From e639d7726b0669e22503e302084dfb345e84572b Mon Sep 17 00:00:00 2001
From: Marcus Moore
Date: Wed, 17 Sep 2025 14:32:27 -0700
Subject: [PATCH] Disallow bulk checkout across companies
---
 .../Controllers/Assets/BulkAssetsController.php | 15 +++++++++++++++
 .../Checkouts/Ui/BulkAssetCheckoutTest.php | 4 ++--
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/app/Http/Controllers/Assets/BulkAssetsController.php b/app/Http/Controllers/Assets/BulkAssetsController.php
index 6c75ae06db..90e306d8c3 100644
--- a/app/Http/Controllers/Assets/BulkAssetsController.php
+++ b/app/Http/Controllers/Assets/BulkAssetsController.php
@@ -647,6 +647,21 @@ class BulkAssetsController extends Controller
 $assets = Asset::findOrFail($asset_ids);
+ if (Setting::getSettings()->full_multiple_companies_support && $target->company_id) {
+ $company_ids = $assets->pluck('company_id')->unique();
+
+ // if there is more than one unique company id or the singular company id does not match
+ // then the checkout is invalid
+ if ($company_ids->count() > 1 || $company_ids->first() != $target->company_id) {
+ // keep the session data around for the redirect so the assets select is re-populated
+ session()->reflash();
+
+ return redirect(route('hardware.bulkcheckout.show'))
+ // @todo: improve message and translate
+ ->with('error', 'One or more of the assets has a company mismatch.');
+ }
+ }
+
 if (request('checkout_to_type') == 'asset') {
 foreach ($asset_ids as $asset_id) {
 if ($target->id == $asset_id) {
diff --git a/tests/Feature/Checkouts/Ui/BulkAssetCheckoutTest.php b/tests/Feature/Checkouts/Ui/BulkAssetCheckoutTest.php
index 8d90e15b5a..b28e38f018 100644
--- a/tests/Feature/Checkouts/Ui/BulkAssetCheckoutTest.php
+++ b/tests/Feature/Checkouts/Ui/BulkAssetCheckoutTest.php
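Review bot: In BulkAssetsController.php the new company check is gated on `&& $target->company_id`, so with full multiple company support enabled the guard never runs for a target that has no company, and such a target can still receive assets from any mix of companies. If company-less targets are meant to be exempt, a comment on the outer `if` should say so; otherwise reduce the condition to `if (Setting::getSettings()->full_multiple_companies_support) {` so that `$company_ids->first() != $target->company_id` is also evaluated for a null target company, which would then accept only assets that have no company either. The comparison is loose (`!=`), which tolerates string/int differences between ids but also treats `null` and `0` as equal, and that is worth stating in the comment above it. The enclosing method begins before the hunk and continues past it, so how `$target` is resolved and whether the acting user's own company is checked elsewhere are not visible here.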
@@ -121,8 +121,8 @@ class BulkAssetCheckoutTest extends TestCase
 ],
 'checkout_to_type' => 'user',
 'assigned_user' => $userInCompanyA->id,
- ]);
- // @todo: assert session has error message and redirect back
+ ])
+ ->assertRedirectToRoute('hardware.bulkcheckout.show');
 // ensure bulk checkout is blocked
 $this->assertNull($assetForCompanyA->fresh()->assigned_to, 'Asset was checked out across companies.');
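Review bot: In BulkAssetCheckoutTest.php the new chain asserts only the redirect target, although the removed `@todo` also asked for the error message to be checked; a redirect to `hardware.bulkcheckout.show` does not by itself show that the company check was what rejected the request. Chaining `->assertSessionHas('error')` onto the response would pin that. The visible case posts `'checkout_to_type' => 'user'` only, while the controller check runs before the `checkout_to_type` branch and so also applies to other target types such as `asset`; cases for those would be worth adding if they are not already present outside this hunk. The test method begins before the hunk.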