From 3d9d18a0d56e597c9eb1aecbe231294f75a16cfb Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 19:22:23 +0100
Subject: [PATCH 01/29] Fixed weird CSS quirk

Signed-off-by: snipe <snipe@snipe.net>
---
 public/css/build/app.css             | 3 +++
 public/css/build/overrides.css       | 3 +++
 public/css/dist/all.css              | 6 ++++++
 public/mix-manifest.json             | 6 +++---
 resources/assets/less/overrides.less | 5 +++++
 5 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/public/css/build/app.css b/public/css/build/app.css
index f139c052cf..b6c2073aeb 100644
--- a/public/css/build/app.css
+++ b/public/css/build/app.css
@@ -1429,6 +1429,9 @@ input[type="radio"]:checked::before {
 .bootstrap-table .fixed-table-container .table tbody tr .card-view {
   display: table-row !important;
 }
+.form-control-static {
+  padding-top: 0px;
+}
 td.text-right.text-padding-number-cell {
   padding-right: 30px !important;
   white-space: nowrap;
diff --git a/public/css/build/overrides.css b/public/css/build/overrides.css
index aa8e28acbb..34a882ff8b 100644
--- a/public/css/build/overrides.css
+++ b/public/css/build/overrides.css
@@ -1050,6 +1050,9 @@ input[type="radio"]:checked::before {
 .bootstrap-table .fixed-table-container .table tbody tr .card-view {
   display: table-row !important;
 }
+.form-control-static {
+  padding-top: 0px;
+}
 td.text-right.text-padding-number-cell {
   padding-right: 30px !important;
   white-space: nowrap;
diff --git a/public/css/dist/all.css b/public/css/dist/all.css
index 5d809f514e..0924af427a 100644
--- a/public/css/dist/all.css
+++ b/public/css/dist/all.css
@@ -22764,6 +22764,9 @@ input[type="radio"]:checked::before {
 .bootstrap-table .fixed-table-container .table tbody tr .card-view {
   display: table-row !important;
 }
+.form-control-static {
+  padding-top: 0px;
+}
 td.text-right.text-padding-number-cell {
   padding-right: 30px !important;
   white-space: nowrap;
@@ -24337,6 +24340,9 @@ input[type="radio"]:checked::before {
 .bootstrap-table .fixed-table-container .table tbody tr .card-view {
   display: table-row !important;
 }
+.form-control-static {
+  padding-top: 0px;
+}
 td.text-right.text-padding-number-cell {
   padding-right: 30px !important;
   white-space: nowrap;
diff --git a/public/mix-manifest.json b/public/mix-manifest.json
index e4dee94e3d..37f6ae70bb 100644
--- a/public/mix-manifest.json
+++ b/public/mix-manifest.json
@@ -2,8 +2,8 @@
     "/js/build/app.js": "/js/build/app.js?id=19253af36b58ed3fb6770c7bb944f079",
     "/css/dist/skins/skin-black-dark.css": "/css/dist/skins/skin-black-dark.css?id=78bfb1c7b5782df4fb0ac7e36f80f847",
     "/css/dist/skins/_all-skins.css": "/css/dist/skins/_all-skins.css?id=503d0b09e157a22f555e3670d1ec9bb5",
-    "/css/build/overrides.css": "/css/build/overrides.css?id=2bfc7b71d951c5ac026dbc034f7373b1",
-    "/css/build/app.css": "/css/build/app.css?id=4b4c2f1225d59efa7a22b76f7bbe39d8",
+    "/css/build/overrides.css": "/css/build/overrides.css?id=f2822e504d454229b662569ee39c579d",
+    "/css/build/app.css": "/css/build/app.css?id=945d335018cdbccc366d239b6c7d67d6",
     "/css/build/AdminLTE.css": "/css/build/AdminLTE.css?id=4ea0068716c1bb2434d87a16d51b98c9",
     "/css/dist/skins/skin-yellow.css": "/css/dist/skins/skin-yellow.css?id=7b315b9612b8fde8f9c5b0ddb6bba690",
     "/css/dist/skins/skin-yellow-dark.css": "/css/dist/skins/skin-yellow-dark.css?id=f6b2e7fa795596ac4754500c9c30eacc",
@@ -19,7 +19,7 @@
     "/css/dist/skins/skin-blue.css": "/css/dist/skins/skin-blue.css?id=a82b065847bf3cd5d713c04ee8dc86c6",
     "/css/dist/skins/skin-blue-dark.css": "/css/dist/skins/skin-blue-dark.css?id=7aacfabbafd138c5af6420609f97820d",
     "/css/dist/skins/skin-black.css": "/css/dist/skins/skin-black.css?id=76482123f6c70e866d6b971ba91de7bb",
-    "/css/dist/all.css": "/css/dist/all.css?id=12e96a25d0dc3ee39e9d3ce97044fbbf",
+    "/css/dist/all.css": "/css/dist/all.css?id=8867854784ed3c7ec07d84940894fd47",
     "/css/dist/signature-pad.css": "/css/dist/signature-pad.css?id=6a89d3cd901305e66ced1cf5f13147f7",
     "/css/dist/signature-pad.min.css": "/css/dist/signature-pad.min.css?id=6a89d3cd901305e66ced1cf5f13147f7",
     "/js/select2/i18n/af.js": "/js/select2/i18n/af.js?id=4f6fcd73488ce79fae1b7a90aceaecde",
diff --git a/resources/assets/less/overrides.less b/resources/assets/less/overrides.less
index e072e4b1e4..ab932ddfbf 100644
--- a/resources/assets/less/overrides.less
+++ b/resources/assets/less/overrides.less
@@ -1165,6 +1165,11 @@ input[type="radio"]:checked::before {
   display: table-row !important;
 }
 
+.form-control-static {
+  padding-top: 0px;
+}
+
+
 td.text-right.text-padding-number-cell {
   padding-right: 30px !important;
   white-space: nowrap;

From c7280953dd2f00ad6c6a3513b0c93773e2055b35 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 20:08:32 +0100
Subject: [PATCH 02/29] Added/updated tests

Signed-off-by: snipe <snipe@snipe.net>
---
 tests/Feature/Users/Api/UpdateUserTest.php | 39 +++++++--
 tests/Feature/Users/Ui/UpdateUserTest.php  | 96 ++++++++++++++++++++--
 2 files changed, 122 insertions(+), 13 deletions(-)

diff --git a/tests/Feature/Users/Api/UpdateUserTest.php b/tests/Feature/Users/Api/UpdateUserTest.php
index e70471770f..a581256dbf 100644
--- a/tests/Feature/Users/Api/UpdateUserTest.php
+++ b/tests/Feature/Users/Api/UpdateUserTest.php
@@ -109,7 +109,7 @@ class UpdateUserTest extends TestCase
                 'password' => 'super-secret',
                 'password_confirmation' => 'super-secret',
                 'email' => 'mabel@onlymurderspod.com',
-                'permissions' => '{"a.new.permission":"1"}',
+                //'permissions' => '{"a.new.permission":"1"}',
                 'activated' => true,
                 'phone' => '619-555-5555',
                 'jobtitle' => 'Host',
@@ -136,7 +136,7 @@ class UpdateUserTest extends TestCase
         $this->assertEquals('mabel', $user->username, 'Username was not updated');
         $this->assertTrue(Hash::check('super-secret', $user->password), 'Password was not updated');
         $this->assertEquals('mabel@onlymurderspod.com', $user->email, 'Email was not updated');
-        $this->assertArrayHasKey('a.new.permission', $user->decodePermissions(), 'Permissions were not updated');
+        //$this->assertArrayHasKey('a.new.permission', $user->decodePermissions(), 'Permissions were not updated');
         $this->assertTrue((bool) $user->activated, 'User not marked as activated');
         $this->assertEquals('619-555-5555', $user->phone, 'Phone was not updated');
         $this->assertEquals('Host', $user->jobtitle, 'Job title was not updated');
@@ -162,7 +162,7 @@ class UpdateUserTest extends TestCase
 
     public function testApiUsersCanBeActivatedWithNumber()
     {
-        $admin = User::factory()->superuser()->create();
+        $admin = User::factory()->editUsers()->create();
         $user = User::factory()->create(['activated' => 0]);
 
         $this->actingAsForApi($admin)
@@ -175,7 +175,7 @@ class UpdateUserTest extends TestCase
 
     public function testApiUsersCanBeActivatedWithBooleanTrue()
     {
-        $admin = User::factory()->superuser()->create();
+        $admin = User::factory()->editUsers()->create();
         $user = User::factory()->create(['activated' => false]);
 
         $this->actingAsForApi($admin)
@@ -188,7 +188,7 @@ class UpdateUserTest extends TestCase
 
     public function testApiUsersCanBeDeactivatedWithNumber()
     {
-        $admin = User::factory()->superuser()->create();
+        $admin = User::factory()->editUsers()->create();
         $user = User::factory()->create(['activated' => true]);
 
         $this->actingAsForApi($admin)
@@ -201,7 +201,7 @@ class UpdateUserTest extends TestCase
 
     public function testApiUsersCanBeDeactivatedWithBooleanFalse()
     {
-        $admin = User::factory()->superuser()->create();
+        $admin = User::factory()->editUsers()->create();
         $user = User::factory()->create(['activated' => true]);
 
         $this->actingAsForApi($admin)
@@ -212,6 +212,33 @@ class UpdateUserTest extends TestCase
         $this->assertEquals(0, $user->refresh()->activated);
     }
 
+    public function testEditingUsersCannotEditEscalationFieldsForAdmins()
+    {
+        $hashed_original = Hash::make('!!094850394680980380kfejlskjfl');
+        $hashed_new = Hash::make('!ABCDEFGIJKL123!!!');
+        $admin = User::factory()->editUsers()->create();
+        $user = User::factory()->admin()->create(['username' => 'brandnewuser', 'email'=> 'brandnewemail@example.org', 'password' => $hashed_original, 'activated' => 1]);
+
+
+        $this->assertDatabaseHas('users', [
+            'id' => $user->id,
+            'username' => 'brandnewuser',
+            'email' => 'brandnewemail@example.org',
+            'activated' => 1,
+            'password' => $hashed_original,
+        ]);
+
+        $this->actingAsForApi($admin)
+            ->patch(route('api.users.update', $user), [
+                'username' => 'testnewusername',
+                'email' => 'testnewemail@example.org',
+                'activated' => 0,
+                'password' => $hashed_new,
+            ]);
+
+        $this->assertEquals(0, $user->refresh()->activated);
+
+    }
     public function testUsersScopedToCompanyDuringUpdateWhenMultipleFullCompanySupportEnabled()
     {
         $this->settings->enableMultipleFullCompanySupport();
diff --git a/tests/Feature/Users/Ui/UpdateUserTest.php b/tests/Feature/Users/Ui/UpdateUserTest.php
index 4728531be6..2a82cde3ca 100644
--- a/tests/Feature/Users/Ui/UpdateUserTest.php
+++ b/tests/Feature/Users/Ui/UpdateUserTest.php
@@ -7,17 +7,18 @@ use App\Models\Company;
 use App\Models\User;
 use Error;
 use Tests\TestCase;
+use Illuminate\Support\Facades\Hash;
 
 class UpdateUserTest extends TestCase
 {
     public function testPageRenders()
     {
-        $this->actingAs(User::factory()->superuser()->create())
+        $this->actingAs(User::factory()->editUsers()->create())
             ->get(route('users.edit', User::factory()->create()->id))
             ->assertOk();
     }
 
-    public function testCannotViewEditPageForSoftDeletedUser()
+    public function testCanViewEditPageForSoftDeletedUser()
     {
         $user = User::factory()->trashed()->create();
 
@@ -28,7 +29,7 @@ class UpdateUserTest extends TestCase
 
     public function testUsersCanBeActivatedWithNumber()
     {
-        $admin = User::factory()->superuser()->create();
+        $admin = User::factory()->editUsers()->create();
         $user = User::factory()->create(['activated' => 0]);
 
         $this->actingAs($admin)
@@ -43,7 +44,7 @@ class UpdateUserTest extends TestCase
 
     public function testUsersCanBeActivatedWithBooleanTrue()
     {
-        $admin = User::factory()->superuser()->create();
+        $admin = User::factory()->editUsers()->create();
         $user = User::factory()->create(['activated' => false]);
 
         $this->actingAs($admin)
@@ -58,7 +59,7 @@ class UpdateUserTest extends TestCase
 
     public function testUsersCanBeDeactivatedWithNumber()
     {
-        $admin = User::factory()->superuser()->create();
+        $admin = User::factory()->editUsers()->create();
         $user = User::factory()->create(['activated' => true]);
 
         $this->actingAs($admin)
@@ -73,7 +74,7 @@ class UpdateUserTest extends TestCase
 
     public function testUsersCanBeDeactivatedWithBooleanFalse()
     {
-        $admin = User::factory()->superuser()->create();
+        $admin = User::factory()->editUsers()->create();
         $user = User::factory()->create(['activated' => true]);
 
