Apply fix around view-assets to pass request parameter and profile controller to address request parameter

iryadifarhan · iryadifarhan · commit d4561581adc3 · 2025-11-27T13:42:47.000+07:00
diff --git a/app/Http/Controllers/Api/ProfileController.php b/app/Http/Controllers/Api/ProfileController.php
@@ -14,6 +14,7 @@
 use Illuminate\Contracts\Validation\Factory as ValidationFactory;
 use Illuminate\Support\Facades\Gate;
 use App\Models\CustomField;
+use App\Models\User;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Http\JsonResponse;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
@@ -179,10 +180,17 @@ public function showApiTokens() : JsonResponse
      *@since [v8.1.16]
      * @author [Godfrey Martinez] [<gmartinez@grokability.com>]
      */
-    public function eulas(ProfileTransformer $transformer)
+    public function eulas(ProfileTransformer $transformer, Request $request)
     {
-        // Only return this user's EULAs
-        $eulas = auth()->user()->eulas;
+        if($request->filled('user_id') && $request->input('user_id') != 0) {
+            // Return selected user's EULAs
+            $eulas = User::find($request->input('user_id'))->eulas;
+        }
+        else {
+            // Only return this user's EULAs
+            $eulas = auth()->user()->eulas;
+        }
+
         return response()->json(
             $transformer->transformFiles($eulas, $eulas->count())
         );
diff --git a/app/Http/Controllers/ProfileController.php b/app/Http/Controllers/ProfileController.php
@@ -5,6 +5,7 @@
 use App\Http\Requests\ImageUploadRequest;
 use App\Http\Transformers\ProfileTransformer;
 use App\Models\Actionlog;
+use App\Models\Asset;
 use App\Models\Setting;
 use App\Models\User;
 use App\Notifications\CurrentInventory;
@@ -249,7 +250,10 @@ public function getStoredEula($filename) : Response | BinaryFileResponse | Redir
         $logentry = Actionlog::where('filename', $filename)->first();
 
         // Make sure the user has permission to view this file
-        if (auth()->id() != $logentry->target_id) {
+        // Also allow if the user (manager) able to view both users and assets
+        $allowed_to_view_users_assets = Gate::allows('view', User::class) && Gate::allows('view', Asset::class);
+
+        if (auth()->id() != $logentry->target_id && !$allowed_to_view_users_assets) {
             return redirect()->route('account')->with('error', trans('general.generic_model_not_found', ['model' => 'file']));
         }
 
diff --git a/resources/views/account/view-assets.blade.php b/resources/views/account/view-assets.blade.php
@@ -759,7 +759,7 @@ class="table table-striped snipe-table table-hover"
                     data-sort-order="asc"
                     data-sort-name="name"
                     class="table table-striped snipe-table table-hover"
-                    data-url="{{ route('api.self.eulas') }}"
+                    data-url="{{ route('api.self.eulas', ['user_id' => e(request('user_id'))]) }}"
                     data-export-options='{
                     "fileName": "export-eula-{{ str_slug($user->username) }}-{{ date('Y-m-d') }}",
                     "ignoreColumn": ["actions","image","change","checkbox","checkincheckout","delete","purchasecost", "icon"]
