commit is contained in:
commit
c197644ba7
|
@ -427,13 +427,10 @@ class UsersController extends Controller
|
||||||
* @param \Illuminate\Http\Request $request
|
* @param \Illuminate\Http\Request $request
|
||||||
* @param int $id
|
* @param int $id
|
||||||
*/
|
*/
|
||||||
public function update(SaveUserRequest $request, $id) : JsonResponse
|
public function update(SaveUserRequest $request, User $user): JsonResponse
|
||||||
{
|
{
|
||||||
$this->authorize('update', User::class);
|
$this->authorize('update', User::class);
|
||||||
|
|
||||||
if ($user = User::find($id)) {
|
|
||||||
|
|
||||||
|
|
||||||
$this->authorize('update', $user);
|
$this->authorize('update', $user);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -443,12 +440,10 @@ class UsersController extends Controller
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
if ((($user->id == 1) || ($user->id == 2)) && (config('app.lock_passwords'))) {
|
||||||
if ((($id == 1) || ($id == 2)) && (config('app.lock_passwords'))) {
|
|
||||||
return response()->json(Helper::formatStandardApiResponse('error', null, 'Permission denied. You cannot update user information via API on the demo.'));
|
return response()->json(Helper::formatStandardApiResponse('error', null, 'Permission denied. You cannot update user information via API on the demo.'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
$user->fill($request->all());
|
$user->fill($request->all());
|
||||||
|
|
||||||
if ($user->id == $request->input('manager_id')) {
|
if ($user->id == $request->input('manager_id')) {
|
||||||
|
@ -473,16 +468,13 @@ class UsersController extends Controller
|
||||||
$user->permissions = $permissions_array;
|
$user->permissions = $permissions_array;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
// Update the location of any assets checked out to this user
|
// Update the location of any assets checked out to this user
|
||||||
Asset::where('assigned_type', User::class)
|
Asset::where('assigned_type', User::class)
|
||||||
->where('assigned_to', $user->id)->update(['location_id' => $request->input('location_id', null)]);
|
->where('assigned_to', $user->id)->update(['location_id' => $request->input('location_id', null)]);
|
||||||
|
|
||||||
|
|
||||||
app('App\Http\Requests\ImageUploadRequest')->handleImages($user, 600, 'image', 'avatars', 'avatar');
|
app('App\Http\Requests\ImageUploadRequest')->handleImages($user, 600, 'image', 'avatars', 'avatar');
|
||||||
|
|
||||||
if ($user->save()) {
|
if ($user->save()) {
|
||||||
|
|
||||||
// Check if the request has groups passed and has a value, AND that the user us a superuser
|
// Check if the request has groups passed and has a value, AND that the user us a superuser
|
||||||
if (($request->has('groups')) && (auth()->user()->isSuperUser())) {
|
if (($request->has('groups')) && (auth()->user()->isSuperUser())) {
|
||||||
|
|
||||||
|
@ -496,20 +488,12 @@ class UsersController extends Controller
|
||||||
|
|
||||||
// Sync the groups since the user is a superuser and the groups pass validation
|
// Sync the groups since the user is a superuser and the groups pass validation
|
||||||
$user->groups()->sync($request->input('groups'));
|
$user->groups()->sync($request->input('groups'));
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return response()->json(Helper::formatStandardApiResponse('success', (new UsersTransformer)->transformUser($user), trans('admin/users/message.success.update')));
|
return response()->json(Helper::formatStandardApiResponse('success', (new UsersTransformer)->transformUser($user), trans('admin/users/message.success.update')));
|
||||||
}
|
}
|
||||||
|
|
||||||
return response()->json(Helper::formatStandardApiResponse('error', null, $user->getErrors()));
|
return response()->json(Helper::formatStandardApiResponse('error', null, $user->getErrors()));
|
||||||
}
|
}
|
||||||
|
|
||||||
return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/users/message.user_not_found', compact('id'))));
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Remove the specified resource from storage.
|
* Remove the specified resource from storage.