         $this->actingAs($admin)
@@ -88,7 +89,7 @@ class UpdateUserTest extends TestCase
 
     public function testUsersUpdatingThemselvesDoNotDeactivateTheirAccount()
     {
-        $admin = User::factory()->superuser()->create(['activated' => true]);
+        $admin = User::factory()->editUsers()->create(['activated' => true]);
 
         $this->actingAs($admin)
             ->put(route('users.update', $admin), [
@@ -99,6 +100,87 @@ class UpdateUserTest extends TestCase
         $this->assertEquals(1, $admin->refresh()->activated);
     }
 
+    public function testEditingUsersCannotEditEscalationFieldsForAdmins()
+    {
+        $admin = User::factory()->editUsers()->create(['activated' => true]);
+        $hashed_original = Hash::make('!!094850394680980380kfejlskjfl');
+        $hashed_new = Hash::make('!ABCDEFGIJKL123!!!');
+        $user = User::factory()->admin()->create(['username' => 'brandnewuser', 'email'=> 'brandnewemail@example.org', 'password' => $hashed_original, 'activated' => true]);
+
+        $this->assertDatabaseHas('users', [
+            'id' => $user->id,
+            'username' => 'brandnewuser',
+            'email' => 'brandnewemail@example.org',
+            'activated' => 1,
+            'password' => $hashed_original,
+        ]);
+
+        $this->actingAs($admin)
+            ->put(route('users.update', $user), [
+                'username' => 'testnewusername',
+                'email' => 'testnewemail@example.org',
+                'activated' => 0,
+                'password' => 'super-secret',
+            ]);
+
+        $this->assertDatabaseHas('users', [
+            'id' => $user->id,
+            'username' => $user->username,
+            'email' => $user->email,
+            'activated' => $user->activated,
+            'password' => $hashed_original,
+        ]);
+
+        $this->assertEquals('brandnewuser', $user->refresh()->username);
+        $this->assertEquals('brandnewemail@example.org', $user->refresh()->email);
+        $this->assertEquals(1, $user->refresh()->activated);
+        $this->assertNotEquals(Hash::check('super-secret', $user->password), $user->refresh()->password);
+        $this->assertNotEquals('testnewusername', $user->refresh()->username);
+        $this->assertNotEquals('testnewemail@example.org', $user->refresh()->email);
+        $this->assertNotEquals(0, $user->refresh()->activated);
+        $this->assertNotEquals(Hash::check('super-secret', $user->password), $user->refresh()->password);
+    }
+
+    public function testAdminUsersCannotEditFieldsForSuperAdmins()
+    {
+        $admin = User::factory()->admin()->create(['activated' => true]);
+        $hashed_original = Hash::make('my-awesome-password');
+        $user = User::factory()->superuser()->create(['username' => 'brandnewuser', 'email'=> 'brandnewemail@example.org', 'password' => $hashed_original, 'activated' => true]);
+
+        $this->assertDatabaseHas('users', [
+            'id' => $user->id,
+            'username' => 'brandnewuser',
+            'email' => 'brandnewemail@example.org',
+            'activated' => 1,
+            'password' => $hashed_original,
+        ]);
+
+        $this->actingAs($admin)
+            ->put(route('users.update', $user), [
+                'username' => 'testnewusername',
+                'email' => 'testnewemail@example.org',
+                'activated' => 0,
+                'password' => 'super-secret-new-password',
+            ]);
+
+        $this->assertDatabaseHas('users', [
+            'id' => $user->id,
+            'username' => $user->username,
+            'email' => $user->email,
+            'activated' => $user->activated,
+            'password' => $hashed_original,
+        ]);
+
+        $this->assertEquals('brandnewuser', $user->refresh()->username);
+        $this->assertEquals('brandnewemail@example.org', $user->refresh()->email);
+        $this->assertEquals(1, $user->refresh()->activated);
+        $this->assertTrue(Hash::check('my-awesome-password', $user->password), $user->refresh()->password);
+        $this->assertNotEquals('testnewusername', $user->refresh()->username);
+        $this->assertNotEquals('testnewemail@example.org', $user->refresh()->email);
+        $this->assertNotTrue(Hash::check('super-secret-new-password', $user->password), $user->refresh()->password);
+    }
+
+
     public function testMultiCompanyUserCannotBeMovedIfHasAssetInDifferentCompany()
     {
         $this->settings->enableMultipleFullCompanySupport();

From c232f490bc60d0e7552c5eac8c0c0a2f7c056602 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 20:08:40 +0100
Subject: [PATCH 03/29] Show user log

Signed-off-by: snipe <snipe@snipe.net>
---
 resources/views/users/view.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/users/view.blade.php b/resources/views/users/view.blade.php
index b17f615661..4bb7055a32 100755
--- a/resources/views/users/view.blade.php
+++ b/resources/views/users/view.blade.php
@@ -994,7 +994,7 @@
                     data-sort-order="desc"
                     id="usersHistoryTable"
                     class="table table-striped snipe-table"
-                    data-url="{{ route('api.activity.index', ['target_id' => $user->id, 'target_type' => 'user']) }}"
+                    data-url="{{ route('api.activity.index', ['target_id' => $user->id, 'item_type' => User::class]) }}"
                     data-export-options='{
                 "fileName": "export-{{ str_slug($user->present()->fullName ) }}-history-{{ date('Y-m-d') }}",
                 "ignoreColumn": ["actions","image","change","checkbox","checkincheckout","icon"]

From a98d3fb4dca85c70939e2b1e7a5f7620cb14e71f Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 20:09:17 +0100
Subject: [PATCH 04/29] Check for the format of the permissions (string,
 object, array)

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Models/User.php | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/app/Models/User.php b/app/Models/User.php
index 1cb00cece5..4fc176da30 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -203,11 +203,19 @@ class User extends SnipeModel implements AuthenticatableContract, AuthorizableCo
     {
         $user_groups = $this->groups;
         if (($this->permissions == '') && (count($user_groups) == 0)) {
-
             return false;
         }
 
-        $user_permissions = json_decode($this->permissions, true);
+        $user_permissions = $this->permissions;
+
+        if (is_object($this->permissions)) {
+            $user_permissions = json_decode(json_encode($this->permissions), true);
+        }
+
+        if (is_string($this->permissions)) {
+            $user_permissions = json_decode($this->permissions, true);
+        }
+
 
         $is_user_section_permissions_set = ($user_permissions != '') && array_key_exists($section, $user_permissions);
         //If the user is explicitly granted, return true
@@ -261,6 +269,18 @@ class User extends SnipeModel implements AuthenticatableContract, AuthorizableCo
         return $this->checkPermissionSection('superuser');
     }
 
+    /**
+     * Checks if the user is an admin
+     *
+     * @author A. Gianotto <snipe@snipe.net>
+     * @since  [v8.1.18]
+     * @return bool
+     */
+    public function isAdmin()
+    {
+        return $this->checkPermissionSection('admin');
+    }
+
 
     /**
      * Checks if the user can edit their own profile

From 0fe49e04bf59787bcaaa67321d6c4d156377c2c6 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 20:09:27 +0100
Subject: [PATCH 05/29] Attempt to use a gate here?

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Importer/UserImporter.php | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/app/Importer/UserImporter.php b/app/Importer/UserImporter.php
index 2d5cc3d730..21f7b44086 100644
--- a/app/Importer/UserImporter.php
+++ b/app/Importer/UserImporter.php
@@ -7,6 +7,7 @@ use App\Models\Department;
 use App\Models\Setting;
 use App\Models\User;
 use App\Notifications\WelcomeNotification;
+use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Password;
 
@@ -81,6 +82,7 @@ class UserImporter extends ItemImporter
             $this->item['username'] = $user_formatted_array['username'];
         }
 
+
         // Check if a numeric ID was passed. If it does, use that above all else.
         if ((array_key_exists('id', $this->item) && ($this->item['id'] != "") && (is_numeric($this->item['id']))))  {
             $user = User::find($this->item['id']);
@@ -90,12 +92,22 @@ class UserImporter extends ItemImporter
 
         if ($user) {
 
+            // If the user does not want to update existing values, only add new ones, bail out
             if (! $this->updating) {
                 Log::debug('A matching User '.$this->item['name'].' already exists.  ');
                 return;
             }
+
             $this->log('Updating User');
+
+            // Todo - check that this works
+//            if (!Gate::allows('editCurrentUser', $user)) {
+//                $user->except(['password', 'username', 'email', 'activated']);
+//            }
+
             $user->update($this->sanitizeItemForUpdating($user));
+
+            // Why do we have to do this twice? Update should
             $user->save();
 
             // Update the location of any assets checked out to this user
@@ -116,8 +128,12 @@ class UserImporter extends ItemImporter
         $this->log('No matching user, creating one');
         $user = new User();
         $user->created_by = auth()->id();
+
         $user->fill($this->sanitizeItemForStoring($user));
 
+        // TODO - check for gate here I guess
+
+
         if ($user->save()) {
             $this->log('User '.$this->item['name'].' was created');
 
@@ -143,6 +159,7 @@ class UserImporter extends ItemImporter
         $this->logError($user, 'User');
     }
 
+
     /**
      * Fetch an existing department, or create new if it doesn't exist
      *

From d9a54523883c7828c010e3c3539adb4e7d1ce4d0 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 20:12:10 +0100
Subject: [PATCH 06/29] Defined new gates

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Providers/AuthServiceProvider.php | 46 +++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index 899df2ef14..cf2f97e974 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -108,6 +108,8 @@ class AuthServiceProvider extends ServiceProvider
         });
 
 
+
+
         /**
          * GENERAL GATES
          *
@@ -115,6 +117,49 @@ class AuthServiceProvider extends ServiceProvider
          * use in our controllers to determine if a user has access to a certain area.
          */
 
+        Gate::define('editCurrentUser', function ($user, $item) {
+
+            if ($item instanceof User) {
+                if ($item) {
+
+                    // if they can only edit users, deny them if the user is admin or superadmin
+                    if ($user->hasAccess('users.edit')) {
+                        \Log::debug('User can edit users');
+                        if ($item->isAdmin() || $item->isSuperUser()) {
+                            \Log::debug('User cannot edit admins or superusers');
+                            return false;
+                        }
+
+                        return true;
+                    }
+
+                    // if they are an admin, deny them only if the user is a superadmin
+                    if ($user->hasAccess('admin')) {
+                        \Log::debug('User is an admin');
+                        if ($item->isSuperUser()) {
+                            \Log::debug('User cannot edit superuser');
+                            return false;
+                        }
+
+                        return true;
+                    }
+
+                }
+            }
+        });
+
+
+        /**
+         * Define the demo mode gate so we have an easy way to use @can and Gate::allows()
+         */
+        Gate::define('editableOnDemo', function () {
+            if (config('app.lock_passwords')) {
+                \Log::debug('We are in demo mode');
+                return false;
+            }
+            return true;
+        });
+
         Gate::define('admin', function ($user) {
             if ($user->hasAccess('admin')) {
                 return true;
@@ -249,5 +294,6 @@ class AuthServiceProvider extends ServiceProvider
             return $user->canEditProfile();
         });
 
+
     }
 }

From 599718f84ef11e76f616c6b517c505a6075144a2 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 20:12:32 +0100
Subject: [PATCH 07/29] Use new gates in controllers

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Http/Controllers/Api/UsersController.php  | 17 ++++++++--
 .../Controllers/Users/UsersController.php     | 32 ++++++++++++++-----
 2 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/app/Http/Controllers/Api/UsersController.php b/app/Http/Controllers/Api/UsersController.php
index 15e6f7655e..52fe7184da 100644
--- a/app/Http/Controllers/Api/UsersController.php
+++ b/app/Http/Controllers/Api/UsersController.php
@@ -23,6 +23,7 @@ use App\Notifications\CurrentInventory;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\Storage;
 use Illuminate\Support\Facades\Validator;
 use Illuminate\Support\Facades\Log;
@@ -475,8 +476,20 @@ class UsersController extends Controller
                 return response()->json(Helper::formatStandardApiResponse('error', null, 'You cannot be your own manager'));
             }
 
-            if ($request->filled('password')) {
-                $user->password = bcrypt($request->input('password'));
+            if (Gate::allows('editCurrentUser', $user)) {
+
+                if ($request->filled('password')) {
+                    $user->password = bcrypt($request->input('password'));
+                }
+
+                if ($request->filled('username')) {
+                    $user->username = $request->input('username');
+                }
+
+                if ($request->filled('email')) {
+                    $user->username = $request->input('username');
+                }
+
             }
 
             // We need to use has()  instead of filled()
diff --git a/app/Http/Controllers/Users/UsersController.php b/app/Http/Controllers/Users/UsersController.php
index 943d7e240b..3adc9fee77 100755
--- a/app/Http/Controllers/Users/UsersController.php
+++ b/app/Http/Controllers/Users/UsersController.php
@@ -23,6 +23,7 @@ use Redirect;
 use Str;
 use Symfony\Component\HttpFoundation\StreamedResponse;
 use App\Notifications\CurrentInventory;
+use Illuminate\Support\Facades\Gate;
 
