Commit graph

48 commits

Author SHA1 Message Date
snipe dcab1381e7 Check for licenses.files permissions
Signed-off-by: snipe <snipe@snipe.net>
2022-09-16 14:00:27 -07:00
snipe b876d0abb0 Merge remote-tracking branch 'origin/master' into develop
Signed-off-by: snipe <snipe@snipe.net>

# Conflicts:
#	.env.example
#	app/Http/Controllers/Auth/LoginController.php
#	app/Http/Kernel.php
#	app/Http/Transformers/ActionlogsTransformer.php
#	app/Importer/AssetImporter.php
#	app/Models/Accessory.php
#	app/Models/Consumable.php
#	app/Presenters/AccessoryPresenter.php
#	app/Presenters/ComponentPresenter.php
#	app/Presenters/ConsumablePresenter.php
#	app/Providers/AuthServiceProvider.php
#	composer.json
#	composer.lock
#	config/app.php
#	config/cors.php
#	config/version.php
#	package-lock.json
#	public/js/build/app.js
#	public/js/build/app.js.LICENSE.txt
#	public/js/dist/all.js
#	public/mix-manifest.json
#	resources/views/accessories/view.blade.php
#	resources/views/consumables/view.blade.php
#	resources/views/settings/saml.blade.php
#	routes/api.php
2022-03-03 21:59:38 -08:00
snipe 2eef43e8bf
Applies develop fix to master for location drop downs 2022-03-01 12:43:35 -08:00
Andrew Roth 2e60420aeb Fix for location and model drop down with granular permissions. 2022-02-28 17:38:38 -05:00
snipe dd5f812d88 Merge remote-tracking branch 'origin/master' into develop
Signed-off-by: snipe <snipe@snipe.net>

# Conflicts:
#	.all-contributorsrc
#	README.md
#	app/Console/Commands/FixDoubleEscape.php
#	app/Console/Commands/LdapSync.php
#	app/Exceptions/Handler.php
#	app/Http/Controllers/Api/AssetMaintenancesController.php
#	app/Http/Controllers/Api/AssetModelsController.php
#	app/Http/Controllers/Api/AssetsController.php
#	app/Http/Controllers/Api/CategoriesController.php
#	app/Http/Controllers/Api/CompaniesController.php
#	app/Http/Controllers/Api/DepartmentsController.php
#	app/Http/Controllers/Api/LicensesController.php
#	app/Http/Controllers/Api/LocationsController.php
#	app/Http/Controllers/Api/ManufacturersController.php
#	app/Http/Controllers/Api/SettingsController.php
#	app/Http/Controllers/Api/SuppliersController.php
#	app/Http/Controllers/AssetModelsController.php
#	app/Http/Controllers/Auth/LoginController.php
#	app/Http/Controllers/CustomFieldsController.php
#	app/Http/Controllers/SettingsController.php
#	app/Models/Loggable.php
#	app/Providers/AuthServiceProvider.php
#	config/version.php
#	database/migrations/2014_11_04_231416_update_group_field_for_reporting.php
#	database/migrations/2015_11_08_222305_add_ldap_fields_to_settings.php
#	package-lock.json
#	package.json
#	public/js/build/app.js
#	public/js/dist/all.js
#	public/mix-manifest.json
#	resources/assets/js/components/forms/asset-models/fieldset-default-values.vue
#	resources/views/hardware/view.blade.php
2022-02-20 13:29:12 -08:00
snipe d6b8222371 Refactor to combine permissions
Signed-off-by: snipe <snipe@snipe.net>
2022-02-11 12:48:30 -08:00
snipe 2c5abaaea4 Fixed copypasta
Signed-off-by: snipe <snipe@snipe.net>
2022-02-11 12:32:09 -08:00
snipe c1a0653847 Restrict to update or create gate methods for select lists
Signed-off-by: snipe <snipe@snipe.net>
2022-02-11 12:31:11 -08:00
snipe 9226c8292d Fixed typos in comments
Signed-off-by: snipe <snipe@snipe.net>
2022-02-11 12:02:14 -08:00
snipe 5fafa81dc1 Forgot components
Signed-off-by: snipe <snipe@snipe.net>
2022-02-11 11:57:29 -08:00
snipe b30d1dce89 Removed selectlist
Signed-off-by: snipe <snipe@snipe.net>
2022-02-11 11:55:24 -08:00
snipe 2dad27eed6 Added additional gate for selectlists
Signed-off-by: snipe <snipe@snipe.net>
2022-02-11 11:46:14 -08:00
Laravel Shift 934afa036f Adopt Laravel coding style
Shift automatically applies the Laravel coding style - which uses the PSR-2 coding style as a base with some minor additions.

You may customize the adopted coding style by adding your own [PHP CS Fixer][1] `.php_cs` config file to your project root. Feel free to use [Shift's Laravel ruleset][2] to help you get started.

