Commit graph

51 commits

Author SHA1 Message Date
snipe e71e57f16a
Fixed XSS vulnerability in SVG image uploads [ch10476] (#7639)
* Added enshrined/svg-sanitize

* Added modular image resizing/SVG cleaning method

(This already exists in v5, so I mostly ported it forward and added the SVG sanitizer.)

* Use improved handleImages method to upload/resize/clean images

* Removed $old_image

This is handled in the ImageUpload request now
2019-12-05 22:23:05 -08:00
snipe 2dd31544fe Increased image size to 800px, added lightboxes 2019-05-24 19:11:08 -07:00
snipe 46f5f21368
Notification improvements (#5254)
* Added “show fields in email” to custom fields

* Added “show images in email” to settings

* Added nicer HTML emails

* Break notifications out into their own, instead of trying to mash them all together

* Remove old notification for accessory checkout

* Janky fix for #5076 - “The asset you have attempted to accept was not checked out to you”

* Add method for image url for accessories

* Added accessory checkout email blade

* Make accessory email notification on checkout screen consistent with assets

* Added native consumables notifications

* Fixes for asset notification

* Updated notification blades with correct-er fields

* Updated notifications

* License checkin notification - does not work yet

Need to figure out whether the license seat is assigned to a person or an asset before we can pass the target

* Added alternate “cc” email for admins

* Only try to trigger notifications if the target is a user

* Fix tests

* Fixed consumable URL

* Removed unused notification

* Pass target type in params

* Show slack status

* Pass additional parameters

There is a logic bug in this :( Will send to slack twice, since the admin CC and the user are both using the same notification. Fuckity fuck fuck fuck.

* Pass a variable to the notification to supress the duplicate slack message

* Slack is broken :( Trying to fix

Will try a git bisect

* Put preview back into checkout

* Pulled old archaic mail

* Removed debugging

* Fixed wrong email title

* Fixed slack endpoint not firing

* Poobot, we hardly knew ye.

* Removed old, manual mail from API

* Typo :-/

* Code cleanup

* Use defined formatted date in JSON

* Use static properties for checkin/checkout notifiers for cleaner code

* Removed debugging

* Use date formatter

* Fixed target_type

* Fixed language in consumable email
2018-03-25 13:46:57 -07:00
snipe 39c68214e9 More ajax menu fixes 2017-10-28 11:17:52 -07:00
snipe 6a3716a06d Added new ajax dropdown menus for components, consumables, etc editing/creating 2017-10-28 09:21:39 -07:00
snipe ea07517ad5 Added more ajax select2 boxes to checkouts, remove helper ->with() methods 2017-10-26 03:43:28 -07:00
snipe 75b527ab59 Features/image uploads (#4320)
* Locations API support for image

* Added manufacturers API support for image

* Added manufacturers API support for image

* Added image support for locations add/update

* Added manufacturer image upload support to controller

* General image string

* Added blade support for image uploads/delete image

* Added $request support (from Input::)

* Added image support in API transformers

* Added image to Manufacturers presenter for data table

* Migration to create image fields

* Ignore the contents of the new image directories

* Create new image upload directories

* Created components/consumables uploads directory

* Fixed missing textSearch scope from companies

* Added ignore for companies uploads directory

* Added blade support for image upload

* Fixed path to upload directory on edit

* Added company image upport to transformers, controllers

* Added image support for categories

* Added support for images in Departments

* Added support for image in Consumables

* Added image support for components
2017-10-25 22:35:58 -07:00
snipe ae567c08db Fixes incorrect language reference for consumables on checkout if consumable doesn’t exist 2017-10-19 03:44:01 -07:00
snipe 4d3d19ca2b Fixes older route reference in consumables 2017-10-19 02:07:31 -07:00
Daniel Meltzer 987536930c Assorted fixes (#3923)
* Fix some n+1 problems

* Use route in notification dropdown to make sure we link to correct page

* Work on better UI support for checkout to non-user.  Fix links on index bootstrap table, work towards eliminating assignedUser

* Remove Asset::assigneduser() relationship.  Instead add a checkedOutToUser() method and/or port to using assignedTo()

* Adjust string to fit new reality

* Fix #3780.  Move the consumables getDataView method to the ApiController.  Not entirely RESTful, but it's a weird method that probably doesn't need its own controller and the functionality would be strange to stack on the userscontroller...

* Fix file uploads to assets and restore the delete route.

* Add asset maintence edit action to index.