|
||||||
*
|
*
|
||||||
|
|
|
@ -186,7 +186,7 @@ class UsersController extends Controller
|
||||||
{
|
{
|
||||||
|
|
||||||
$this->authorize('update', User::class);
|
$this->authorize('update', User::class);
|
||||||
$user = User::with('assets', 'assets.model', 'consumables', 'accessories', 'licenses', 'userloc')->withTrashed()->find($id);
|
$user = User::with(['assets', 'assets.model', 'consumables', 'accessories', 'licenses', 'userloc'])->withTrashed()->find($id);
|
||||||
|
|
||||||
if ($user) {
|
if ($user) {
|
||||||
|
|
||||||
|
@ -214,28 +214,24 @@ class UsersController extends Controller
|
||||||
* @return \Illuminate\Http\RedirectResponse
|
* @return \Illuminate\Http\RedirectResponse
|
||||||
* @throws \Illuminate\Auth\Access\AuthorizationException
|
* @throws \Illuminate\Auth\Access\AuthorizationException
|
||||||
*/
|
*/
|
||||||
public function update(SaveUserRequest $request, $id = null)
|
public function update(SaveUserRequest $request, User $user)
|
||||||
{
|
{
|
||||||
$this->authorize('update', User::class);
|
$this->authorize('update', User::class);
|
||||||
|
|
||||||
// This is a janky hack to prevent people from changing admin demo user data on the public demo.
|
// This is a janky hack to prevent people from changing admin demo user data on the public demo.
|
||||||
// The $ids 1 and 2 are special since they are seeded as superadmins in the demo seeder.
|
// The $ids 1 and 2 are special since they are seeded as superadmins in the demo seeder.
|
||||||
// Thanks, jerks. You are why we can't have nice things. - snipe
|
// Thanks, jerks. You are why we can't have nice things. - snipe
|
||||||
|
if ((($user->id == 1) || ($user->id == 2)) && (config('app.lock_passwords'))) {
|
||||||
if ((($id == 1) || ($id == 2)) && (config('app.lock_passwords'))) {
|
|
||||||
return redirect()->route('users.index')->with('error', trans('general.permission_denied_superuser_demo'));
|
return redirect()->route('users.index')->with('error', trans('general.permission_denied_superuser_demo'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
// We need to reverse the UI specific logic for our
|
// We need to reverse the UI specific logic for our
|
||||||
// permissions here before we update the user.
|
// permissions here before we update the user.
|
||||||
$permissions = $request->input('permissions', []);
|
$permissions = $request->input('permissions', []);
|
||||||
app('request')->request->set('permissions', $permissions);
|
app('request')->request->set('permissions', $permissions);
|
||||||
|
|
||||||
$user = User::with('assets', 'assets.model', 'consumables', 'accessories', 'licenses', 'userloc')->withTrashed()->find($id);
|
$user->load(['assets', 'assets.model', 'consumables', 'accessories', 'licenses', 'userloc'])->withTrashed();
|
||||||
|
|
||||||
// User is valid - continue...
|
|
||||||
if ($user) {
|
|
||||||
$this->authorize('update', $user);
|
$this->authorize('update', $user);
|
||||||
|
|
||||||
// Figure out of this user was an admin before this edit
|
// Figure out of this user was an admin before this edit
|
||||||
|
@ -318,13 +314,7 @@ class UsersController extends Controller
|
||||||
return redirect()->to(Helper::getRedirectOption($request, $user->id, 'Users'))
|
return redirect()->to(Helper::getRedirectOption($request, $user->id, 'Users'))
|
||||||
->with('success', trans('admin/users/message.success.update'));
|
->with('success', trans('admin/users/message.success.update'));
|
||||||
}
|
}
|
||||||
|
|
||||||
return redirect()->back()->withInput()->withErrors($user->getErrors());
|
return redirect()->back()->withInput()->withErrors($user->getErrors());
|
||||||
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
return redirect()->route('users.index')->with('error', trans('admin/users/message.user_not_found', compact('id')));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -34,6 +34,14 @@ class SaveUserRequest extends FormRequest
|
||||||
$rules = [
|
$rules = [
|
||||||
'department_id' => 'nullable|exists:departments,id',
|
'department_id' => 'nullable|exists:departments,id',
|
||||||
'manager_id' => 'nullable|exists:users,id',
|
'manager_id' => 'nullable|exists:users,id',
|
||||||
|
'company_id' => [
|
||||||
|
// determines if the user is being moved between companies and checks to see if they have any items assigned
|
||||||
|
function ($attribute, $value, $fail) {
|
||||||
|
if (($this->has('company_id')) && ($this->user->allAssignedCount() > 0) && (Setting::getSettings()->full_multiple_companies_support)) {
|
||||||
|
$fail(trans('admin/users/message.error.multi_company_items_assigned'));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
];
|
];
|
||||||
|
|
||||||
switch ($this->method()) {
|
switch ($this->method()) {
|
||||||
|
|
|
@ -53,6 +53,7 @@ return array(
|
||||||
'ldap_could_not_search' => 'Could not search the LDAP server. Please check your LDAP server configuration in the LDAP config file. <br>Error from LDAP Server:',
|
'ldap_could_not_search' => 'Could not search the LDAP server. Please check your LDAP server configuration in the LDAP config file. <br>Error from LDAP Server:',
|
||||||
'ldap_could_not_get_entries' => 'Could not get entries from the LDAP server. Please check your LDAP server configuration in the LDAP config file. <br>Error from LDAP Server:',
|
'ldap_could_not_get_entries' => 'Could not get entries from the LDAP server. Please check your LDAP server configuration in the LDAP config file. <br>Error from LDAP Server:',
|
||||||
'password_ldap' => 'The password for this account is managed by LDAP/Active Directory. Please contact your IT department to change your password. ',
|
'password_ldap' => 'The password for this account is managed by LDAP/Active Directory. Please contact your IT department to change your password. ',
|
||||||
|
'multi_company_items_assigned' => 'This user has items assigned, please check them in before moving companies.'