 /**
  * This controller handles all actions related to Users for
@@ -241,14 +242,12 @@ class UsersController extends Controller
         }
 
         // Update the user fields
-        $user->username = trim($request->input('username'));
-        $user->email = trim($request->input('email'));
+
         $user->first_name = $request->input('first_name');
         $user->last_name = $request->input('last_name');
         $user->two_factor_optin = $request->input('two_factor_optin') ?: 0;
         $user->locale = $request->input('locale');
         $user->employee_num = $request->input('employee_num');
-        $user->activated = $request->input('activated', 0);
         $user->jobtitle = $request->input('jobtitle', null);
         $user->phone = $request->input('phone');
         $user->location_id = $request->input('location_id', null);
@@ -260,8 +259,6 @@ class UsersController extends Controller
         $user->city = $request->input('city', null);
         $user->state = $request->input('state', null);
         $user->country = $request->input('country', null);
-        // if a user is editing themselves we should always keep activated true
-        $user->activated = $request->input('activated', $request->user()->is($user) ? 1 : 0);
         $user->zip = $request->input('zip', null);
         $user->remote = $request->input('remote', 0);
         $user->vip = $request->input('vip', 0);
@@ -270,16 +267,35 @@ class UsersController extends Controller
         $user->end_date = $request->input('end_date', null);
         $user->autoassign_licenses = $request->input('autoassign_licenses', 0);
 
+
         // Update the location of any assets checked out to this user
         Asset::where('assigned_type', User::class)
             ->where('assigned_to', $user->id)
             ->update(['location_id' => $request->input('location_id', null)]);
 
-        // Do we want to update the user password?
-        if ($request->filled('password')) {
-            $user->password = bcrypt($request->input('password'));
+
+        // check for permissions related fields and pull them out if the current user cannot edit them
+        if (Gate::allows('editCurrentUser', $user)) {
+
+            \Log::debug('Current user can edit these fields');
+            $user->username = trim($request->input('username'));
+            $user->email = trim($request->input('email'));
+            $user->activated = $request->input('activated', 0);
+
+            // Do we want to update the user password?
+            if ($request->filled('password')) {
+                $user->password = bcrypt($request->input('password'));
+            }
         }
 
+
+        // if a user is editing themselves we should always keep activated true
+        if (auth()->user()->id == $user->id) {
+            \Log::debug('User is editing themselves');
+            $user->activated = 1;
+        }
+
+
         // Update the location of any assets checked out to this user
         Asset::where('assigned_type', User::class)
             ->where('assigned_to', $user->id)

From b3c6fe5369bfefcc9b7628240bc11038fb9c8ee2 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 20:12:46 +0100
Subject: [PATCH 08/29] Use both new gates in user edit

Signed-off-by: snipe <snipe@snipe.net>
---
 resources/views/users/edit.blade.php | 302 +++++++++++++++------------
 1 file changed, 171 insertions(+), 131 deletions(-)

diff --git a/resources/views/users/edit.blade.php b/resources/views/users/edit.blade.php
index 8c1e34d1a0..c52615a312 100755
--- a/resources/views/users/edit.blade.php
+++ b/resources/views/users/edit.blade.php
@@ -78,7 +78,9 @@
       <div class="nav-tabs-custom">
         <ul class="nav nav-tabs">
           <li class="active"><a href="#info" data-toggle="tab">{{ trans('general.information') }} </a></li>
-          <li><a href="#permissions" data-toggle="tab">{{ trans('general.permissions') }} </a></li>
+            @can('admin')
+                <li><a href="#permissions" data-toggle="tab">{{ trans('general.permissions') }} </a></li>
+            @endcan
         </ul>
 
         <div class="tab-content">
@@ -93,138 +95,154 @@
 
                 <!-- Username -->
                 <div class="form-group {{ $errors->has('username') ? 'has-error' : '' }}">
-                  <label class="col-md-3 control-label" for="username">{{ trans('admin/users/table.username') }}</label>
+
+                  <label class="col-md-3 control-label" for="username">
+                      {{ trans('admin/users/table.username') }}
+                  </label>
 
                   <div class="col-md-6">
-                    @if ($user->ldap_import!='1' || str_contains(Route::currentRouteName(), 'clone'))
-                      <input
-                        class="form-control"
-                        type="text"
-                        name="username"
-                        id="username"
-                        value="{{ old('username', $user->username) }}"
-                        autocomplete="off"
-                        maxlength="191"
-                        readonly
-                        {{  (Helper::checkIfRequired($user, 'username')) ? ' required' : '' }}
-                        onfocus="this.removeAttribute('readonly');"
-                        {{ ((config('app.lock_passwords') && ($user->id)) ? ' disabled' : '') }}
-                      >
 
-                    @else
-                        <!-- insert the old username so we don't break validation -->
-                         {{ trans('general.managed_ldap') }}
-                          <input type="hidden" name="username" value="{{ old('username', $user->username) }}">
-                    @endif
-                  </div>
+                      @can('editCurrentUser', $user)
+
+                          @if ($user->ldap_import!='1' || str_contains(Route::currentRouteName(), 'clone'))
+                              <input class="form-control" type="text" name="username" id="username" value="{{ old('username', $user->username) }}" autocomplete="off" maxlength="191" {{  (Helper::checkIfRequired($user, 'username')) ? ' required' : '' }} onfocus="this.removeAttribute('readonly');" readonly {{ (!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '' }}">
+                          @else
+                              <!-- insert the old username so we don't break validation -->
+                              <p class="help-block">
+                                  <x-icon type="locked" />
+                                  {{ trans('general.managed_ldap') }}
+                              </p>
+                              <input type="hidden" name="username" value="{{ old('username', $user->username) }}">
+                          @endif
+
+                      @else
+                          <p class="help-block">
+                              <input type="hidden" name="username" value="{{ old('username', $user->username) }}">
+                              <x-icon type="locked" />
+                              {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.username')]) }}
+                          </p>
+                      @endcan
+                  </div> <!--/col-md-6-->
 
 
-                    @if (config('app.lock_passwords') && ($user->id))
-                        <!-- disallow changing existing usernames on the demo -->
-                        <div class="col-md-8 col-md-offset-3">
-                            <p class="text-warning"><x-icon type="lock" /> {{ trans('general.feature_disabled') }}</p>
-                        </div>
-                    @endif
+                @if (!Gate::allows('editableOnDemo') && ($user->id))
+                    <!-- disallow changing existing usernames on the demo -->
+                    <div class="col-md-8 col-md-offset-3">
+                        <p class="text-warning">
+                            <x-icon type="locked" />
+                            {{ trans('general.feature_disabled') }}
+                        </p>
+                    </div>
+                @endif
 
-                    @if ($errors->first('username'))
-                        <div class="col-md-8 col-md-offset-3">
-                            {!! $errors->first('username', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
-                        </div>
-                    @endif
+                @if ($errors->first('username'))
+                    <div class="col-md-8 col-md-offset-3">
+                        {!! $errors->first('username', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
+                    </div>
+                @endif
 
                 </div>
 
                 <!-- Password -->
                 <div class="form-group {{ $errors->has('password') ? 'has-error' : '' }}">
+
                   <label class="col-md-3 control-label" for="password">
                     {{ trans('admin/users/table.password') }}
                   </label>
+
                   <div class="col-md-6">
-                    @if ($user->ldap_import!='1' || str_contains(Route::currentRouteName(), 'clone') )
-                      <input
-                        type="password"
-                        name="password"
-                        class="form-control"
-                        id="password"
-                        value=""
-                        maxlength="500"
-                        autocomplete="off"
-                        readonly
-                        {{  ((Helper::checkIfRequired($user, 'password')) && (!$user->id)) ? ' required' : '' }}
-                        onfocus="this.removeAttribute('readonly');"
-                        {{ ((config('app.lock_passwords') && ($user->id)) ? ' disabled' : '') }}>
-                    @else
-                      {{ trans('general.managed_ldap') }}
-                    @endif
-                    <span id="generated-password"></span>
-                    {!! $errors->first('password', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
+                      @can('editCurrentUser', $user)
+                        @if ($user->ldap_import!='1' || str_contains(Route::currentRouteName(), 'clone') )
+                          <input type="password" name="password" class="form-control" id="password" value="" maxlength="500" autocomplete="off" onfocus="this.removeAttribute('readonly');" readonly {{  ((Helper::checkIfRequired($user, 'password')) && (!$user->id)) ? ' required' : '' }}{{ (!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '' }}>
+                              <span id="generated-password"></span>
+                              {!! $errors->first('password', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
+                        @else
+                              <p class="form-control-static">
+                              {{ trans('general.managed_ldap') }}
+                              </p>
+                        @endif
+                      @else
+                          <p class="help-block">
+                              <x-icon type="locked" />
+                              {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.password')]) }}
+                          </p>
+                    @endcan
+
                   </div>
+
                   <div class="col-md-2">
-                    @if ($user->ldap_import!='1')
+                    @if (Gate::allows('editCurrentUser', $user) && ($user->ldap_import!='1'))
                       <a href="#" class="left" id="genPassword">{{ trans('general.generate') }}</a>
                     @endif
                   </div>
                 </div>
 
+                @if ((Gate::allows('editCurrentUser', $user) && ($user->ldap_import!='1')) || str_contains(Route::currentRouteName(), 'clone'))
+                    <!-- Password Confirm -->
+                    <div class="form-group {{ $errors->has('password_confirmation') ? 'has-error' : '' }}">
+                      <label class="col-md-3 control-label" for="password_confirmation">
+                        {{ trans('admin/users/table.password_confirm') }}
+                      </label>
+                      <div class="col-md-6">
+                        <input type="password" name="password_confirmation" id="password_confirm" class="form-control" value="" maxlength="500" autocomplete="off" aria-label="password_confirmation" {{  (!$user->id) ? ' required' : '' }} onfocus="this.removeAttribute('readonly');" readonly {{ ((!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '') }}>
 
-                @if ($user->ldap_import!='1' || str_contains(Route::currentRouteName(), 'clone'))
-                <!-- Password Confirm -->
-                <div class="form-group {{ $errors->has('password_confirmation') ? 'has-error' : '' }}">
-                  <label class="col-md-3 control-label" for="password_confirmation">
-                    {{ trans('admin/users/table.password_confirm') }}
-                  </label>
-                  <div class="col-md-6">
-                    <input
-                    type="password"
-                    name="password_confirmation"
-                    id="password_confirm"
-                    class="form-control"
-                    value=""
-                    maxlength="500"
-                    autocomplete="off"
-                    aria-label="password_confirmation"
-                    readonly
-                    {{  (!$user->id) ? ' required' : '' }}
-                    onfocus="this.removeAttribute('readonly');"
-                    {{ ((config('app.lock_passwords') && ($user->id)) ? ' disabled' : '') }}
-                    >
-                    @if (config('app.lock_passwords') && ($user->id))
-                    <p class="help-block">{{ trans('admin/users/table.lock_passwords') }}</p>
-                    @endif
-                    {!! $errors->first('password_confirmation', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
-                  </div>
-                </div>
+                        @if (!Gate::allows('editableOnDemo') && ($user->id))
+                              <p class="text-warning">
+                                  <x-icon type="locked" />
+                                {{ trans('admin/users/table.lock_passwords') }}
+                              </p>
+                        @endif
+                        {!! $errors->first('password_confirmation', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
+                      </div>
+                    </div>
                 @endif
 
               <!-- Activation Status (Can the user login?) -->
                   <div class="form-group {{ $errors->has('activated') ? 'has-error' : '' }}">
                           <div class="col-md-9 col-md-offset-3">
 
-                              <!-- checkbox($name, $value = 1, $checked = null, $options = array() -->
-                              @if (config('app.lock_passwords'))
+                              <!-- disallow changes to the user's login status -->
+                              @if ((!Gate::allows('editableOnDemo')) || (!Gate::allows('editCurrentUser', $user)) || ($user->id == auth()->user()->id))
                                   <!-- demo mode - disallow changes -->
                                   <label class="form-control form-control--disabled">
                                       <input type="checkbox" value="1" name="activated" class="disabled" {{ (old('activated', $user->activated)) == '1' ? ' checked="checked"' : '' }} disabled="disabled" aria-label="activated">
                                       {{ trans('admin/users/general.activated_help_text') }}
-
                                   </label>
-                                  <p class="text-warning"><x-icon type="lock" /> {{ trans('general.feature_disabled') }}</p>
 