[1]: https://github.com/FriendsOfPHP/PHP-CS-Fixer
[2]: https://gist.github.com/laravel-shift/cab527923ed2a109dda047b97d53c200
2021-06-10 20:15:52 +00:00
snipe a48d09f37e
Fixed non-superadmin gate permissions for kits (#9029) 2021-01-26 11:56:42 -08:00
snipe 5abfbdd1d2 Allow API token expiration in years to be configured via env 2020-11-09 22:52:55 -08:00
snipe 460485d843 Make API tokens expire in 20 years
TODO: Make this configurable and report the expiration in the UI
2020-11-09 22:33:43 -08:00
snipe 296de34e8a
WIP: Upgrade develop to Laravel 6.6.1 (#7637)
I'm going ahead and merging this, since the upgrade doesn't break Flysystem any worse than the current develop is broken, so far as I can tell. 


* Upgraded framework to Laravel 6

### TO DO:

- Fix password restriction rules- the old library isn’t compatible with Laravel 6 :(
- Figure out why in-app API calls are returning “Unauthorized”

* More updates from Input:: to Request:: helper

* Switch to Request:: from Input

* Added passport config

* Fixed goofy password minimum in seeder

* Added laravel/helpers

* Changed ($item)  to ($item->id) in forms

I have no idea why this is necessary

* Changed ($item) to ($item->id) in forms

* Updated API middleware to auth:api

* Updated with added laravel auth.php values

* FIxed *&!^$%^&$^%!!!! ajax issue

* Switch to Request::get from Input::get

* Switched to Request facade

* Added password security minimums back in

The package we were using has not been updated to Laravel v6, so I created custom validators instead

* Added language strings for error messages for password rules

* Fixed `($item)` issue in formActions for partials
2019-12-10 19:32:50 -08:00
snipe bca82684a1 Merge branch 'hotfixes/2fa_qr' into develop
# Conflicts:
#	.all-contributorsrc
#	Dockerfile
#	README.md
#	app/Console/Commands/LdapSync.php
#	app/Http/Controllers/Api/ImportController.php
#	app/Http/Controllers/AssetModelsController.php
#	app/Http/Controllers/Assets/AssetsController.php
#	app/Http/Controllers/Auth/LoginController.php
#	app/Http/Controllers/CategoriesController.php
#	app/Http/Controllers/CompaniesController.php
#	app/Http/Controllers/DepartmentsController.php
#	app/Http/Controllers/ImportsController.php
#	app/Http/Controllers/LocationsController.php
#	app/Http/Controllers/ManufacturersController.php
#	app/Http/Controllers/SuppliersController.php
#	app/Http/Requests/ItemImportRequest.php
#	app/Http/Transformers/ActionlogsTransformer.php
#	composer.json
#	composer.lock
#	config/app.php
#	config/version.php
#	docker/startup.sh
#	public/css/build/all.css
#	public/css/dist/all.css
#	public/js/build/all.js
#	public/js/build/vue.js
#	public/js/build/vue.js.map
#	public/js/dist/all.js
#	public/mix-manifest.json
2019-03-20 02:17:02 -07:00
snipe 7b33f95e83
Fixes/import permissions mask (#6826)
* Check for empty headers in import

* Added import permission

* Fixed model path in docblock

* Added import gate to default blade

* Check if the user is an admin OR idf they have import permissions

* Walked back that admin permission

Since admins are bound by full company support, it makes less sense to let admins have this permission by default, versus having them specifically designated to the import permission
2019-03-18 11:58:08 -07:00
Martin Meredith e3e0d57f56 Minor code cleanup bits and bobs (#6805)
* Add IDE Helper files

* Cleanup imports

- Alphabetises imports
- Removes unused imports

* Add Platform requirements

* Move filling asset into block where asset exists

* Remove duplicate array keys
2019-03-13 20:12:03 -07:00
snipe e4f6aefdad Added self-checkout permission option 2018-08-21 23:26:12 -07:00
snipe 376eb52f00 Fixed #5938 - added “self location edit” as permission 2018-07-24 12:42:16 -07:00
Till Deeke 27699aa99c Adds permission checks for custom fields and custom fieldsets (#5645) (#5795)
* adds permission checks to custom fields

* adds permission checks to custom fieldsets

* adds separate permissions for custom fieldsets

* check for permissions in views

* Removes custom fieldsets from permissions config

* Proxy the authorization for custom fieldsets down to custom fields.

This allows us to use the existing permissions in use and have more semantically correct authorization checks for custom fieldsets.

* simplifies the authorization check for the custom fields overview

* removes special handling of custom fieldsets in base policy

I just realised that this code duplicates the logic from the custom fieldset policy.
Since we are checking for the authorization of custom fields anyway, we can just use the columnName for the fields.

