Fixing authorization issues (#5807)
* adds permission checks for companies * adds permission checks for depreciations * adds permission check for all reports * fixes permissions for departments * fixes permission naming (edit -> update) * fixes authorization checking wrong permission in API The authorization was checking for the non-existent „edit“ method where it should have checked for the „update“ method. * adds authorization checks for select2 lists * adds missing authorization checks for api * fixes user authorization check for creating users * adds additional check viewing assets on showing a users assets * Removes authorization checks for select2 lists Reference: https://github.com/snipe/snipe-it/pull/5807#pullrequestreview-136018755
This commit is contained in:
@@ -101,7 +101,7 @@ class StatuslabelsController extends Controller
|
||||
*/
|
||||
public function update(Request $request, $id)
|
||||
{
|
||||
$this->authorize('edit', Statuslabel::class);
|
||||
$this->authorize('update', Statuslabel::class);
|
||||
$statuslabel = Statuslabel::findOrFail($id);
|
||||
|
||||
$request->except('deployable', 'pending','archived');
|
||||
@@ -160,6 +160,7 @@ class StatuslabelsController extends Controller
|
||||
|
||||
public function getAssetCountByStatuslabel()
|
||||
{
|
||||
$this->authorize('view', Statuslabel::class);
|
||||
|
||||
$statuslabels = Statuslabel::with('assets')->groupBy('id')->withCount('assets')->get();
|
||||
|
||||
@@ -237,6 +238,9 @@ class StatuslabelsController extends Controller
|
||||
*/
|
||||
public function checkIfDeployable($id) {
|
||||
$statuslabel = Statuslabel::findOrFail($id);
|
||||
|
||||
$this->authorize('view', $statuslabel);
|
||||
|
||||
if ($statuslabel->getStatuslabelType()=='deployable') {
|
||||
return '1';
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user