-                              @elseif ($user->id === Auth::user()->id)
-                                  <!-- disallow the user from editing their own login status -->
-                                  <label class="form-control form-control--disabled">
-                                      <input type="checkbox" name="activated" value="1" checked disabled aria-label="activated">
-                                      {{ trans('admin/users/general.activated_help_text') }}
-                                  </label>
-                                  <p class="text-warning">{{ trans('admin/users/general.activated_disabled_help_text') }}</p>
+                                  @cannot('editableOnDemo')
+                                      <!-- app is locked -->
+                                      <p class="text-warning">
+                                          <x-icon type="locked" />
+                                          {{ trans('general.feature_disabled') }}
+                                      </p>
+                                  @endcannot
+
+                                  @cannot('editCurrentUser', $user)
+                                  <!-- authed user is an admin or regular user and is trying to edit someone higher -->
+                                      <p class="help-block">
+                                      <x-icon type="locked" />
+                                          {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.login_status')]) }}
+                                  </p>
+                                  @endcannot
+
+                                  @if ($user->id == auth()->user()->id)
+                                      <!-- disallow editing activation on your own account -->
+                                      <p class="help-block">
+                                          <x-icon type="locked" />
+                                          {{ trans('admin/users/general.activated_disabled_help_text') }}
+                                      </p>
+                                  @endcannot
+
                               @else
                                   <!-- everything is normal - as you were -->
                                   <label class="form-control">
                                       <input type="checkbox" value="1" name="activated"{{ ((old('activated') == '1') || ($user->activated) == '1') ? ' checked="checked"' : '' }} aria-label="activated" id="activated">
                                       {{ trans('admin/users/general.activated_help_text') }}
                                   </label>
+
                               @endif
 
+
                           </div>
                   </div>
 
@@ -232,22 +250,22 @@
                 <div class="form-group {{ $errors->has('email') ? 'has-error' : '' }}">
                   <label class="col-md-3 control-label" for="email">{{ trans('admin/users/table.email') }} </label>
                   <div class="col-md-6">
-                    <input
-                      class="form-control"
-                      type="text"
-                      name="email"
-                      id="email"
-                      maxlength="191"
-                      value="{{ old('email', $user->email) }}"
-                      {{ ((config('app.lock_passwords') && ($user->id)) ? ' disabled' : '') }}
-                      autocomplete="off"
-                      readonly
-                      {{  (Helper::checkIfRequired($user, 'email')) ? ' required' : '' }}
-                      onfocus="this.removeAttribute('readonly');">
-                    @if (config('app.lock_passwords') && ($user->id))
-                    <p class="help-block">{{ trans('admin/users/table.lock_passwords') }}</p>
-                    @endif
-                    {!! $errors->first('email', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
+                      @can('editCurrentUser', $user)
+                        <input class="form-control" type="email" name="email" id="email" maxlength="191" value="{{ old('email', $user->email) }}" {{ ((config('app.lock_passwords') && ($user->id)) ? ' disabled' : '') }}
+                          autocomplete="off"
+                          readonly
+                          {{  (Helper::checkIfRequired($user, 'email')) ? ' required' : '' }}
+                          onfocus="this.removeAttribute('readonly');">
+                        @if (config('app.lock_passwords') && ($user->id))
+                        <p class="help-block">{{ trans('admin/users/table.lock_passwords') }}</p>
+                        @endif
+                        {!! $errors->first('email', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
+                          @else
+                          <p class="help-block">
+                              <x-icon type="locked" />
+                                {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.email')]) }}
+                          </p>
+                      @endcan
                   </div>
                 </div>
                   
@@ -274,8 +292,19 @@
                               <!-- everything here should be what is considered optional -->
                               <br>
                               <!-- Company -->
-                              @if (\App\Models\Company::canManageUsersCompanies())
+                              @if ((Gate::allows('editCurrentUser', $user)) && (\App\Models\Company::canManageUsersCompanies()))
                                   @include ('partials.forms.edit.company-select', ['translated_name' => trans('general.select_company'), 'fieldname' => 'company_id'])
+                              @else
+                                  @if ($user->company)
+                                      <div class="form-group">
+                                          <label class="col-md-3 control-label" for="locale">{{ trans('general.company') }}</label>
+                                          <div class="col-md-6">
+                                              <p class="form-control-static">
+                                                  {{ $user->company ? $user->company->name : '' }}
+                                              </p>
+                                          </div>
+                                      </div>
+                                  @endif
                               @endif
 
 
@@ -457,7 +486,7 @@
                                       <div class="form-group">
                                           <div class="col-md-9 col-md-offset-3">
 
-                                              @if (config('app.lock_passwords'))
+                                              @if (!Gate::allows('editableOnDemo'))
 
                                                   <label class="form-control form-control--disabled" for="two_factor_optin">
                                                       <input type="checkbox" value="1" name="two_factor_optin" {{ (old('two_factor_optin', $user->two_factor_optin)) == '1' ? ' checked="checked"' : '' }} aria-label="two_factor_optin" disabled>
@@ -470,7 +499,9 @@
                                                       <input type="checkbox" value="1" name="two_factor_optin" {{ (old('two_factor_optin', $user->two_factor_optin)) == '1' ? ' checked="checked"' : '' }} aria-label="two_factor_optin">
                                                       {{ trans('admin/settings/general.two_factor') }}
                                                   </label>
-                                                  <p class="help-block">{{ trans('admin/users/general.two_factor_admin_optin_help') }}</p>
+                                                  <p class="help-block">
+                                                      {{ trans('admin/users/general.two_factor_admin_optin_help') }}
+                                                  </p>
 
                                               @endif
 
@@ -488,7 +519,9 @@
                                               <span id="two_factor_resetstatus"></span>
                                           </div>
                                           <div class="col-md-8 col-md-offset-3 two_factor_resetrow">
-                                              <p class="help-block">{{ trans('admin/settings/general.two_factor_reset_help') }}</p>
+                                              <p class="help-block">
+                                                  {{ trans('admin/settings/general.two_factor_reset_help') }}
+                                              </p>
                                           </div>
                                       </div>
                                   @endif
@@ -497,11 +530,13 @@
 
                               <!-- Groups -->
                               <div class="form-group{{ $errors->has('groups') ? ' has-error' : '' }}">
-                                  <label class="col-md-3 control-label" for="groups[]"> {{ trans('general.groups') }}</label>
+                                  <label class="col-md-3 control-label" for="groups[]">
+                                      {{ trans('general.groups') }}
+                                  </label>
                                   <div class="col-md-6">
 
                                       @if ($groups->count())
-                                          @if ((Config::get('app.lock_passwords') || (!Auth::user()->isSuperUser())))
+                                          @if ((!Gate::allows('editableOnDemo') || (!Auth::user()->isSuperUser())))
 
                                               @if (count($userGroups->keys()) > 0)
                                                   <ul>
@@ -511,27 +546,30 @@
                                                   </ul>
                                               @endif
 
-                                              <span class="help-block">{{ trans('admin/users/general.group_memberships_helpblock') }}</span>
-                                      @else
-                                       <div class="controls">
-                                        <select
-                                                name="groups[]"
-                                                aria-label="groups[]"
-                                                id="groups[]"
-                                                multiple="multiple"
-                                                class="form-control">
+                                              <p class="help-block">
+                                                  <x-icon type="locked" />
+                                                  {{ trans('admin/users/general.group_memberships_helpblock') }}
+                                              </p>
+                                          @else
+                                               <div class="controls">
+                                                <select
+                                                        name="groups[]"
+                                                        aria-label="groups[]"
+                                                        id="groups[]"
+                                                        multiple="multiple"
+                                                        class="form-control">
 
-                                            @foreach ($groups as $id => $group)
-                                                <option value="{{ $id }}"
-                                                        {{ ($userGroups->keys()->contains($id) ? ' selected="selected"' : '') }}>
-                                                    {{ $group }}
-                                                </option>
-                                            @endforeach
-                                        </select>
+                                                    @foreach ($groups as $id => $group)
+                                                        <option value="{{ $id }}"
+                                                                {{ ($userGroups->keys()->contains($id) ? ' selected="selected"' : '') }}>
+                                                            {{ $group }}
+                                                        </option>
+                                                    @endforeach
+                                                </select>
 
-                                        <span class="help-block">
-                                          {{ trans('admin/users/table.groupnotes') }}
-                                        </span>
+                                            <p class="help-block">
+                                              {{ trans('admin/users/table.groupnotes') }}
+                                            </p>
                                 </div>
                                      @endif
                                @else
@@ -552,6 +590,7 @@
             </div>
           </div><!-- /.tab-pane -->
 
+          @can('admin')
           <div class="tab-pane" id="permissions">
             <div class="col-md-12">
               @if (!Auth::user()->isSuperUser())
@@ -575,6 +614,7 @@
                 @include('partials.forms.edit.permissions-base')
             </table>
           </div><!-- /.tab-pane -->
+          @endcan
         </div><!-- /.tab-content -->
           <x-redirect_submit_options
                   index_route="users.index"

From 0cd5136052265ef78419811564daca98f6f3fd49 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 20:12:52 +0100
Subject: [PATCH 09/29] Added translations

Signed-off-by: snipe <snipe@snipe.net>
---
 resources/lang/en-US/general.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/resources/lang/en-US/general.php b/resources/lang/en-US/general.php
index 433fdd1106..1588669742 100644
--- a/resources/lang/en-US/general.php
+++ b/resources/lang/en-US/general.php
@@ -4,6 +4,7 @@ return [
     '2FA_reset'             => '2FA reset',
     'accessories'			=> 'Accessories',
     'activated'			    => 'Activated',
+    'login_status'		    => 'Login Status',
     'accepted_date'         => 'Date Accepted',
     'accessory'				=> 'Accessory',
     'accessory_report'		=> 'Accessory Report',
@@ -316,6 +317,7 @@ return [
     'upload_filetypes_help' => 'Allowed filetypes are: :allowed_filetypes. Max upload size allowed is :size.',
     'uploaded'              => 'Uploaded',
     'user'					=> 'User',
+    'password'				=> 'Password',
     'accepted'			    => 'accepted',
     'declined'			    => 'declined',
     'declined_note'         => 'Declined Notes',
@@ -476,7 +478,7 @@ return [
     'update_existing_values'    => 'Update Existing Values?',
     'auto_incrementing_asset_tags_disabled_so_tags_required' => 'Generating auto-incrementing asset tags is disabled so all rows need to have the "Asset Tag" column populated.',
     'auto_incrementing_asset_tags_enabled_so_now_assets_will_be_created' => 'Note: Generating auto-incrementing asset tags is enabled so assets will be created for rows that do not have "Asset Tag" populated. Rows that do have "Asset Tag" populated will be updated with the provided information.',
-    'send_welcome_email_to_users'   => ' Send Welcome Email for new Users?',
+    'send_welcome_email_to_users'   => ' Send Welcome Email for new Users? Note that only users with a valid email address and who are marked as activated in your import file will received a welcome.',
     'send_email'                => 'Send Email',
     'call'                      => 'Call number',
     'back_before_importing'     => 'Backup before importing?',

From 1bb5dc7e69b464fb0152534068f82ebcb4e64bea Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 20:40:01 +0100
Subject: [PATCH 10/29] Added one more test

Signed-off-by: snipe <snipe@snipe.net>
---
 tests/Feature/Users/Ui/UpdateUserTest.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tests/Feature/Users/Ui/UpdateUserTest.php b/tests/Feature/Users/Ui/UpdateUserTest.php
index 2a82cde3ca..0c4578343a 100644
--- a/tests/Feature/Users/Ui/UpdateUserTest.php
+++ b/tests/Feature/Users/Ui/UpdateUserTest.php
@@ -11,6 +11,14 @@ use Illuminate\Support\Facades\Hash;
 
 class UpdateUserTest extends TestCase
 {
+
+    public function testRequiresPermission()
+    {
+        $this->actingAs(User::factory()->create())
+            ->get(route('users.edit', User::factory()->create()->id))
+            ->assertForbidden();
+    }
+
     public function testPageRenders()
     {
         $this->actingAs(User::factory()->editUsers()->create())

From a0d2cb8a03c045046fdd1595561dc191078cf527 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 20:47:20 +0100
Subject: [PATCH 11/29] Clearer (if longer) gate name

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Http/Controllers/Api/UsersController.php   |  2 +-
 app/Http/Controllers/Users/UsersController.php |  2 +-
 app/Importer/UserImporter.php                  |  2 +-
 app/Providers/AuthServiceProvider.php          |  2 +-
 resources/views/users/edit.blade.php           | 16 ++++++++--------
 5 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/app/Http/Controllers/Api/UsersController.php b/app/Http/Controllers/Api/UsersController.php
index 52fe7184da..e2c74db3d1 100644
--- a/app/Http/Controllers/Api/UsersController.php
+++ b/app/Http/Controllers/Api/UsersController.php
@@ -476,7 +476,7 @@ class UsersController extends Controller
                 return response()->json(Helper::formatStandardApiResponse('error', null, 'You cannot be your own manager'));
             }
 