|
||||||
),
|
),
|
||||||
|
|
||||||
'deletefile' => array(
|
'deletefile' => array(
|
||||||
|
|
|
@ -66,7 +66,9 @@
|
||||||
|
|
||||||
<div class="row">
|
<div class="row">
|
||||||
<div class="col-md-8 col-md-offset-2">
|
<div class="col-md-8 col-md-offset-2">
|
||||||
<form class="form-horizontal" method="post" autocomplete="off" action="{{ (isset($user->id)) ? route('users.update', ['user' => $user->id]) : route('users.store') }}" enctype="multipart/form-data" id="userForm">
|
<form class="form-horizontal" method="post" autocomplete="off"
|
||||||
|
action="{{ (isset($user->id)) ? route('users.update', ['user' => $user->id]) : route('users.store') }}"
|
||||||
|
enctype="multipart/form-data" id="userForm">
|
||||||
{{csrf_field()}}
|
{{csrf_field()}}
|
||||||
|
|
||||||
@if($user->id)
|
@if($user->id)
|
||||||
|
|
|
@ -1099,16 +1099,18 @@ Route::group(['prefix' => 'v1', 'middleware' => ['api', 'throttle:api']], functi
|
||||||
|
|
||||||
});
|
});
|
||||||
|
|
||||||
|
Route::match(['put', 'patch'], '{user}/update', [Api\UsersController::class, 'update'])
|
||||||
|
->name('api.users.update');
|
||||||
|
|
||||||
Route::resource('users',
|
Route::resource('users',
|
||||||
Api\UsersController::class,
|
Api\UsersController::class,
|
||||||
['names' => [
|
['names' => [
|
||||||
'index' => 'api.users.index',
|
'index' => 'api.users.index',
|
||||||
'show' => 'api.users.show',
|
'show' => 'api.users.show',
|
||||||
'update' => 'api.users.update',
|
|
||||||
'store' => 'api.users.store',
|
'store' => 'api.users.store',
|
||||||
'destroy' => 'api.users.destroy',
|
'destroy' => 'api.users.destroy',
|
||||||
],
|
],
|
||||||
'except' => ['create', 'edit'],
|
'except' => ['create', 'edit', 'update'],
|
||||||
'parameters' => ['user' => 'user_id'],
|
'parameters' => ['user' => 'user_id'],
|
||||||
]
|
]
|
||||||
); // end users API routes
|
); // end users API routes
|
||||||
|
|
|
@ -145,10 +145,12 @@ Route::group(['prefix' => 'users', 'middleware' => ['auth']], function () {
|
||||||
]
|
]
|
||||||
)->name('users/bulkeditsave');
|
)->name('users/bulkeditsave');
|
||||||
|
|
||||||
|
// pulling this out of the resource because I need route model binding in the request
|
||||||
|
Route::match(['put', 'patch'], '/{user}', [Users\UsersController::class, 'update'])->name('users.update');
|
||||||
});
|
});
|
||||||
|
|
||||||
Route::resource('users', Users\UsersController::class, [
|
Route::resource('users', Users\UsersController::class, [
|
||||||
'middleware' => ['auth'],
|
'middleware' => ['auth'],
|
||||||
'parameters' => ['user' => 'user_id'],
|
'parameters' => ['user' => 'user_id'],
|
||||||
|
'except' => ['update']
|
||||||
]);
|
]);
|
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
namespace Tests\Feature\Users\Api;
|
namespace Tests\Feature\Users\Api;
|
||||||
|
|
||||||
|
use App\Models\Asset;
|
||||||
use App\Models\Company;
|
use App\Models\Company;
|
||||||
use App\Models\Department;
|
use App\Models\Department;
|
||||||
use App\Models\Group;
|
use App\Models\Group;
|
||||||
|
@ -344,4 +345,47 @@ class UpdateUserTest extends TestCase
|
||||||
$this->assertTrue($user->refresh()->groups->contains($groupB));
|
$this->assertTrue($user->refresh()->groups->contains($groupB));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testMultiCompanyUserCannotBeMovedIfHasAsset()
|
||||||
|
{
|
||||||
|
$this->settings->enableMultipleFullCompanySupport();
|
||||||
|
|
||||||
|
