Merge pull request #12910 from snipe/fixes/finer_permissions_for_bulk_assets

Added more granular permissions on bulk actions for assets
snipe 2023-04-25 08:09:30 -07:00 committed by GitHub
commit efc0929bbc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -29,7 +29,7 @@ class BulkAssetsController extends Controller
*/ */
public function edit(Request $request) public function edit(Request $request)
{ {
$this->authorize('update', Asset::class); $this->authorize('view', Asset::class);
if (! $request->filled('ids')) { if (! $request->filled('ids')) {
return redirect()->back()->with('error', trans('admin/hardware/message.update.no_assets_selected')); return redirect()->back()->with('error', trans('admin/hardware/message.update.no_assets_selected'));
@ -44,6 +44,7 @@ class BulkAssetsController extends Controller
if ($request->filled('bulk_actions')) { if ($request->filled('bulk_actions')) {
switch ($request->input('bulk_actions')) { switch ($request->input('bulk_actions')) {
case 'labels': case 'labels':
$this->authorize('view', Asset::class);
return view('hardware/labels') return view('hardware/labels')
->with('assets', Asset::find($asset_ids)) ->with('assets', Asset::find($asset_ids))
->with('settings', Setting::getSettings()) ->with('settings', Setting::getSettings())
@ -51,6 +52,7 @@ class BulkAssetsController extends Controller
->with('count', 0); ->with('count', 0);
case 'delete': case 'delete':
$this->authorize('delete', Asset::class);
$assets = Asset::with('assignedTo', 'location')->find($asset_ids); $assets = Asset::with('assignedTo', 'location')->find($asset_ids);
$assets->each(function ($asset) { $assets->each(function ($asset) {
$this->authorize('delete', $asset); $this->authorize('delete', $asset);
@ -59,6 +61,7 @@ class BulkAssetsController extends Controller
return view('hardware/bulk-delete')->with('assets', $assets); return view('hardware/bulk-delete')->with('assets', $assets);
case 'restore': case 'restore':
$this->authorize('update', Asset::class);
$assets = Asset::withTrashed()->find($asset_ids); $assets = Asset::withTrashed()->find($asset_ids);
$assets->each(function ($asset) { $assets->each(function ($asset) {
$this->authorize('delete', $asset); $this->authorize('delete', $asset);
@ -67,6 +70,7 @@ class BulkAssetsController extends Controller
return view('hardware/bulk-restore')->with('assets', $assets); return view('hardware/bulk-restore')->with('assets', $assets);
case 'edit': case 'edit':
$this->authorize('update', Asset::class);
return view('hardware/bulk') return view('hardware/bulk')
->with('assets', $asset_ids) ->with('assets', $asset_ids)
->with('statuslabel_list', Helper::statusLabelList()); ->with('statuslabel_list', Helper::statusLabelList());
@ -333,6 +337,7 @@ class BulkAssetsController extends Controller
} }
public function restore(Request $request) { public function restore(Request $request) {
$this->authorize('update', Asset::class);
$assetIds = $request->get('ids'); $assetIds = $request->get('ids');
if (empty($assetIds)) { if (empty($assetIds)) {
return redirect()->route('hardware.index')->with('error', trans('admin/hardware/message.restore.nothing_updated')); return redirect()->route('hardware.index')->with('error', trans('admin/hardware/message.restore.nothing_updated'));
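Review bot: Lowering the gate at the top of `edit()` from `update` to `view` means every path through the method now needs its own check, and the hunks show one only inside the four `case` bodies, so a `bulk_actions` value that matches no case, or a request without `bulk_actions`, reaches whatever follows the switch with view permission only. The end of the switch and the lines between the first two hunks are outside the visible hunks, so this may already be handled; if it is not, a `default:` arm that re-asserts the stricter ability, e.g. `$this->authorize('update', Asset::class);`, keeps the pre-change behaviour for unlisted actions. Separately, the `restore` case now requires `update` on the class while the per-asset check inside `each()` still asks for `delete`, so a user needs both abilities to get through. If that is intended it deserves a comment such as `// restore needs update on the class and delete on each asset`; otherwise the two checks should name the same ability, and the `restore()` method, whose body continues outside the last hunk, should be checked for the same pairing.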