-            if (Gate::allows('editCurrentUser', $user)) {
+            if (Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) {
 
                 if ($request->filled('password')) {
                     $user->password = bcrypt($request->input('password'));
diff --git a/app/Http/Controllers/Users/UsersController.php b/app/Http/Controllers/Users/UsersController.php
index 3adc9fee77..ef28f6a497 100755
--- a/app/Http/Controllers/Users/UsersController.php
+++ b/app/Http/Controllers/Users/UsersController.php
@@ -275,7 +275,7 @@ class UsersController extends Controller
 
 
         // check for permissions related fields and pull them out if the current user cannot edit them
-        if (Gate::allows('editCurrentUser', $user)) {
+        if (Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) {
 
             \Log::debug('Current user can edit these fields');
             $user->username = trim($request->input('username'));
diff --git a/app/Importer/UserImporter.php b/app/Importer/UserImporter.php
index 21f7b44086..6a021d2b51 100644
--- a/app/Importer/UserImporter.php
+++ b/app/Importer/UserImporter.php
@@ -101,7 +101,7 @@ class UserImporter extends ItemImporter
             $this->log('Updating User');
 
             // Todo - check that this works
-//            if (!Gate::allows('editCurrentUser', $user)) {
+//            if (!Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) {
 //                $user->except(['password', 'username', 'email', 'activated']);
 //            }
 
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index cf2f97e974..5288a892d0 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -117,7 +117,7 @@ class AuthServiceProvider extends ServiceProvider
          * use in our controllers to determine if a user has access to a certain area.
          */
 
-        Gate::define('editCurrentUser', function ($user, $item) {
+        Gate::define('canEditSensitiveFieldsForCurrentUser', function ($user, $item) {
 
             if ($item instanceof User) {
                 if ($item) {
diff --git a/resources/views/users/edit.blade.php b/resources/views/users/edit.blade.php
index c52615a312..0d34bfbd8a 100755
--- a/resources/views/users/edit.blade.php
+++ b/resources/views/users/edit.blade.php
@@ -102,7 +102,7 @@
 
                   <div class="col-md-6">
 
-                      @can('editCurrentUser', $user)
+                      @can('canEditSensitiveFieldsForCurrentUser', $user)
 
                           @if ($user->ldap_import!='1' || str_contains(Route::currentRouteName(), 'clone'))
                               <input class="form-control" type="text" name="username" id="username" value="{{ old('username', $user->username) }}" autocomplete="off" maxlength="191" {{  (Helper::checkIfRequired($user, 'username')) ? ' required' : '' }} onfocus="this.removeAttribute('readonly');" readonly {{ (!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '' }}">
@@ -151,7 +151,7 @@
                   </label>
 
                   <div class="col-md-6">
-                      @can('editCurrentUser', $user)
+                      @can('canEditSensitiveFieldsForCurrentUser', $user)
                         @if ($user->ldap_import!='1' || str_contains(Route::currentRouteName(), 'clone') )
                           <input type="password" name="password" class="form-control" id="password" value="" maxlength="500" autocomplete="off" onfocus="this.removeAttribute('readonly');" readonly {{  ((Helper::checkIfRequired($user, 'password')) && (!$user->id)) ? ' required' : '' }}{{ (!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '' }}>
                               <span id="generated-password"></span>
@@ -171,13 +171,13 @@
                   </div>
 
                   <div class="col-md-2">
-                    @if (Gate::allows('editCurrentUser', $user) && ($user->ldap_import!='1'))
+                    @if (Gate::allows('canEditSensitiveFieldsForCurrentUser', $user) && ($user->ldap_import!='1'))
                       <a href="#" class="left" id="genPassword">{{ trans('general.generate') }}</a>
                     @endif
                   </div>
                 </div>
 
-                @if ((Gate::allows('editCurrentUser', $user) && ($user->ldap_import!='1')) || str_contains(Route::currentRouteName(), 'clone'))
+                @if ((Gate::allows('canEditSensitiveFieldsForCurrentUser', $user) && ($user->ldap_import!='1')) || str_contains(Route::currentRouteName(), 'clone'))
                     <!-- Password Confirm -->
                     <div class="form-group {{ $errors->has('password_confirmation') ? 'has-error' : '' }}">
                       <label class="col-md-3 control-label" for="password_confirmation">
@@ -202,7 +202,7 @@
                           <div class="col-md-9 col-md-offset-3">
 
                               <!-- disallow changes to the user's login status -->
-                              @if ((!Gate::allows('editableOnDemo')) || (!Gate::allows('editCurrentUser', $user)) || ($user->id == auth()->user()->id))
+                              @if ((!Gate::allows('editableOnDemo')) || (!Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) || ($user->id == auth()->user()->id))
                                   <!-- demo mode - disallow changes -->
                                   <label class="form-control form-control--disabled">
                                       <input type="checkbox" value="1" name="activated" class="disabled" {{ (old('activated', $user->activated)) == '1' ? ' checked="checked"' : '' }} disabled="disabled" aria-label="activated">
@@ -217,7 +217,7 @@
                                       </p>
                                   @endcannot
 
-                                  @cannot('editCurrentUser', $user)
+                                  @cannot('canEditSensitiveFieldsForCurrentUser', $user)
                                   <!-- authed user is an admin or regular user and is trying to edit someone higher -->
                                       <p class="help-block">
                                       <x-icon type="locked" />
@@ -250,7 +250,7 @@
                 <div class="form-group {{ $errors->has('email') ? 'has-error' : '' }}">
                   <label class="col-md-3 control-label" for="email">{{ trans('admin/users/table.email') }} </label>
                   <div class="col-md-6">
-                      @can('editCurrentUser', $user)
+                      @can('canEditSensitiveFieldsForCurrentUser', $user)
                         <input class="form-control" type="email" name="email" id="email" maxlength="191" value="{{ old('email', $user->email) }}" {{ ((config('app.lock_passwords') && ($user->id)) ? ' disabled' : '') }}
                           autocomplete="off"
                           readonly
@@ -292,7 +292,7 @@
                               <!-- everything here should be what is considered optional -->
                               <br>
                               <!-- Company -->
-                              @if ((Gate::allows('editCurrentUser', $user)) && (\App\Models\Company::canManageUsersCompanies()))
+                              @if ((Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) && (\App\Models\Company::canManageUsersCompanies()))
                                   @include ('partials.forms.edit.company-select', ['translated_name' => trans('general.select_company'), 'fieldname' => 'company_id'])
                               @else
                                   @if ($user->company)

From 16d18c79d7564df320e0e83a6c2bd47eba12b522 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 21:03:20 +0100
Subject: [PATCH 12/29] Fixed email editable field

Signed-off-by: snipe <snipe@snipe.net>
---
 resources/views/users/edit.blade.php | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/resources/views/users/edit.blade.php b/resources/views/users/edit.blade.php
index 0d34bfbd8a..e749d1cfd2 100755
--- a/resources/views/users/edit.blade.php
+++ b/resources/views/users/edit.blade.php
@@ -251,11 +251,8 @@
                   <label class="col-md-3 control-label" for="email">{{ trans('admin/users/table.email') }} </label>
                   <div class="col-md-6">
                       @can('canEditSensitiveFieldsForCurrentUser', $user)
-                        <input class="form-control" type="email" name="email" id="email" maxlength="191" value="{{ old('email', $user->email) }}" {{ ((config('app.lock_passwords') && ($user->id)) ? ' disabled' : '') }}
-                          autocomplete="off"
-                          readonly
-                          {{  (Helper::checkIfRequired($user, 'email')) ? ' required' : '' }}
-                          onfocus="this.removeAttribute('readonly');">
+                        <input class="form-control" type="email" name="email" id="email" maxlength="191" value="{{ old('email', $user->email) }}" autocomplete="off"
+                          readonly onfocus="this.removeAttribute('readonly');" {{  (Helper::checkIfRequired($user, 'email')) ? ' required' : '' }}{{ ((!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '') }}>
                         @if (config('app.lock_passwords') && ($user->id))
                         <p class="help-block">{{ trans('admin/users/table.lock_passwords') }}</p>
                         @endif

From bbde2cc4b29ac536e6da6e9893a6a7fa4aaddae2 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 21:04:11 +0100
Subject: [PATCH 13/29] Use history blade component

Signed-off-by: snipe <snipe@snipe.net>
---
 resources/views/users/view.blade.php | 46 +++++++++-------------------
 1 file changed, 14 insertions(+), 32 deletions(-)

diff --git a/resources/views/users/view.blade.php b/resources/views/users/view.blade.php
index 4bb7055a32..2a6776836f 100755
--- a/resources/views/users/view.blade.php
+++ b/resources/views/users/view.blade.php
@@ -987,38 +987,20 @@
           <div class="table-responsive">
 
 
-            <table
-                    data-cookie-id-table="usersHistoryTable"
-                    data-id-table="usersHistoryTable"
-                    data-side-pagination="server"
-                    data-sort-order="desc"
-                    id="usersHistoryTable"
-                    class="table table-striped snipe-table"
-                    data-url="{{ route('api.activity.index', ['target_id' => $user->id, 'item_type' => User::class]) }}"
-                    data-export-options='{
-                "fileName": "export-{{ str_slug($user->present()->fullName ) }}-history-{{ date('Y-m-d') }}",
-                "ignoreColumn": ["actions","image","change","checkbox","checkincheckout","icon"]
-                }'>
-              <thead>
-              <tr>
-                <th data-field="icon" style="width: 40px;" class="hidden-xs" data-formatter="iconFormatter">Icon</th>
-                <th data-field="created_at" data-formatter="dateDisplayFormatter" data-sortable="true">{{ trans('general.date') }}</th>
-                  <th data-field="item" data-formatter="polymorphicItemFormatter">{{ trans('general.item') }}</th>
-                  <th data-field="action_type">{{ trans('general.action') }}</th>
-                  <th data-field="target" data-formatter="polymorphicItemFormatter">{{ trans('general.target') }}</th>
-                  <th data-field="note">{{ trans('general.notes') }}</th>
-                  @if  ($snipeSettings->require_accept_signature=='1')
-                      <th data-field="signature_file" data-visible="false"  data-formatter="imageFormatter">{{ trans('general.signature') }}</th>
-                  @endif
-                  <th data-field="item.serial" data-visible="false">{{ trans('admin/hardware/table.serial') }}</th>
-                  <th data-field="admin" data-formatter="usersLinkObjFormatter">{{ trans('general.created_by') }}</th>
-                  <th data-field="remote_ip" data-visible="false" data-sortable="true">{{ trans('admin/settings/general.login_ip') }}</th>
-                  <th data-field="user_agent" data-visible="false" data-sortable="true">{{ trans('admin/settings/general.login_user_agent') }}</th>
-                  <th data-field="action_source" data-visible="false" data-sortable="true">{{ trans('general.action_source') }}</th>
-
-              </tr>
-              </thead>
-            </table>
+              <table
+                      data-columns="{{ \App\Presenters\HistoryPresenter::dataTableLayout() }}"
+                      class="table table-striped snipe-table"
+                      data-cookie-id-table="UserHistoryTable"
+                      data-id-table="UserHistoryTable"
+                      id="UserHistoryTable"
+                      data-side-pagination="server"
+                      data-sort-order="desc"
+                      data-export-options='{
+                       "fileName": "export-{{ str_slug($user->name) }}-history-{{ date('Y-m-d') }}",
+                       "ignoreColumn": ["actions","image","change","checkbox","checkincheckout","icon"]
+                     }'
+                      data-url="{{ route('api.activity.index', ['target_id' => $user->id, 'item_type' => User::class]) }}">
+              </table>
 
           </div>
         </div><!-- /.tab-pane -->

From e30881239cee992831fe2753986e74ef54222b43 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 21:08:50 +0100
Subject: [PATCH 14/29] A few more clean ups for demo mode

Signed-off-by: snipe <snipe@snipe.net>
---
 resources/views/users/edit.blade.php | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/resources/views/users/edit.blade.php b/resources/views/users/edit.blade.php
index e749d1cfd2..b34624af6a 100755
--- a/resources/views/users/edit.blade.php
+++ b/resources/views/users/edit.blade.php
@@ -105,7 +105,7 @@
                       @can('canEditSensitiveFieldsForCurrentUser', $user)
 
                           @if ($user->ldap_import!='1' || str_contains(Route::currentRouteName(), 'clone'))
-                              <input class="form-control" type="text" name="username" id="username" value="{{ old('username', $user->username) }}" autocomplete="off" maxlength="191" {{  (Helper::checkIfRequired($user, 'username')) ? ' required' : '' }} onfocus="this.removeAttribute('readonly');" readonly {{ (!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '' }}">
+                              <input class="form-control" type="text" name="username" id="username" value="{{ old('username', $user->username) }}" autocomplete="off" maxlength="191" {{  (Helper::checkIfRequired($user, 'username')) ? ' required' : '' }} onfocus="this.removeAttribute('readonly');" readonly {{ ((!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '') }}">
                           @else
                               <!-- insert the old username so we don't break validation -->
                               <p class="help-block">
@@ -171,7 +171,8 @@
                   </div>
 