* Suppliers asset list should link to the related asset, not to the supplier with same ID.

* Asset models page should use polymorphic formatter on assigned to to better handle assorted item types.

* Comment out more assigneduser fallacy until we figure out the query builder approach to searching for location text.
2017-09-05 17:54:58 -07:00
Daniel Meltzer bb874012d9 Progress towards better email notifications (#3911)
Working mail from notification.  Still requires testing/cleaning

Add tests around checkout notification.

This also removes the ability to check out an asset to a location|asset
that requires acceptance/a Eula.  For 4.1 we may think about how to
support such a thing, but at present it seems to make sense to only alow
such assets to be checked out to users, who can be responsible for the
items.
2017-08-31 11:14:21 -07:00
snipe 770092f23f Added save/update/delete observers
This should make it easier to handle action logging between the GUI and the API
2017-06-15 20:54:14 -07:00
snipe 14f3868b46 Update all controllers to use laravel 5 return view method 2017-06-09 16:44:03 -07:00
snipe 5e9e6da577 Basic consumables API 2017-01-26 18:46:18 -08:00
Daniel Meltzer cafafe851c Notification rework (#3103)
* Move slack integration to laravel5.3 style notifications, part 1.

* Fix consumable tab when active.

* Move the slack notifiable to the settings model.  Move all slack notifications into logCheckout/logCheckin.  Should think about refactoring this as an event at some point still.  Move Asset checkin/checkout to use the general loggable trait rather than it's own solution.

* Fix a logic error where assets with a non deployable status would show checkin instead of no button at all.

* Fix an html formatting error that resulted in us not closing a form.  This would cause the checkin page to try to submit a delete request (related to the modal form) rather than the desired checkin request.  Also fix formatting in this file.
2016-12-26 15:19:04 -08:00
Daniel Meltzer 06af9311fc Move sanitization of input to the model attribute setters. This cleans up a lot of checks in the various controller methods and ensures data will be set in the model accurately regardless of where it's set. Add unit tests for these methods (#3102) 2016-12-26 15:17:46 -08:00
Daniel Meltzer 61543f3a04 Add presenters for models. (#3098)
* Add presenters for models.  Move bootstrap table JSON generation to these presenters, which cleans up controllers a lot.  Move view specific modifications from the models to the presenters as well.

* Fix some issues found by travis and codacy

* Fix a few more issues found while testing.

* Attempt another acceptance test fix

* Try something else

* Maybe..
2016-12-23 17:52:00 -08:00
Daniel Meltzer 323c3807fa Cleanup controller escaping (#3084)
* Make delete routes work.  We put a little form in the modal that spoofs the delete field.

* Fix route on creating a user.

* Fix redundant id parameter.

* Port acceptance tests to new urls.

* Initial work on migrating to model based policies instead of global gates.  Will allow for much more detailed permissions bits in the future.

* This needs to stay for the dashboard checks.

* Add user states for permissions to build tests.

* Build up unit tests for gates/permissions.  Move accessories/consumables/assets to policies instead of in authserviceprovider

* Migrate various locations to new syntax.  Update test to be more specific

* Fix functional tests.

Add an artisan command for installing a settings setup on travis-ci

* Try a different id... Need to come up with a better way of passing the id for tests that need an existing one.

* Try to fix travis

* Update urls to use routes and not hardcode old paths.  Also fix some migration errors found along the way.:

* Add a environment for travis functional tests.

* Adjust config file to make travis use it.

* Use redirect()->route instead of redirect()-to

* Dump all failures in the output directory if travis fails.

* Cleanups and minor fixes.

* Adjust the supplier modelfactory to comply with new validation restrictions.

* Some test fixes.

* Locales can be longer than 5 characters according to faker... fex gez_ET.  Increase lenght in mysql and add a validation

* Update test database dump to latest migrations.

* Extend Supplier phone/fax length.

This catches issues found in testing with a phone number with a five digit extension.  fex (356) 654-3024 x36632

Also move away from escaping all values put into eloquent.  Eloquent
already uses PDO parameter binding, and this was leading to names like
Mr Ryan O'Malley turning into an html escaped version of that name when
stored.  All values should be escaped when using {{}}, we'll just have
to be more cautious when we use {!!, but I think we already are?

* Remove additional escaping here, like we did in suppliers controller.

* No need to eager load all of these relationships when we can call the count on the querybuilder directly

* Work on controller cleanup

* Always start from scrach, catches more issues this way.

* Update sql dump.  Remove old code from permissions test.

* Generate a deletable item on demand in the test, rather than relying on one existing.  I think we should probably move to mock all the database stuff at some point..

* More travis related fixes

* Break script into multiple functional lines

* Update all controllers to use the new helper, also cleanup syntax and docblocks along the way.
2016-12-19 22:00:50 -08:00
Daniel Meltzer cd8c585377 Discussion: Moving to policies for controller based authorization (#3080)
* Make delete routes work.  We put a little form in the modal that spoofs the delete field.

* Fix route on creating a user.

* Fix redundant id parameter.

* Port acceptance tests to new urls.

* Initial work on migrating to model based policies instead of global gates.  Will allow for much more detailed permissions bits in the future.

* This needs to stay for the dashboard checks.

* Add user states for permissions to build tests.

* Build up unit tests for gates/permissions.  Move accessories/consumables/assets to policies instead of in authserviceprovider

* Migrate various locations to new syntax.  Update test to be more specific

* Fix functional tests.

Add an artisan command for installing a settings setup on travis-ci

* Try a different id... Need to come up with a better way of passing the id for tests that need an existing one.

* Try to fix travis

* Update urls to use routes and not hardcode old paths.  Also fix some migration errors found along the way.:

* Add a environment for travis functional tests.

* Adjust config file to make travis use it.

* Use redirect()->route instead of redirect()-to

* Dump all failures in the output directory if travis fails.

* Cleanups and minor fixes.

* Adjust the supplier modelfactory to comply with new validation restrictions.

* Some test fixes.

* Locales can be longer than 5 characters according to faker... fex gez_ET.  Increase lenght in mysql and add a validation

* Update test database dump to latest migrations.
2016-12-19 11:04:28 -08:00
snipe 4751bcd002 Use redirect()->route instead of ->to 2016-12-15 20:02:47 -08:00
snipe aab0933856 Use url() helper over URL::to 2016-12-15 16:41:36 -08:00
snipe cf2b57cb15 More for #3057 2016-12-15 15:15:11 -08:00
snipe e67b3e474f Use more RESTy method names, uses route names where possible (#3059, #3060) 2016-12-15 04:09:40 -08:00
snipe 863e200430 Hopefully fixes tons of PEBKAC where users have the wrong app.url 2016-12-14 08:20:05 -08:00
Daniel Meltzer d722ed3823 Partialize forms (#2884)
* Consolidate edit form elements into reusable partials.

This is a large code change that doesn't do much immediately.  It
refactors all of the various edit.blade.php files to reference
standardized partials, so that they all reference the same base html
layout. This has the side effect of moving everything to the new fancy
"required" indicators, and making things look consistent.

In addition, I've gone ahead and renamed a few database fields.  We had
Assetmodel::modelno and Consumable::model_no, I've renamed both to
model_number.  We had items using ::note and ::notes, I've standardized
on ::notes.  Component used total_qty where consumables and accessories
used qty, so I've moved everything to qty (And fixed a few bugs in the
helper file in the process.

TODO includes looking at how/where to place the modal javascripts to
allow for on the fly creation from all places, rather than just the
asset page.

Rename assetmodel::modelno to model_number for clarity and consistency

Rename consumable::model_no to model_number for clarity and consistency

Rename assetmodel::note to notes for clarity and consistency

Port asset and assetmodel to new partials layout.  Adapt all code to the renamed model_number and notes database changes.  Fix some stying.

* Share a settings variable with all views.

* Allow editing the per_page setting.  We showed the value, but we never showed it on the edit page..

* use snipeSettings in all views instead of the long ugly path.

* War on partials. Centralize all bootstrap table javascript

* Use model_number instead of modelno in importer

* Codacy fix.

* More unification/deduplication.  Create an edit form template layout that we use as the base for all edit forms.  This gives the same interface for editing everything and makes the edit.blade.* files much easier to read.

* Use a ViewComposer instead of sharing the variable directly.  Fixes artisan optimize trying to hit the db--which ruins new installs

* Fix DB seeder.

* Base sql dump and csv's to import data from for tests.

* Start some functional tests for creating items.

* Add functional tests for all create methods.  Still need to do tests for edits, deletes, and lots of other things

* Improvements to functional tests.

Use the built in DB seeding mechanism instead of doing it ourselves.
Break the tests into multiple units, rather than testing everything in
each function.

* Some improvements to acceptance tests.