$companyA = Company::factory()->create();
|
||||||
|
$companyB = Company::factory()->create();
|
||||||
|
|
||||||
|
$user = User::factory()->create([
|
||||||
|
'company_id' => $companyA->id,
|
||||||
|
]);
|
||||||
|
$superUser = User::factory()->superuser()->create();
|
||||||
|
|
||||||
|
$asset = Asset::factory()->create();
|
||||||
|
|
||||||
|
// no assets assigned, therefore success
|
||||||
|
$this->actingAsForApi($superUser)->patchJson(route('api.users.update', $user), [
|
||||||
|
'username' => 'test',
|
||||||
|
'company_id' => $companyB->id,
|
||||||
|
])->assertStatusMessageIs('success');
|
||||||
|
|
||||||
|
// same test but PUT
|
||||||
|
$this->actingAsForApi($superUser)->putJson(route('api.users.update', $user), [
|
||||||
|
'username' => 'test',
|
||||||
|
'first_name' => 'Test',
|
||||||
|
'company_id' => $companyB->id,
|
||||||
|
])->assertStatusMessageIs('success');
|
||||||
|
|
||||||
|
$asset->checkOut($user, $superUser);
|
||||||
|
|
||||||
|
// asset assigned, therefore error
|
||||||
|
$this->actingAsForApi($superUser)->patchJson(route('api.users.update', $user), [
|
||||||
|
'username' => 'test',
|
||||||
|
'company_id' => $companyB->id,
|
||||||
|
])->assertStatusMessageIs('error');
|
||||||
|
|
||||||
|
// same test but PUT
|
||||||
|
$this->actingAsForApi($superUser)->putJson(route('api.users.update', $user), [
|
||||||
|
'username' => 'test',
|
||||||
|
'first_name' => 'Test',
|
||||||
|
'company_id' => $companyB->id,
|
||||||
|
])->assertStatusMessageIs('error');
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,6 +2,8 @@
|
||||||
|
|
||||||
namespace Tests\Feature\Users\Ui;
|
namespace Tests\Feature\Users\Ui;
|
||||||
|
|
||||||
|
use App\Models\Asset;
|
||||||
|
use App\Models\Company;
|
||||||
use App\Models\User;
|
use App\Models\User;
|
||||||
use Tests\TestCase;
|
use Tests\TestCase;
|
||||||
|
|
||||||
|
@ -79,4 +81,39 @@ class UpdateUserTest extends TestCase
|
||||||
|
|
||||||
$this->assertEquals(1, $admin->refresh()->activated);
|
$this->assertEquals(1, $admin->refresh()->activated);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testMultiCompanyUserCannotBeMovedIfHasAsset()
|
||||||
|
{
|
||||||
|
$this->settings->enableMultipleFullCompanySupport();
|
||||||
|
|
||||||
|
$companyA = Company::factory()->create();
|
||||||
|
$companyB = Company::factory()->create();
|
||||||
|
|
||||||
|
$user = User::factory()->create([
|
||||||
|
'company_id' => $companyA->id,
|
||||||
|
]);
|
||||||
|
$superUser = User::factory()->superuser()->create();
|
||||||
|
|
||||||
|
$asset = Asset::factory()->create();
|
||||||
|
|
||||||
|
// no assets assigned, therefore success
|
||||||
|
$this->actingAs($superUser)->put(route('users.update', $user), [
|
||||||
|
'first_name' => 'test',
|
||||||
|
'username' => 'test',
|
||||||
|
'company_id' => $companyB->id,
|
||||||
|
'redirect_option' => 'index'
|
||||||
|
])->assertRedirect(route('users.index'));
|
||||||
|
|
||||||
|
$asset->checkOut($user, $superUser);
|
||||||
|
|
||||||
|
// asset assigned, therefore error
|
||||||
|
$response = $this->actingAs($superUser)->patchJson(route('users.update', $user), [
|
||||||
|
'first_name' => 'test',
|
||||||
|
'username' => 'test',
|
||||||
|
'company_id' => $companyB->id,
|
||||||
|
'redirect_option' => 'index'
|
||||||
|
]);
|
||||||
|
|
||||||
|
$this->followRedirects($response)->assertSee('error');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue