ouyang/snipe-it
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Cleanup controller escaping (#3084)

Browse Source 
* Make delete routes work.  We put a little form in the modal that spoofs the delete field.

* Fix route on creating a user.

* Fix redundant id parameter.

* Port acceptance tests to new urls.

* Initial work on migrating to model based policies instead of global gates.  Will allow for much more detailed permissions bits in the future.

* This needs to stay for the dashboard checks.

* Add user states for permissions to build tests.

* Build up unit tests for gates/permissions.  Move accessories/consumables/assets to policies instead of in authserviceprovider

* Migrate various locations to new syntax.  Update test to be more specific

* Fix functional tests.

Add an artisan command for installing a settings setup on travis-ci

* Try a different id... Need to come up with a better way of passing the id for tests that need an existing one.

* Try to fix travis

* Update urls to use routes and not hardcode old paths.  Also fix some migration errors found along the way.:

* Add a environment for travis functional tests.

* Adjust config file to make travis use it.

* Use redirect()->route instead of redirect()-to

* Dump all failures in the output directory if travis fails.

* Cleanups and minor fixes.

* Adjust the supplier modelfactory to comply with new validation restrictions.

* Some test fixes.

* Locales can be longer than 5 characters according to faker... fex gez_ET.  Increase lenght in mysql and add a validation

* Update test database dump to latest migrations.

* Extend Supplier phone/fax length.

This catches issues found in testing with a phone number with a five digit extension.  fex (356) 654-3024 x36632

Also move away from escaping all values put into eloquent.  Eloquent
already uses PDO parameter binding, and this was leading to names like
Mr Ryan O'Malley turning into an html escaped version of that name when
stored.  All values should be escaped when using {{}}, we'll just have
to be more cautious when we use {!!, but I think we already are?

* Remove additional escaping here, like we did in suppliers controller.

* No need to eager load all of these relationships when we can call the count on the querybuilder directly

* Work on controller cleanup

* Always start from scrach, catches more issues this way.

* Update sql dump.  Remove old code from permissions test.

* Generate a deletable item on demand in the test, rather than relying on one existing.  I think we should probably move to mock all the database stuff at some point..

* More travis related fixes

* Break script into multiple functional lines

* Update all controllers to use the new helper, also cleanup syntax and docblocks along the way.
This commit is contained in:
Daniel Meltzer
2016-12-20 00:00:50 -06:00
committed by snipe
parent cd8c585377
commit 323c3807fa
32 changed files with 1717 additions and 2284 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Http/Controllers/ComponentsController.php
+75 -107
View File
@@ -11,6 +11,7 @@ use App\Models\Asset;
use Auth;
use Config;
use DB;
use DeepCopyTest\H;
use Input;
use Lang;
use Mail;
@@ -37,7 +38,7 @@ class ComponentsController extends Controller
* @author [A. Gianotto] [<snipe@snipe.net>]
* @see ComponentsController::getDatatable() method that generates the JSON response
* @since [v3.0]
* @return View
* @return \Illuminate\Contracts\View\View
*/
public function index()
{
@@ -52,21 +53,17 @@ class ComponentsController extends Controller
* @author [A. Gianotto] [<snipe@snipe.net>]
* @see ComponentsController::postCreate() method that stores the data
* @since [v3.0]
* @return View
* @return \Illuminate\Contracts\View\View
*/
public function create()
{
$this->authorize('create', Component::class);
// Show the page
$category_list = Helper::categoryList('component');
$company_list = Helper::companyList();
$location_list = Helper::locationsList();
return View::make('components/edit')
->with('item', new Component)
->with('category_list', $category_list)
->with('company_list', $company_list)
->with('location_list', $location_list);
->with('category_list', Helper::categoryList('component'))
->with('company_list', Helper::companyList())
->with('location_list', Helper::locationsList());
}
@@ -76,8 +73,8 @@ class ComponentsController extends Controller
* @author [A. Gianotto] [<snipe@snipe.net>]
* @see ComponentsController::getCreate() method that generates the view
* @since [v3.0]
* @return Redirect
*/
* @return \Illuminate\Http\RedirectResponse
*/
public function store()
{
$this->authorize('create', Component::class);
@@ -85,28 +82,28 @@ class ComponentsController extends Controller
$component = new Component();
// Update the component data
$component->name = e(Input::get('name'));
$component->category_id = e(Input::get('category_id'));
$component->location_id = e(Input::get('location_id'));
$component->name = Input::get('name');
$component->category_id = Input::get('category_id');
$component->location_id = Input::get('location_id');
$component->company_id = Company::getIdForCurrentUser(Input::get('company_id'));
$component->order_number = e(Input::get('order_number'));
$component->min_amt = e(Input::get('min_amt'));
$component->serial = e(Input::get('serial'));
$component->order_number = Input::get('order_number');
$component->min_amt = Input::get('min_amt');
$component->serial = Input::get('serial');
if (e(Input::get('purchase_date')) == '') {
if (Input::get('purchase_date') == '') {
$component->purchase_date = null;
} else {
$component->purchase_date = e(Input::get('purchase_date'));
$component->purchase_date = Input::get('purchase_date');
}
if (e(Input::get('purchase_cost')) == '0.00') {
if (Input::get('purchase_cost') == '0.00') {
$component->purchase_cost = null;
} else {
$component->purchase_cost = Helper::ParseFloat(e(Input::get('purchase_cost')));
$component->purchase_cost = Helper::ParseFloat(Input::get('purchase_cost'));
}
$component->qty = e(Input::get('qty'));
$component->user_id = Auth::user()->id;
$component->qty = Input::get('qty');
$component->user_id = Auth::id();
// Was the component created?
if ($component->save()) {
@@ -114,10 +111,7 @@ class ComponentsController extends Controller
// Redirect to the new component page
return redirect()->route('components.index')->with('success', trans('admin/components/message.create.success'));
}
return redirect()->back()->withInput()->withErrors($component->getErrors());
}
/**
@@ -127,8 +121,8 @@ class ComponentsController extends Controller
* @see ComponentsController::postEdit() method that stores the data.
* @since [v3.0]
* @param int $componentId
* @return View
*/
* @return \Illuminate\Contracts\View\View
*/
public function edit($componentId = null)
{
// Check if the component exists
@@ -139,14 +133,10 @@ class ComponentsController extends Controller
$this->authorize('update', $item);
$category_list = Helper::categoryList('component');
$company_list = Helper::companyList();
$location_list = Helper::locationsList();
return View::make('components/edit', compact('item'))
->with('category_list', $category_list)
->with('company_list', $company_list)
->with('location_list', $location_list);
->with('category_list', Helper::categoryList('component'))
->with('company_list', Helper::companyList())
->with('location_list', Helper::locationsList());
}
@@ -157,8 +147,8 @@ class ComponentsController extends Controller
* @see ComponentsController::getEdit() method presents the form.
* @param int $componentId
* @since [v3.0]
* @return Redirect
*/
* @return \Illuminate\Http\RedirectResponse
*/
public function update($componentId = null)
{
// Check if the blog post exists
@@ -171,34 +161,32 @@ class ComponentsController extends Controller
// Update the component data
$component->name = e(Input::get('name'));
$component->category_id = e(Input::get('category_id'));
$component->location_id = e(Input::get('location_id'));
$component->name = Input::get('name');
$component->category_id = Input::get('category_id');
$component->location_id = Input::get('location_id');
$component->company_id = Company::getIdForCurrentUser(Input::get('company_id'));
$component->order_number = e(Input::get('order_number'));
$component->min_amt = e(Input::get('min_amt'));
$component->serial = e(Input::get('serial'));
$component->order_number = Input::get('order_number');
$component->min_amt = Input::get('min_amt');
$component->serial = Input::get('serial');
if (e(Input::get('purchase_date')) == '') {
if (Input::get('purchase_date') == '') {
$component->purchase_date = null;
} else {
$component->purchase_date = e(Input::get('purchase_date'));
$component->purchase_date = Input::get('purchase_date');
}
if (e(Input::get('purchase_cost')) == '0.00') {
if (Input::get('purchase_cost') == '0.00') {
$component->purchase_cost = null;
} else {
$component->purchase_cost = Helper::ParseFloat(e(Input::get('purchase_cost')));
$component->purchase_cost = Helper::ParseFloat(Input::get('purchase_cost'));
}
$component->qty = e(Input::get('qty'));
$component->qty = Input::get('qty');
if ($component->save()) {
return redirect()->route('components.index')->with('success', trans('admin/components/message.update.success'));
}
return redirect()->back()->withInput()->withErrors($component->getErrors());
}
/**
@@ -207,8 +195,8 @@ class ComponentsController extends Controller
* @author [A. Gianotto] [<snipe@snipe.net>]
* @since [v3.0]
* @param int $componentId
* @return Redirect
*/
* @return \Illuminate\Http\RedirectResponse
*/
public function destroy($componentId)
{
if (is_null($component = Component::find($componentId))) {
@@ -216,10 +204,8 @@ class ComponentsController extends Controller
}
$this->authorize('delete', $component);
$component->delete();
return redirect()->route('components.index')->with('success', trans('admin/components/message.delete.success'));
}
public function postBulk($componentId = null)
@@ -242,25 +228,20 @@ class ComponentsController extends Controller
* @see ComponentsController::getDataView() method that generates the JSON response
* @since [v3.0]
* @param int $componentId
* @return View
*/
* @return \Illuminate\Contracts\View\View
*/
public function show($componentId = null)
{
$component = Component::find($componentId);
if (isset($component->id)) {
$this->authorize('view', $component);
return View::make('components/view', compact('component'));
}
// Prepare the error message
$error = trans('admin/components/message.does_not_exist', compact('id'));
// Redirect to the user management page
return redirect()->route('components')->with('error', $error);
}
/**
@@ -270,8 +251,8 @@ class ComponentsController extends Controller
* @see ComponentsController::postCheckout() method that stores the data.
* @since [v3.0]
* @param int $componentId
* @return View
*/
* @return \Illuminate\Contracts\View\View
*/
public function getCheckout($componentId)
{
// Check if the component exists
@@ -279,25 +260,20 @@ class ComponentsController extends Controller
// Redirect to the component management page with error
return redirect()->route('components.index')->with('error', trans('admin/components/message.not_found'));
}
$this->authorize('checkout', $component);
// Get the dropdown of assets and then pass it to the checkout view
$assets_list = Helper::detailedAssetList();
return View::make('components/checkout', compact('component'))->with('assets_list', $assets_list);
return View::make('components/checkout', compact('component'))->with('assets_list', Helper::detailedAssetList());
}
/**
* Validate and store checkout data.
*
* @author [A. Gianotto] [<snipe@snipe.net>]
* @see ComponentsController::getCheckout() method that returns the form.
* @since [v3.0]
* @param int $componentId
* @return Redirect
*/
* Validate and store checkout data.
*
* @author [A. Gianotto] [<snipe@snipe.net>]
* @see ComponentsController::getCheckout() method that returns the form.
* @since [v3.0]
* @param Request $request
* @param int $componentId
* @return \Illuminate\Http\RedirectResponse
*/
public function postCheckout(Request $request, $componentId)
{
// Check if the component exists
@@ -332,12 +308,13 @@ class ComponentsController extends Controller
// Update the component data
$component->asset_id = $asset_id;
$component->assets()->attach($component->id, array(
'component_id' => $component->id,
'user_id' => $admin_user->id,
'created_at' => date('Y-m-d H:i:s'),
'assigned_qty' => e(Input::get('assigned_qty')),
'asset_id' => $asset_id));
$component->assets()->attach($component->id, [
'component_id' => $component->id,
'user_id' => $admin_user->id,
'created_at' => date('Y-m-d H:i:s'),
'assigned_qty' => Input::get('assigned_qty'),
'asset_id' => $asset_id
]);
$logaction = $component->logCheckout(e(Input::get('note')), $asset_id);
@@ -377,9 +354,6 @@ class ComponentsController extends Controller
}
return redirect()->route('components.index')->with('success', trans('admin/components/message.checkout.success'));
}
@@ -402,17 +376,8 @@ class ComponentsController extends Controller
$components = $components->TextSearch(Input::get('search'));
}
if (Input::has('offset')) {
$offset = e(Input::get('offset'));
} else {
$offset = 0;
}
if (Input::has('limit')) {
$limit = e(Input::get('limit'));
} else {
$limit = 50;
}
$offset = request('offset', 0);
$limit = request('limit', 50);
$allowed_columns = ['id','name','min_amt','order_number','serial','purchase_date','purchase_cost','companyName','category','total_qty'];
$order = Input::get('order') === 'asc' ? 'asc' : 'desc';
@@ -433,7 +398,7 @@ class ComponentsController extends Controller
break;
}
$consumCount = $components->count();
$componentsCount = $components->count();
$components = $components->skip($offset)->take($limit)->get();
$rows = array();
@@ -441,18 +406,21 @@ class ComponentsController extends Controller
foreach ($components as $component) {
$actions = '<nobr>';
if (Gate::allows('checkout', $component)) {
$actions .= '<a href="' . route('checkout/component',
$component->id) . '" style="margin-right:5px;" class="btn btn-info btn-sm ' . (($component->numRemaining() > 0) ? '' : ' disabled') . '" ' . (($component->numRemaining() > 0) ? '' : ' disabled') . '>' . trans('general.checkout') . '</a>';
$actions .= Helper::generateDatatableButton('checkout', route('checkout/component', $component->id), $component->numRemaining() > 0);
}
if (Gate::allows('edit', $component)) {
$actions .= '<a href="' . route('components.edit',
$component->id) . '" class="btn btn-warning btn-sm" style="margin-right:5px;"><i class="fa fa-pencil icon-white"></i></a>';
if (Gate::allows('update', $component)) {
$actions .= Helper::generateDatatableButton('edit', route('components.edit', $component->id));
}
if (Gate::allows('delete', $component)) {
$actions .= '<a data-html="false" class="btn delete-asset btn-danger btn-sm" data-toggle="modal" href="' . route('components.destroy',
$component->id) . '" data-content="' . trans('admin/components/message.delete.confirm') . '" data-title="' . trans('general.delete') . ' ' . htmlspecialchars($component->name) . '?" onClick="return false;"><i class="fa fa-trash icon-white"></i></a>';
$actions .= Helper::generateDatatableButton(
'delete',
route('components.destroy', $component->id),
true, /* enabled */
trans('admin/components/message.delete.confirm'),
$component->name
);
}
$actions .='</nobr>';
@@ -476,7 +444,7 @@ class ComponentsController extends Controller
);
}
$data = array('total' => $consumCount, 'rows' => $rows);
$data = array('total' => $componentsCount, 'rows' => $rows);
return $data;