                   <div class="col-md-2">
-                    @if (Gate::allows('canEditSensitiveFieldsForCurrentUser', $user) && ($user->ldap_import!='1'))
+
+                    @if (Gate::allows('editableOnDemo') && (Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) && ($user->ldap_import!='1'))
                       <a href="#" class="left" id="genPassword">{{ trans('general.generate') }}</a>
                     @endif
                   </div>
@@ -253,9 +254,14 @@
                       @can('canEditSensitiveFieldsForCurrentUser', $user)
                         <input class="form-control" type="email" name="email" id="email" maxlength="191" value="{{ old('email', $user->email) }}" autocomplete="off"
                           readonly onfocus="this.removeAttribute('readonly');" {{  (Helper::checkIfRequired($user, 'email')) ? ' required' : '' }}{{ ((!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '') }}>
-                        @if (config('app.lock_passwords') && ($user->id))
-                        <p class="help-block">{{ trans('admin/users/table.lock_passwords') }}</p>
-                        @endif
+
+                          @if (!Gate::allows('editableOnDemo') && ($user->id))
+                              <p class="text-warning">
+                                  <x-icon type="locked" />
+                                  {{ trans('admin/users/table.lock_passwords') }}
+                              </p>
+                          @endif
+
                         {!! $errors->first('email', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
                           @else
                           <p class="help-block">

From 4f6e40724777df3fb7e231653cda6b5e8d02858b Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Thu, 17 Jul 2025 21:13:13 +0100
Subject: [PATCH 15/29] More consistent language degarding the demo

Signed-off-by: snipe <snipe@snipe.net>
---
 resources/views/users/edit.blade.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/resources/views/users/edit.blade.php b/resources/views/users/edit.blade.php
index b34624af6a..cc58fbc9e8 100755
--- a/resources/views/users/edit.blade.php
+++ b/resources/views/users/edit.blade.php
@@ -130,7 +130,7 @@
                     <div class="col-md-8 col-md-offset-3">
                         <p class="text-warning">
                             <x-icon type="locked" />
-                            {{ trans('general.feature_disabled') }}
+                            {{ trans('admin/users/table.lock_passwords') }}
                         </p>
                     </div>
                 @endif
@@ -166,8 +166,16 @@
                               <x-icon type="locked" />
                               {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.password')]) }}
                           </p>
+
                     @endcan
 
+                      @if (!Gate::allows('editableOnDemo') && ($user->id))
+                          <p class="text-warning">
+                              <x-icon type="locked" />
+                              {{ trans('admin/users/table.lock_passwords') }}
+                          </p>
+                      @endif
+
                   </div>
 
                   <div class="col-md-2">
@@ -214,7 +222,7 @@
                                       <!-- app is locked -->
                                       <p class="text-warning">
                                           <x-icon type="locked" />
-                                          {{ trans('general.feature_disabled') }}
+                                          {{ trans('admin/users/table.lock_passwords') }}
                                       </p>
                                   @endcannot
 

From ca4d3f6bce993e1f4fdef876d0cb880d9cbbfb25 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 18 Jul 2025 12:45:32 +0100
Subject: [PATCH 16/29] Changed gate name, removed debugging

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Http/Controllers/Api/UsersController.php  |  9 ++-
 .../Controllers/Users/UsersController.php     | 13 +---
 app/Providers/AuthServiceProvider.php         | 14 ++--
 resources/views/users/edit.blade.php          | 77 +++++++++++--------
 4 files changed, 60 insertions(+), 53 deletions(-)

diff --git a/app/Http/Controllers/Api/UsersController.php b/app/Http/Controllers/Api/UsersController.php
index e2c74db3d1..32f49089ed 100644
--- a/app/Http/Controllers/Api/UsersController.php
+++ b/app/Http/Controllers/Api/UsersController.php
@@ -476,7 +476,8 @@ class UsersController extends Controller
                 return response()->json(Helper::formatStandardApiResponse('error', null, 'You cannot be your own manager'));
             }
 
-            if (Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) {
+            // check for permissions related fields and pull them out if the current user cannot edit them
+            if (auth()->user()->can('editSensitiveUserFields') && auth()->user()->can('editableOnDemo')) {
 
                 if ($request->filled('password')) {
                     $user->password = bcrypt($request->input('password'));
@@ -487,7 +488,11 @@ class UsersController extends Controller
                 }
 
                 if ($request->filled('email')) {
-                    $user->username = $request->input('username');
+                    $user->email = $request->input('email');
+                }
+
+                if ($request->filled('activated')) {
+                    $user->activated = $request->input('activated');
                 }
 
             }
diff --git a/app/Http/Controllers/Users/UsersController.php b/app/Http/Controllers/Users/UsersController.php
index ef28f6a497..139bfa5cfa 100755
--- a/app/Http/Controllers/Users/UsersController.php
+++ b/app/Http/Controllers/Users/UsersController.php
@@ -13,17 +13,10 @@ use App\Models\Company;
 use App\Models\Group;
 use App\Models\Setting;
 use App\Models\User;
-use Illuminate\Support\Facades\Auth;
-use Illuminate\Database\Eloquent\ModelNotFoundException;
 use Illuminate\Http\Request;
-use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Password;
-use Illuminate\Support\Facades\Storage;
-use Redirect;
-use Str;
 use Symfony\Component\HttpFoundation\StreamedResponse;
 use App\Notifications\CurrentInventory;
-use Illuminate\Support\Facades\Gate;
 
 /**
  * This controller handles all actions related to Users for
@@ -130,7 +123,7 @@ class UsersController extends Controller
         }
         $user->permissions = json_encode($permissions_array);
 
-        // we have to invoke the
+        // we have to invoke the form request here to handle image uploads
         app(ImageUploadRequest::class)->handleImages($user, 600, 'avatar', 'avatars', 'avatar');
 
         session()->put(['redirect_option' => $request->get('redirect_option')]);
@@ -275,9 +268,8 @@ class UsersController extends Controller
 
 
         // check for permissions related fields and pull them out if the current user cannot edit them
-        if (Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) {
+        if (auth()->user()->can('editSensitiveUserFields') && auth()->user()->can('editableOnDemo')) {
 
-            \Log::debug('Current user can edit these fields');
             $user->username = trim($request->input('username'));
             $user->email = trim($request->input('email'));
             $user->activated = $request->input('activated', 0);
@@ -291,7 +283,6 @@ class UsersController extends Controller
 
         // if a user is editing themselves we should always keep activated true
         if (auth()->user()->id == $user->id) {
-            \Log::debug('User is editing themselves');
             $user->activated = 1;
         }
 
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index 5288a892d0..7fa844e127 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -101,7 +101,13 @@ class AuthServiceProvider extends ServiceProvider
          * This is where we set the superadmin permission to allow superadmins to be able to do everything within the system.
          *
          */
-        Gate::before(function ($user) {
+        Gate::before(function ($user, $ability) {
+
+            // Disallow even superadmins to edit non-editable things when in demo mode.
+            // (We have to do this to prevent jerks from trying to break the demo by editing things they shouldn't.)
+            if (($ability == 'editableOnDemo') && (config('app.lock_passwords'))) {
+                return false;
+            }
             if ($user->isSuperUser()) {
                 return true;
             }
@@ -117,14 +123,13 @@ class AuthServiceProvider extends ServiceProvider
          * use in our controllers to determine if a user has access to a certain area.
          */
 
-        Gate::define('canEditSensitiveFieldsForCurrentUser', function ($user, $item) {
+        Gate::define('canEditAuthFields', function ($user, $item) {
 
             if ($item instanceof User) {
                 if ($item) {
 
                     // if they can only edit users, deny them if the user is admin or superadmin
                     if ($user->hasAccess('users.edit')) {
-                        \Log::debug('User can edit users');
                         if ($item->isAdmin() || $item->isSuperUser()) {
                             \Log::debug('User cannot edit admins or superusers');
                             return false;
@@ -135,9 +140,7 @@ class AuthServiceProvider extends ServiceProvider
 
                     // if they are an admin, deny them only if the user is a superadmin
                     if ($user->hasAccess('admin')) {
-                        \Log::debug('User is an admin');
                         if ($item->isSuperUser()) {
-                            \Log::debug('User cannot edit superuser');
                             return false;
                         }
 
@@ -154,7 +157,6 @@ class AuthServiceProvider extends ServiceProvider
          */
         Gate::define('editableOnDemo', function () {
             if (config('app.lock_passwords')) {
-                \Log::debug('We are in demo mode');
                 return false;
             }
             return true;
diff --git a/resources/views/users/edit.blade.php b/resources/views/users/edit.blade.php
index cc58fbc9e8..486be2da19 100755
--- a/resources/views/users/edit.blade.php
+++ b/resources/views/users/edit.blade.php
@@ -101,12 +101,12 @@
                   </label>
 
                   <div class="col-md-6">
-
-                      @can('canEditSensitiveFieldsForCurrentUser', $user)
-
+                      <input type="hidden" name="username" value="{{ old('username', $user->username) }}">
+                    <!-- if the user is not managed by LDAP, or this is a clone operation, allow editing of the username -->
                           @if ($user->ldap_import!='1' || str_contains(Route::currentRouteName(), 'clone'))
-                              <input class="form-control" type="text" name="username" id="username" value="{{ old('username', $user->username) }}" autocomplete="off" maxlength="191" {{  (Helper::checkIfRequired($user, 'username')) ? ' required' : '' }} onfocus="this.removeAttribute('readonly');" readonly {{ ((!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '') }}">
+                              <input class="form-control" type="text" name="username" id="username" value="{{ old('username', $user->username) }}" autocomplete="off" maxlength="191" {{ (Helper::checkIfRequired($user, 'username')) ? ' required' : '' }} onfocus="this.removeAttribute('readonly');" readonly {{ (!Gate::allows('canEditAuthFields', $user)) || ((!Gate::allows('editableOnDemo')) && ($user->id)) ? ' disabled' : '' }}>
                           @else
+
                               <!-- insert the old username so we don't break validation -->
                               <p class="help-block">
                                   <x-icon type="locked" />
@@ -115,13 +115,12 @@
                               <input type="hidden" name="username" value="{{ old('username', $user->username) }}">
                           @endif
 
-                      @else
+                         @cannot('canEditAuthFields', $user)
                           <p class="help-block">
-                              <input type="hidden" name="username" value="{{ old('username', $user->username) }}">
                               <x-icon type="locked" />
                               {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.username')]) }}
                           </p>
-                      @endcan
+                      @endcannot
                   </div> <!--/col-md-6-->
 
 
@@ -151,9 +150,8 @@
                   </label>
 
                   <div class="col-md-6">
-                      @can('canEditSensitiveFieldsForCurrentUser', $user)
                         @if ($user->ldap_import!='1' || str_contains(Route::currentRouteName(), 'clone') )
-                          <input type="password" name="password" class="form-control" id="password" value="" maxlength="500" autocomplete="off" onfocus="this.removeAttribute('readonly');" readonly {{  ((Helper::checkIfRequired($user, 'password')) && (!$user->id)) ? ' required' : '' }}{{ (!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '' }}>
+                          <input type="password" name="password" class="form-control" id="password" value="" maxlength="500" autocomplete="off" onfocus="this.removeAttribute('readonly');" readonly {{  ((Helper::checkIfRequired($user, 'password')) && (!$user->id)) ? ' required' : '' }}{{ (!Gate::allows('canEditAuthFields', $user)) || ((!Gate::allows('editableOnDemo') && ($user->id))) ? ' disabled' : '' }}>
                               <span id="generated-password"></span>
                               {!! $errors->first('password', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
                         @else
@@ -161,13 +159,13 @@
                               {{ trans('general.managed_ldap') }}
                               </p>
                         @endif
-                      @else
+
+                      @cannot('canEditAuthFields', $user)
                           <p class="help-block">
                               <x-icon type="locked" />
                               {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.password')]) }}
                           </p>
-
-                    @endcan
+                      @endcan
 
                       @if (!Gate::allows('editableOnDemo') && ($user->id))
                           <p class="text-warning">
@@ -180,20 +178,27 @@
 
                   <div class="col-md-2">
 
-                    @if (Gate::allows('editableOnDemo') && (Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) && ($user->ldap_import!='1'))
+                    @if (Gate::allows('editableOnDemo') && (Gate::allows('canEditAuthFields', $user)) && ($user->ldap_import!='1'))
                       <a href="#" class="left" id="genPassword">{{ trans('general.generate') }}</a>
                     @endif
                   </div>
                 </div>
 
