Merge pull request #10662 from snipe/fixes/tighter_security_on_select_lists

snipe · web-flow · commit 10c26f38c4cd · 2022-02-11T12:48:55.000-08:00
Added additional gate for selectlists
diff --git a/app/Http/Controllers/Api/AssetModelsController.php b/app/Http/Controllers/Api/AssetModelsController.php
@@ -234,6 +234,7 @@ public function destroy($id)
     public function selectlist(Request $request)
     {
 
+        $this->authorize('view.selectlists');
         $assetmodels = AssetModel::select([
             'models.id',
             'models.name',
diff --git a/app/Http/Controllers/Api/CategoriesController.php b/app/Http/Controllers/Api/CategoriesController.php
@@ -148,7 +148,7 @@ public function destroy($id)
      */
     public function selectlist(Request $request, $category_type = 'asset')
     {
-
+        $this->authorize('view.selectlists');
         $categories = Category::select([
             'id',
             'name',
diff --git a/app/Http/Controllers/Api/CompaniesController.php b/app/Http/Controllers/Api/CompaniesController.php
@@ -159,7 +159,7 @@ public function destroy($id)
      */
     public function selectlist(Request $request)
     {
-
+        $this->authorize('view.selectlists');
         $companies = Company::select([
             'companies.id',
             'companies.name',
diff --git a/app/Http/Controllers/Api/DepartmentsController.php b/app/Http/Controllers/Api/DepartmentsController.php
@@ -168,6 +168,7 @@ public function destroy($id)
     public function selectlist(Request $request)
     {
 
+        $this->authorize('view.selectlists');
         $departments = Department::select([
             'id',
             'name',
diff --git a/app/Http/Controllers/Api/LocationsController.php b/app/Http/Controllers/Api/LocationsController.php
@@ -223,6 +223,8 @@ public function destroy($id)
     public function selectlist(Request $request)
     {
 
+        $this->authorize('view.selectlists');
+
         $locations = Location::select([
             'locations.id',
             'locations.name',
diff --git a/app/Http/Controllers/Api/ManufacturersController.php b/app/Http/Controllers/Api/ManufacturersController.php
@@ -155,6 +155,7 @@ public function destroy($id)
     public function selectlist(Request $request)
     {
 
+        $this->authorize('view.selectlists');
         $manufacturers = Manufacturer::select([
             'id',
             'name',
diff --git a/app/Http/Controllers/Api/SuppliersController.php b/app/Http/Controllers/Api/SuppliersController.php
@@ -155,6 +155,8 @@ public function destroy($id)
     public function selectlist(Request $request)
     {
 
+        $this->authorize('view.selectlists');
+
         $suppliers = Supplier::select([
             'id',
             'name',
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
@@ -156,6 +156,8 @@ public function boot()
             return $user->hasAccess('self.checkout_assets');
         });
 
+        // This is largely used to determine whether to display the gear icon sidenav 
+        // in the left-side navigation
         Gate::define('backend.interact', function ($user) {
             return $user->can('view', Statuslabel::class)
                 || $user->can('view', AssetModel::class)
@@ -168,7 +170,21 @@ public function boot()
                 || $user->can('view', Manufacturer::class)
                 || $user->can('view', CustomField::class)
                 || $user->can('view', CustomFieldset::class)                
-                || $user->can('view', Depreciation::class);
+                || $user->can('view', Depreciation::class); 
+        });
+
+
+        // This  determines whether or not an API user should be able to get the selectlists.
+        // This can seem a little confusing, since view properties may not have been granted
+        // to the logged in API user, but creating assets, licenses, etc won't work 
+        // if the user can't view and interact with the select lists.
+        Gate::define('view.selectlists', function ($user) {
+            return $user->can(['create','update'], Asset::class) 
+                || $user->can(['create','update'], License::class)   
+                || $user->can(['create','update'], Component::class)
+                || $user->can(['create','update'], Consumable::class)   
+                || $user->can(['create','update'], Accessory::class)   
+                || $user->can(['create','update'], User::class);   
         });
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -234,6 +234,7 @@ public function destroy($id)`
`234`	`234`	`public function selectlist(Request $request)`
`235`	`235`	`{`
`236`	`236`
	`237`	`+ $this->authorize('view.selectlists');`
`237`	`238`	`$assetmodels = AssetModel::select([`
`238`	`239`	`'models.id',`
`239`	`240`	`'models.name',`
Original file line number	Diff line number	Diff line change
`@@ -148,7 +148,7 @@ public function destroy($id)`
`148`	`148`	`*/`
`149`	`149`	`public function selectlist(Request $request, $category_type = 'asset')`
`150`	`150`	`{`
`151`		`-`
	`151`	`+ $this->authorize('view.selectlists');`
`152`	`152`	`$categories = Category::select([`
`153`	`153`	`'id',`
`154`	`154`	`'name',`
Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,7 @@ public function destroy($id)`
`159`	`159`	`*/`
`160`	`160`	`public function selectlist(Request $request)`
`161`	`161`	`{`
`162`		`-`
	`162`	`+ $this->authorize('view.selectlists');`
`163`	`163`	`$companies = Company::select([`
`164`	`164`	`'companies.id',`
`165`	`165`	`'companies.name',`
Original file line number	Diff line number	Diff line change
`@@ -168,6 +168,7 @@ public function destroy($id)`
`168`	`168`	`public function selectlist(Request $request)`
`169`	`169`	`{`
`170`	`170`
	`171`	`+ $this->authorize('view.selectlists');`
`171`	`172`	`$departments = Department::select([`
`172`	`173`	`'id',`
`173`	`174`	`'name',`
Original file line number	Diff line number	Diff line change
`@@ -223,6 +223,8 @@ public function destroy($id)`
`223`	`223`	`public function selectlist(Request $request)`
`224`	`224`	`{`
`225`	`225`
	`226`	`+ $this->authorize('view.selectlists');`
	`227`	`+`
`226`	`228`	`$locations = Location::select([`
`227`	`229`	`'locations.id',`
`228`	`230`	`'locations.name',`
Original file line number	Diff line number	Diff line change
`@@ -155,6 +155,7 @@ public function destroy($id)`
`155`	`155`	`public function selectlist(Request $request)`
`156`	`156`	`{`
`157`	`157`
	`158`	`+ $this->authorize('view.selectlists');`
`158`	`159`	`$manufacturers = Manufacturer::select([`
`159`	`160`	`'id',`
`160`	`161`	`'name',`
Original file line number	Diff line number	Diff line change
`@@ -155,6 +155,8 @@ public function destroy($id)`
`155`	`155`	`public function selectlist(Request $request)`
`156`	`156`	`{`
`157`	`157`
	`158`	`+ $this->authorize('view.selectlists');`
	`159`	`+`
`158`	`160`	`$suppliers = Supplier::select([`
`159`	`161`	`'id',`
`160`	`162`	`'name',`