* cleanup of unused imports
2018-07-12 18:28:20 -07:00
snipe 1d130b4a89 Fixed asset model permission not granted for edit 2018-03-07 18:22:49 -08:00
snipe c4db8d37c2 Fixed #5168 - users without superadmin could not see custom fields UI even if granted 2018-03-07 13:37:37 -08:00
Daniel Meltzer 9ee2c6be57 Api tests2 (#5098)
* Cleanup

* API tests for asset models and related cleanup/improvements

* Api license test.  Tests incomplete because create/update/destroy are not implemented yet in the controller

* API Category tests.

* Manufacturers API Test.

* Implement License Create/Update/Delete Methods for API and enable test.

* Add missing gate for api.  Fixes only superadmins being able to generate Personal Access Toekns
2018-02-25 12:10:02 -08:00
snipe c242abb42e Added Company policy to fix company deletion issue 2018-01-19 17:51:28 -08:00
snipe defed52caa Fixed #4596 - manufacturer gate 2017-12-07 20:59:55 -08:00
Daniel Meltzer 3cea12565b Add missing policies (#4330)
* Add Authorizable trait and interface to our user model so we have access to User::can/User::cant.  We should take a look at where else our user model has diverged from Larvel since it was created...

* Policy cleanup/fixes.

This commit adds policies for the missing backend/"settings" areas.  The
permissions were implemented a while back but the policies did not, so
authorizing actions was failing.

In addition, this condenses a lot of code in the policies into base
classes.  Most of the files were identical except for table names, so we
move all of the checks into a base class and override the table name in
each policy.

* Use a better name and permission for the check in the default layout.
2017-10-27 18:01:11 -07:00
snipe d4e3ea1412 Derp 2017-10-07 15:07:31 -07:00
snipe c5462c5f1f Not sure why this isn’t working… commenting it out for now 2017-10-07 14:52:00 -07:00
snipe 8c406e8e55 Additional auth policies 2017-10-07 14:49:47 -07:00
snipe 841e3efe96 Add passport commands to boot() to allow us to call them via PHP 2017-04-27 07:09:46 -07:00
snipe 93a087b29a Set longer token expiration 2017-01-11 14:50:26 -08:00
snipe b5ddd9ab0a More vue/api work 2017-01-11 03:38:55 -08:00
Daniel Meltzer cd8c585377 Discussion: Moving to policies for controller based authorization (#3080)
* Make delete routes work.  We put a little form in the modal that spoofs the delete field.

* Fix route on creating a user.

* Fix redundant id parameter.

* Port acceptance tests to new urls.

* Initial work on migrating to model based policies instead of global gates.  Will allow for much more detailed permissions bits in the future.

* This needs to stay for the dashboard checks.

* Add user states for permissions to build tests.

* Build up unit tests for gates/permissions.  Move accessories/consumables/assets to policies instead of in authserviceprovider

* Migrate various locations to new syntax.  Update test to be more specific

* Fix functional tests.

Add an artisan command for installing a settings setup on travis-ci

* Try a different id... Need to come up with a better way of passing the id for tests that need an existing one.

* Try to fix travis

* Update urls to use routes and not hardcode old paths.  Also fix some migration errors found along the way.:

* Add a environment for travis functional tests.

* Adjust config file to make travis use it.

* Use redirect()->route instead of redirect()-to

* Dump all failures in the output directory if travis fails.

* Cleanups and minor fixes.

* Adjust the supplier modelfactory to comply with new validation restrictions.

* Some test fixes.

* Locales can be longer than 5 characters according to faker... fex gez_ET.  Increase lenght in mysql and add a validation

* Update test database dump to latest migrations.
2016-12-19 11:04:28 -08:00
snipe 25f60264bd Passport scaffolding 2016-12-14 10:06:05 -08:00
snipe b83f73f7d6 Updated providers for 5.3 2016-12-14 04:32:24 -08:00
snipe cbfcf959f9 Allow certain users to override 2FA with permission 2016-10-31 16:52:25 -07:00
Brady Wetherington 7ca7877740 Fix mismerged code. (#2705) 2016-09-28 22:57:19 -07:00
snipe a8f79369ee Added components checkout gate 2016-09-07 01:15:14 -07:00
snipe 4ffea7ceaa Fixes #2406 - added missing gate for assets.edit 2016-08-09 16:38:43 -07:00
snipe 8246a319a2 Fixes #2363 and #1097 2016-08-02 00:54:38 -07:00
snipe 85232c47da Merge branch 'develop' of github.com:snipe/snipe-it into develop 2016-07-28 21:31:58 -07:00
snipe 47f6635992 A few more permissions tweaks 2016-07-28 21:31:53 -07:00
Daniel Meltzer eef8d1609e Small fixes (#2350)
* components.view should point to view, not create

* Fix comment

* Rename variable to accurately reflect its responsibility

* Fix line breaks in serial key, remove places where adding line breaks makes no sense.  Fixes #2344
2016-07-28 20:59:42 -07:00
snipe 5de6b8e016 Added gates to authservice provider for finer tuned permissions 2016-06-02 02:40:49 -07:00
snipe fe00b0e401 Version 3 - hold onto your butts 2016-03-25 01:18:05 -07:00