Make sure we're only looking at the "trs" within the bootstrap table.
Creation of assets is now tested at the functional level (and is faster)
so ignore it here.

I'm testing acceptance tests with the
IMPORT_{ASSETS,ACCESSORIES,CONSUMABLES}.csv in the tests/_data folder
imported.

* A few things to make acceptance tests work.  Add a name to the companies table, and make the locations table have the correct name

* Use a .env.tests file for testing functional and unit to allow a separate database.

* Add functional tests for compoents, groups, and licenses.

* Now that the config is in the functional.yml, this just confuses things.

* Start some functional tests for creating items.

* Add functional tests for all create methods.  Still need to do tests for edits, deletes, and lots of other things

* Improvements to functional tests.

Use the built in DB seeding mechanism instead of doing it ourselves.
Break the tests into multiple units, rather than testing everything in
each function.

* Some improvements to acceptance tests.

Make sure we're only looking at the "trs" within the bootstrap table.
Creation of assets is now tested at the functional level (and is faster)
so ignore it here.

I'm testing acceptance tests with the
IMPORT_{ASSETS,ACCESSORIES,CONSUMABLES}.csv in the tests/_data folder
imported.

* update db dump

* Update tests to new reality

* env for the test setup

* only load the database at beginning of tests, not between each Functional test.

* Fix a miss from renaming note to notes.

* Set Termination date when creating an asset.  It was only set on edit.

* Rename serial_number to serial in components for consistency.

* Update validation rules to match limits in database.  Currently we just accepted the values and they were truncated when adding to DB.

* Much more detailed functional testing of creating items.  This checks to make sure all values on form have been successfully persisted to database.
2016-11-16 16:56:57 -08:00
Daniel Meltzer 3a8edfdf58 Eager load many more things. Fixes a lot of n+1 queries in ajax/bootstrap tables requests (#2832) 2016-10-28 14:15:13 -07:00
Daniel Meltzer e85241af6a Log checkouts (#2772)
* Ensure the log has a target before trying to fetch the associated company

* Log creation of items, both in importer and manually
2016-10-12 18:45:32 -07:00
snipe 9091385182 Merge branch 'hotfixes/purchase_cost' into develop
# Conflicts:
#	app/Http/Controllers/ReportsController.php
#	config/version.php
2016-09-27 19:13:21 -07:00
snipe ee2522571c Fixes #2673 2016-09-27 19:07:30 -07:00
Andrés Núñez 40f00665b3 Translate emails (#2652)
* commit temporal

* final translation commit -- added email translations

* final translation commit -- removed file for spanish translations

* final translation commit -- removed file for spanish translations

* added missing translations

* method overrided and config files back to default

* config files back to default

* config files back to default
2016-09-26 14:13:07 -07:00
snipe bd5e6d8551 Add reply-to config setting 2016-09-20 07:20:10 -07:00
Daniel Meltzer 2d8269ddcd Checkout Improvements, and initial support for requesting an asset model (#2573)
* Create a new action_log table to replace asset_log.  Use Polymorphism to generalize class and targets.  Port everything I can find to use it.  Add a migration to port the asset_logs table to action_logs.

* Initial work on requestable asset models

* Backend work for polymorphic requests table to store checkout requests.

* Add missing files

* Add a record to the db when requesting items.  Build up a testing route for interfacing with this.

* Users can now toggle requests of items on the request page.  Reformat page to use the same tab layout we use elsewhere

* Polymorphic request function.  Implement requesting of asset models.  Need to port mail/slack to notifications still.

* Implement requesting of asset models.  Build up emails and notifications to support it.  Allow specifying a quantity of model to request.

* Add view to show currently requested assets.  Needs some work and cleanup, but it isn't accessible from anywhere yet.
2016-09-15 19:58:27 -07:00
Daniel Meltzer e86adccf19 Actionlog Class: Improvements and polymorphism (#2561)
* Save progress

* Create a new action_log table to replace asset_log.  Use Polymorphism to generalize class and targets.  Port everything I can find to use it.  Add a migration to port the asset_logs table to action_logs.

* Allow accepted_id to be nullable.

* Comment out the thread_id migration, because it b0rks on a new database with the move.  I'm unsure if the thread_id does anything...It doesn't seem to be used

* Clean up all old methods from Actionlog model.  Port everything to use new cleaner interface.

* Port the actionlog factory to fix travis.

* Adjust code to work on php5.  Also fix lurking adminlog call.