-                @if ((Gate::allows('canEditSensitiveFieldsForCurrentUser', $user) && ($user->ldap_import!='1')) || str_contains(Route::currentRouteName(), 'clone'))
+                @if (($user->ldap_import!='1') || str_contains(Route::currentRouteName(), 'clone'))
                     <!-- Password Confirm -->
                     <div class="form-group {{ $errors->has('password_confirmation') ? 'has-error' : '' }}">
                       <label class="col-md-3 control-label" for="password_confirmation">
                         {{ trans('admin/users/table.password_confirm') }}
                       </label>
                       <div class="col-md-6">
-                        <input type="password" name="password_confirmation" id="password_confirm" class="form-control" value="" maxlength="500" autocomplete="off" aria-label="password_confirmation" {{  (!$user->id) ? ' required' : '' }} onfocus="this.removeAttribute('readonly');" readonly {{ ((!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '') }}>
+                        <input type="password" name="password_confirmation" id="password_confirm" class="form-control" value="" maxlength="500" autocomplete="off" aria-label="password_confirmation" {{  (!$user->id) ? ' required' : '' }} onfocus="this.removeAttribute('readonly');" readonly {{ (!Gate::allows('canEditAuthFields', $user)) || ((!Gate::allows('editableOnDemo')) && ($user->id)) ? ' disabled' : '' }}>
+
+                      @cannot('canEditAuthFields', $user)
+                          <p class="help-block">
+                              <x-icon type="locked" />
+                              {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.password')]) }}
+                          </p>
+                      @endcan
 
                         @if (!Gate::allows('editableOnDemo') && ($user->id))
                               <p class="text-warning">
@@ -211,13 +216,21 @@
                           <div class="col-md-9 col-md-offset-3">
 
                               <!-- disallow changes to the user's login status -->
-                              @if ((!Gate::allows('editableOnDemo')) || (!Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) || ($user->id == auth()->user()->id))
+                              @if ((!Gate::allows('editableOnDemo')) || (!Gate::allows('canEditAuthFields', $user)) || ($user->id == auth()->user()->id))
                                   <!-- demo mode - disallow changes -->
                                   <label class="form-control form-control--disabled">
                                       <input type="checkbox" value="1" name="activated" class="disabled" {{ (old('activated', $user->activated)) == '1' ? ' checked="checked"' : '' }} disabled="disabled" aria-label="activated">
                                       {{ trans('admin/users/general.activated_help_text') }}
                                   </label>
 
+                                  @cannot('canEditAuthFields', $user)
+                                  <!-- authed user is an admin or regular user and is trying to edit someone higher -->
+                                      <p class="help-block">
+                                      <x-icon type="locked" />
+                                          {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.login_status')]) }}
+                                  </p>
+                                  @endcannot
+
                                   @cannot('editableOnDemo')
                                       <!-- app is locked -->
                                       <p class="text-warning">
@@ -226,14 +239,6 @@
                                       </p>
                                   @endcannot
 
-                                  @cannot('canEditSensitiveFieldsForCurrentUser', $user)
-                                  <!-- authed user is an admin or regular user and is trying to edit someone higher -->
-                                      <p class="help-block">
-                                      <x-icon type="locked" />
-                                          {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.login_status')]) }}
-                                  </p>
-                                  @endcannot
-
                                   @if ($user->id == auth()->user()->id)
                                       <!-- disallow editing activation on your own account -->
                                       <p class="help-block">
@@ -259,11 +264,19 @@
                 <div class="form-group {{ $errors->has('email') ? 'has-error' : '' }}">
                   <label class="col-md-3 control-label" for="email">{{ trans('admin/users/table.email') }} </label>
                   <div class="col-md-6">
-                      @can('canEditSensitiveFieldsForCurrentUser', $user)
                         <input class="form-control" type="email" name="email" id="email" maxlength="191" value="{{ old('email', $user->email) }}" autocomplete="off"
-                          readonly onfocus="this.removeAttribute('readonly');" {{  (Helper::checkIfRequired($user, 'email')) ? ' required' : '' }}{{ ((!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '') }}>
+                          readonly onfocus="this.removeAttribute('readonly');" {{  (Helper::checkIfRequired($user, 'email')) ? ' required' : '' }}{{ (!Gate::allows('canEditAuthFields', $user)) || ((!Gate::allows('editableOnDemo') && ($user->id))) ? ' disabled' : '' }}>
 
-                          @if (!Gate::allows('editableOnDemo') && ($user->id))
+                          @cannot('canEditAuthFields', $user)
+                              <!-- authed user is an admin or regular user and is trying to edit someone higher -->
+                              <p class="help-block">
+                                  <x-icon type="locked" />
+                                  {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.email')]) }}
+                              </p>
+                          @endcannot
+
+
+                            @if (!Gate::allows('editableOnDemo') && ($user->id))
                               <p class="text-warning">
                                   <x-icon type="locked" />
                                   {{ trans('admin/users/table.lock_passwords') }}
@@ -271,12 +284,8 @@
                           @endif
 
                         {!! $errors->first('email', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
-                          @else
-                          <p class="help-block">
-                              <x-icon type="locked" />
-                                {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.email')]) }}
-                          </p>
-                      @endcan
+
+
                   </div>
                 </div>
                   
@@ -303,7 +312,7 @@
                               <!-- everything here should be what is considered optional -->
                               <br>
                               <!-- Company -->
-                              @if ((Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) && (\App\Models\Company::canManageUsersCompanies()))
+                              @if ((Gate::allows('canEditAuthFields', $user)) && (\App\Models\Company::canManageUsersCompanies()))
                                   @include ('partials.forms.edit.company-select', ['translated_name' => trans('general.select_company'), 'fieldname' => 'company_id'])
                               @else
                                   @if ($user->company)

From 1d86a5476fd7493714758fb687113d5559cb8284 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 18 Jul 2025 12:45:43 +0100
Subject: [PATCH 17/29] Updated language

Signed-off-by: snipe <snipe@snipe.net>
---
 resources/lang/en-US/admin/users/table.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/lang/en-US/admin/users/table.php b/resources/lang/en-US/admin/users/table.php
index 094cdbc412..969770b213 100644
--- a/resources/lang/en-US/admin/users/table.php
+++ b/resources/lang/en-US/admin/users/table.php
@@ -17,7 +17,7 @@ return array(
     'last_login'  			=> 'Last Login',
     'last_name'  			=> 'Last Name',
     'location'  			=> 'Location',
-    'lock_passwords'		=> 'Login details cannot be changed on this installation.',
+    'lock_passwords'		=> 'Login details cannot be changed on the demo.',
     'manager' 				=> 'Manager',
     'managed_locations'     => 'Managed Locations',
     'managed_users'         => 'Managed Users',

From ce54b9a7b59e53bd35ef2ec1f161b2dc3c25191c Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 18 Jul 2025 13:16:59 +0100
Subject: [PATCH 18/29] Removed duplicate alert

Signed-off-by: snipe <snipe@snipe.net>
---
 resources/views/users/view.blade.php | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/resources/views/users/view.blade.php b/resources/views/users/view.blade.php
index 2a6776836f..c84acb00b2 100755
--- a/resources/views/users/view.blade.php
+++ b/resources/views/users/view.blade.php
@@ -164,15 +164,6 @@
         <div class="tab-pane active" id="details">
           <div class="row">
 
-            @if ($user->deleted_at!='')
-              <div class="col-md-12">
-                <div class="callout callout-warning">
-                  <i class="icon fas fa-exclamation-triangle"></i>
-                  {{ trans('admin/users/message.user_deleted_warning') }}
-                </div>
-              </div>
-            @endif
-
         <div class="info-stack-container">
             <!-- Start button column -->
             <div class="col-md-3 col-xs-12 col-sm-push-9 info-stack">
@@ -241,7 +232,7 @@
                 @endcan
 
                 @can('update', $user)
-                  @if (($user->activated == '1') && ($user->ldap_import == '0'))
+                  @if ((($user->deleted_at=='')) && ($user->activated == '1') && ($user->ldap_import == '0'))
                   <div class="col-md-12" style="padding-top: 5px;">
                     @if (($user->email != '') && ($user->activated=='1'))
                       <form action="{{ route('users.password',['userId'=> $user->id]) }}" method="POST">

From 66842648edf004fe48a6f524033ae37a89dc1da9 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 18 Jul 2025 13:17:10 +0100
Subject: [PATCH 19/29] Removed debugging

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Providers/AuthServiceProvider.php | 36 ++++++++++++++-------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index 7fa844e127..87540c4ff2 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -126,29 +126,31 @@ class AuthServiceProvider extends ServiceProvider
         Gate::define('canEditAuthFields', function ($user, $item) {
 
             if ($item instanceof User) {
-                if ($item) {
 
-                    // if they can only edit users, deny them if the user is admin or superadmin
-                    if ($user->hasAccess('users.edit')) {
-                        if ($item->isAdmin() || $item->isSuperUser()) {
-                            \Log::debug('User cannot edit admins or superusers');
-                            return false;
-                        }
+                // if they can only edit users, deny them if the user is admin or superadmin
+                if ($user->hasAccess('users.edit')) {
 
-                        return true;
-                    }
-
-                    // if they are an admin, deny them only if the user is a superadmin
-                    if ($user->hasAccess('admin')) {
-                        if ($item->isSuperUser()) {
-                            return false;
-                        }
-
-                        return true;
+                    if ($item->isAdmin() || $item->isSuperUser()) {
+                        return false;
                     }
 
+                    return true;
                 }
+
+                // if they are an admin, deny them only if the user is a superadmin
+                if ($user->hasAccess('admin')) {
+
+                    if ($item->isSuperUser()) {
+                        return false;
+                    }
+
+                    return true;
+                }
+
+                return false;
             }
+
+            return false;
         });
 
 

From 2bd68ec991ddb88f403a441fd14dc10910897693 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 18 Jul 2025 13:17:25 +0100
Subject: [PATCH 20/29] Uncommented importer gate

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Importer/UserImporter.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/app/Importer/UserImporter.php b/app/Importer/UserImporter.php
index 6a021d2b51..31f56602d3 100644
--- a/app/Importer/UserImporter.php
+++ b/app/Importer/UserImporter.php
@@ -101,9 +101,12 @@ class UserImporter extends ItemImporter
             $this->log('Updating User');
 
             // Todo - check that this works
-//            if (!Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) {
-//                $user->except(['password', 'username', 'email', 'activated']);
-//            }
+            if (!Gate::allows('canEditAuthFields', $user)) {
+                unset($user->username);
+                unset($user->email);
+                unset($user->password);
+                unset($user->activated);
+            }
 
             $user->update($this->sanitizeItemForUpdating($user));
 

From c601b8e62cb2b08243c18efb338a8b222e537023 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 18 Jul 2025 16:02:11 +0100
Subject: [PATCH 21/29] Updated test

Signed-off-by: snipe <snipe@snipe.net>
---
 tests/Feature/Users/Ui/UpdateUserTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/Feature/Users/Ui/UpdateUserTest.php b/tests/Feature/Users/Ui/UpdateUserTest.php
index 0c4578343a..982b294a47 100644
--- a/tests/Feature/Users/Ui/UpdateUserTest.php
+++ b/tests/Feature/Users/Ui/UpdateUserTest.php
@@ -293,7 +293,7 @@ class UpdateUserTest extends TestCase
         $this->assertDatabaseHas('users', [
             'id' => $id,
             'first_name' => 'test',
-            'username' => 'test',
+            'username' => $user->username,
             'company_id' => $companyB->id,
         ]);
     }

From 218606fbd66de75ddea33cbe2cb13da28a4fdd26 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 18 Jul 2025 16:02:41 +0100
Subject: [PATCH 22/29] Updated view permissions

Signed-off-by: snipe <snipe@snipe.net>
---
 resources/views/users/view.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/users/view.blade.php b/resources/views/users/view.blade.php
index c84acb00b2..02d62c5372 100755
--- a/resources/views/users/view.blade.php
+++ b/resources/views/users/view.blade.php
@@ -262,7 +262,7 @@
                 @endcan
 
 
-            @can('delete', $user)
+            @can('update', $user)
                   @if ($user->deleted_at=='')
                     <div class="col-md-12" style="padding-top: 30px;">
                         @if ($user->isDeletable())

From 483301db7aa67c926d75e2b059550fb4fa09f736 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 18 Jul 2025 16:02:59 +0100
Subject: [PATCH 23/29] Changed some of the gating logic for demo mode. Sigh.

Signed-off-by: snipe <snipe@snipe.net>
---
 resources/views/users/edit.blade.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/resources/views/users/edit.blade.php b/resources/views/users/edit.blade.php
index 486be2da19..69723a1696 100755
--- a/resources/views/users/edit.blade.php
+++ b/resources/views/users/edit.blade.php
@@ -216,10 +216,10 @@
                           <div class="col-md-9 col-md-offset-3">
 
                               <!-- disallow changes to the user's login status -->
-                              @if ((!Gate::allows('editableOnDemo')) || (!Gate::allows('canEditAuthFields', $user)) || ($user->id == auth()->user()->id))
+                              @if ((!Gate::allows('canEditAuthFields', $user)) || ($user->id == auth()->user()->id) || ($user->id))
                                   <!-- demo mode - disallow changes -->
                                   <label class="form-control form-control--disabled">
-                                      <input type="checkbox" value="1" name="activated" class="disabled" {{ (old('activated', $user->activated)) == '1' ? ' checked="checked"' : '' }} disabled="disabled" aria-label="activated">
+                                      <input type="checkbox" value="1" name="activated" class="disabled" {{ (old('activated', $user->activated)) == '1' ? ' checked="checked"' : '' }} disabled aria-label="activated">
                                       {{ trans('admin/users/general.activated_help_text') }}
                                   </label>
 
@@ -231,13 +231,13 @@
                                   </p>
                                   @endcannot
 
-                                  @cannot('editableOnDemo')
+                                  @if ((auth()->user()->cannot('editableOnDemo')) && ($user->id))
                                       <!-- app is locked -->
                                       <p class="text-warning">
                                           <x-icon type="locked" />
                                           {{ trans('admin/users/table.lock_passwords') }}
                                       </p>
-                                  @endcannot
+                                  @endif
 
                                   @if ($user->id == auth()->user()->id)
                                       <!-- disallow editing activation on your own account -->

From 40e754b8c395d8b9ce707ae3d46546fa94ec05e3 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 18 Jul 2025 16:03:22 +0100
Subject: [PATCH 24/29] Additional criteria for the canEditAuthFields gate

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Providers/AuthServiceProvider.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index 87540c4ff2..114100f288 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -128,18 +128,16 @@ class AuthServiceProvider extends ServiceProvider
             if ($item instanceof User) {
 
                 // if they can only edit users, deny them if the user is admin or superadmin
-                if ($user->hasAccess('users.edit')) {
+                if (($user->hasAccess('users.edit')) && (!$user->isAdmin()) && (!$user->isAdmin())) {
 
                     if ($item->isAdmin() || $item->isSuperUser()) {
                         return false;
                     }
-
                     return true;
                 }
 
                 // if they are an admin, deny them only if the user is a superadmin
                 if ($user->hasAccess('admin')) {
-
                     if ($item->isSuperUser()) {
                         return false;
                     }

From fafd5922905bb947ca160b3d421ce1e44a091f0f Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 18 Jul 2025 16:03:43 +0100
Subject: [PATCH 25/29] Wrap groups and activated into the other
 canEditAuthFields gate

Signed-off-by: snipe <snipe@snipe.net>
---
 .../Controllers/Users/UsersController.php     | 34 ++++++++++---------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/app/Http/Controllers/Users/UsersController.php b/app/Http/Controllers/Users/UsersController.php
index 139bfa5cfa..3bb370e418 100755
--- a/app/Http/Controllers/Users/UsersController.php
+++ b/app/Http/Controllers/Users/UsersController.php
@@ -229,10 +229,6 @@ class UsersController extends Controller
             }
         }
 
-        // Only save groups if the user is a superuser
-        if (auth()->user()->isSuperUser()) {
-            $user->groups()->sync($request->input('groups'));
-        }
 
         // Update the user fields
 
@@ -260,6 +256,9 @@ class UsersController extends Controller
         $user->end_date = $request->input('end_date', null);
         $user->autoassign_licenses = $request->input('autoassign_licenses', 0);
 
+        // Set this here so that we can overwrite it later if the user is an admin or superadmin
+        $user->activated = $request->input('activated', auth()->user()->is($user) ? 1 : $user->activated);
+
 
         // Update the location of any assets checked out to this user
         Asset::where('assigned_type', User::class)
@@ -272,18 +271,27 @@ class UsersController extends Controller
 
             $user->username = trim($request->input('username'));
             $user->email = trim($request->input('email'));
-            $user->activated = $request->input('activated', 0);
+            $user->activated = $request->input('activated', $request->user()->is($user) ? 1 : 0);
 
             // Do we want to update the user password?
             if ($request->filled('password')) {
                 $user->password = bcrypt($request->input('password'));
             }
-        }
 
+            $permissions_array = $request->input('permission');
 
-        // if a user is editing themselves we should always keep activated true
-        if (auth()->user()->id == $user->id) {
-            $user->activated = 1;
+            // Strip out the superuser permission if the user isn't a superadmin
+            if (! auth()->user()->isSuperUser()) {
+                unset($permissions_array['superuser']);
+                $permissions_array['superuser'] = $orig_superuser;
+            }
+
+            $user->permissions = json_encode($permissions_array);
+
+            // Only save groups if the user is a superuser
+            if (auth()->user()->isSuperUser()) {
+                $user->groups()->sync($request->input('groups'));
+            }
         }
 
 
@@ -292,15 +300,9 @@ class UsersController extends Controller
             ->where('assigned_to', $user->id)
             ->update(['location_id' => $user->location_id]);
 
-        $permissions_array = $request->input('permission');
 
-        // Strip out the superuser permission if the user isn't a superadmin
-        if (! auth()->user()->isSuperUser()) {
-            unset($permissions_array['superuser']);
-            $permissions_array['superuser'] = $orig_superuser;
-        }
 
-        $user->permissions = json_encode($permissions_array);
+        \Log::error(print_r($user->permissions, true));
 
         // Handle uploaded avatar
         app(ImageUploadRequest::class)->handleImages($user, 600, 'avatar', 'avatars', 'avatar');

From f0fbb3cf364e1a6744cd68daf169fbe97f49acd0 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 18 Jul 2025 16:31:31 +0100
Subject: [PATCH 26/29] Uncomment permissions test

Signed-off-by: snipe <snipe@snipe.net>
---
 tests/Feature/Users/Api/UpdateUserTest.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/Feature/Users/Api/UpdateUserTest.php b/tests/Feature/Users/Api/UpdateUserTest.php
index a581256dbf..362568b18c 100644
--- a/tests/Feature/Users/Api/UpdateUserTest.php
+++ b/tests/Feature/Users/Api/UpdateUserTest.php
@@ -109,7 +109,7 @@ class UpdateUserTest extends TestCase
                 'password' => 'super-secret',
                 'password_confirmation' => 'super-secret',
                 'email' => 'mabel@onlymurderspod.com',
-                //'permissions' => '{"a.new.permission":"1"}',
+                'permissions' => '{"a.new.permission":"1"}',
                 'activated' => true,
                 'phone' => '619-555-5555',
                 'jobtitle' => 'Host',
@@ -136,7 +136,7 @@ class UpdateUserTest extends TestCase
         $this->assertEquals('mabel', $user->username, 'Username was not updated');
         $this->assertTrue(Hash::check('super-secret', $user->password), 'Password was not updated');
         $this->assertEquals('mabel@onlymurderspod.com', $user->email, 'Email was not updated');
-        //$this->assertArrayHasKey('a.new.permission', $user->decodePermissions(), 'Permissions were not updated');
+        $this->assertArrayHasKey('a.new.permission', $user->decodePermissions(), 'Permissions were not updated');
         $this->assertTrue((bool) $user->activated, 'User not marked as activated');
         $this->assertEquals('619-555-5555', $user->phone, 'Phone was not updated');
         $this->assertEquals('Host', $user->jobtitle, 'Job title was not updated');

From 6ea5693b2feeee52edec85304436baf058dd2471 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Tue, 22 Jul 2025 13:59:58 +0100
Subject: [PATCH 27/29] Updated comment, removed log error statement

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Http/Controllers/Users/UsersController.php | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/app/Http/Controllers/Users/UsersController.php b/app/Http/Controllers/Users/UsersController.php
index 3bb370e418..e97ef4d23d 100755
--- a/app/Http/Controllers/Users/UsersController.php
+++ b/app/Http/Controllers/Users/UsersController.php
@@ -266,7 +266,7 @@ class UsersController extends Controller
             ->update(['location_id' => $request->input('location_id', null)]);
 
 
-        // check for permissions related fields and pull them out if the current user cannot edit them
+        // check for permissions related fields and only set them if the user has permission to edit them
         if (auth()->user()->can('editSensitiveUserFields') && auth()->user()->can('editableOnDemo')) {
 
             $user->username = trim($request->input('username'));
@@ -301,9 +301,6 @@ class UsersController extends Controller
             ->update(['location_id' => $user->location_id]);
 
 
-
-        \Log::error(print_r($user->permissions, true));
-
         // Handle uploaded avatar
         app(ImageUploadRequest::class)->handleImages($user, 600, 'avatar', 'avatars', 'avatar');
         session()->put(['redirect_option' => $request->get('redirect_option')]);

From e0232a8e841b981adfb731c21646252aa3b8c757 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Tue, 22 Jul 2025 14:02:18 +0100
Subject: [PATCH 28/29] Renamed gate

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Http/Controllers/Api/UsersController.php   | 2 +-
 app/Http/Controllers/Users/UsersController.php | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/app/Http/Controllers/Api/UsersController.php b/app/Http/Controllers/Api/UsersController.php
index 32f49089ed..3876bbc795 100644
--- a/app/Http/Controllers/Api/UsersController.php
+++ b/app/Http/Controllers/Api/UsersController.php
@@ -477,7 +477,7 @@ class UsersController extends Controller
             }
 
             // check for permissions related fields and pull them out if the current user cannot edit them
-            if (auth()->user()->can('editSensitiveUserFields') && auth()->user()->can('editableOnDemo')) {
+            if (auth()->user()->can('canEditAuthFields') && auth()->user()->can('editableOnDemo')) {
 
                 if ($request->filled('password')) {
                     $user->password = bcrypt($request->input('password'));
diff --git a/app/Http/Controllers/Users/UsersController.php b/app/Http/Controllers/Users/UsersController.php
index e97ef4d23d..a2cd2d876c 100755
--- a/app/Http/Controllers/Users/UsersController.php
+++ b/app/Http/Controllers/Users/UsersController.php
@@ -265,9 +265,8 @@ class UsersController extends Controller
             ->where('assigned_to', $user->id)
             ->update(['location_id' => $request->input('location_id', null)]);
 
-
         // check for permissions related fields and only set them if the user has permission to edit them
-        if (auth()->user()->can('editSensitiveUserFields') && auth()->user()->can('editableOnDemo')) {
+        if (auth()->user()->can('canEditAuthFields') && auth()->user()->can('editableOnDemo')) {
 
             $user->username = trim($request->input('username'));
             $user->email = trim($request->input('email'));

From a02c62d62c9bbcd980ce304735ddd4a9dffc7a34 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Tue, 22 Jul 2025 14:12:51 +0100
Subject: [PATCH 29/29] Fixed tests

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Http/Controllers/Api/UsersController.php   | 2 +-
 app/Http/Controllers/Users/UsersController.php | 2 +-
 tests/Feature/Users/Ui/UpdateUserTest.php      | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/Http/Controllers/Api/UsersController.php b/app/Http/Controllers/Api/UsersController.php
index 3876bbc795..4d50af6697 100644
--- a/app/Http/Controllers/Api/UsersController.php
+++ b/app/Http/Controllers/Api/UsersController.php
@@ -477,7 +477,7 @@ class UsersController extends Controller
             }
 
             // check for permissions related fields and pull them out if the current user cannot edit them
-            if (auth()->user()->can('canEditAuthFields') && auth()->user()->can('editableOnDemo')) {
+            if (auth()->user()->can('canEditAuthFields', $user) && auth()->user()->can('editableOnDemo')) {
 
                 if ($request->filled('password')) {
                     $user->password = bcrypt($request->input('password'));
diff --git a/app/Http/Controllers/Users/UsersController.php b/app/Http/Controllers/Users/UsersController.php
index a2cd2d876c..8221fc4bd8 100755
--- a/app/Http/Controllers/Users/UsersController.php
+++ b/app/Http/Controllers/Users/UsersController.php
@@ -266,7 +266,7 @@ class UsersController extends Controller
             ->update(['location_id' => $request->input('location_id', null)]);
 
         // check for permissions related fields and only set them if the user has permission to edit them
-        if (auth()->user()->can('canEditAuthFields') && auth()->user()->can('editableOnDemo')) {
+        if (auth()->user()->can('canEditAuthFields', $user) && auth()->user()->can('editableOnDemo')) {
 
             $user->username = trim($request->input('username'));
             $user->email = trim($request->input('email'));
diff --git a/tests/Feature/Users/Ui/UpdateUserTest.php b/tests/Feature/Users/Ui/UpdateUserTest.php
index 982b294a47..723ce5df2e 100644
--- a/tests/Feature/Users/Ui/UpdateUserTest.php
+++ b/tests/Feature/Users/Ui/UpdateUserTest.php
@@ -278,7 +278,7 @@ class UpdateUserTest extends TestCase
         $user->delete();
 
         $response = $this->actingAs(User::factory()->editUsers()->create())
-            ->put(route('users.update', $id), [
+            ->put(route('users.update', $user), [
                 'first_name' => 'test',
                 'username' => 'test',
                 'company_id' => $companyB->id,
@@ -293,7 +293,7 @@ class UpdateUserTest extends TestCase
         $this->assertDatabaseHas('users', [
             'id' => $id,
             'first_name' => 'test',
-            'username' => $user->username,
+            'username' => 'test',
             'company_id' => $companyB->id,
         ]);
     }