* Remove weird code

* Port the pave command.  Also fix dangling adminlog
2016-09-06 19:39:42 -07:00
snipe 4419dc7434 Merge branch 'fix-double-format' of https://github.com/dmeltzer/snipe-it into dmeltzer-fix-double-format
# Conflicts:
#	app/Http/Controllers/ConsumablesController.php
#	app/Http/Controllers/LicensesController.php
#	resources/views/hardware/view.blade.php
2016-08-16 18:53:45 -07:00
Daniel Meltzer ac63642224 Add manufacturer to licenses (#2436)
* Add manufacturer to licenses.  Shows in table and edit.  Need to improve manufacturer view to show lists beyond assets still.

* Remove extra closing tags, formatting

* Work on making the manufacturer view show more options. Need to figure out how to change the table dynamically.

* Cleanup formatting and fix a few weirdities in hardware/view.blade.php

* Standardize on two-space tabs in this file, as it seems the most
* common.

* Fix a few places where we call number_format without guaranteeing the
* item is a number and not a string.

* Show a "No Results" message on components page if there are no
* components.

* Show table of licenses on manufacturer view page.

This reworks the ManufacturersController::getDataView method to delegate
the view to a sub method (currently assets or licenses, but plan to
extend to consumables/accessories/components as well).  We then put tabs
at the top of the view to show multiple tables.  This just duplicates
the table layout from licenses/index.blade, but I wonder if theres a way
to centralize that code, maybe through partials, over time..

The only known missing part of manufacturers for licenses would be adding it
to the importer, but the license importer should probably migrate to
object importer before doing too much more...

* Add manufacturer to accessory.

* Add consumables to the manufacturer view page.
2016-08-16 18:49:54 -07:00
Daniel Meltzer 5959f83de3 Rename parseCurrencyString to formatCurrencyOutput to clarify what it does better. 2016-08-16 20:47:53 -05:00
Daniel Meltzer 0c912bcf49 Fix more number_format madness.
This does two main things:
1) The importer now imports as numbers, not parsed strings.  This allows
is to format values on output instead of input, which is what was
happening in most places.

2) Add a Helper::parseCurrencyString method and port everything to use
this.  This checks to see if the value is numeric or empty, and returns
the appropriate value in all cases.  Should fix all known occurances of
number_format expections.
2016-08-16 20:41:28 -05:00
snipe 8246a319a2 Fixes #2363 and #1097 2016-08-02 00:54:38 -07:00
Daniel Meltzer e0938cf82d Scope to company when viewing assets (#2315)
* If a user doesn't belong to a company, when scoping to a company we should only show items that don't belong to a company.

* Scope tables/items to the company they belong to when fetching items for the index.

* Fix asset count to also scope to company.  This fixes dashboard view

* Exempt super users from the child company check to be consistent.  Fixes license count on dashboard now that we scope everything
2016-07-25 19:46:29 -07:00
Daniel Meltzer bf88cd8233 Check for variables to exist and not null rather than assuming it does. Fixes #2247. (#2248) 2016-07-12 21:03:23 -07:00
Daniel Meltzer cd9cca9c6b Modify Helper::categoryList() to take a category type parameter.
This allows for centralizing the category fetching code more and fixes
an error in asset model viewing (#2118).  Also add a few translated
strings and standardize on a base of 'Select a *' for the default value
in our lists.
2016-06-05 09:47:44 -05:00
Daniel Meltzer 4af5cdd64f asset_id is not allowed to be null in asset_log according to db schema. 0 it out here to make sqlite happy. 2016-05-31 19:41:14 -05:00
snipe e552c36a0a Add model_no, item_no, and manufacturer to consumables 2016-05-16 17:11:31 -07:00
snipe ba01b20ad4 Use updated redirect() reference 2016-04-28 21:06:41 -07:00
snipe bf728da39d Updated to use 5.2 trans() instead of Lang::get for localization 2016-04-07 13:39:35 -07:00
snipe a62859dc6d Updated docblocks 2016-04-07 13:21:09 -07:00
snipe 4a7b0c0d0f Updated docblocks 2016-03-28 22:51:49 -07:00
snipe a10da2e148 Fixes error loading consumables 2016-03-25 18:29:45 -07:00
snipe bddb7fca23 Additional doc blocks, added private_uploads path 2016-03-25 15:50:08 -07:00
snipe 27543d16f6 Additional escaping 2016-03-25 15:24:12 -07:00