Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

First fix for user FMCS scoping #14591

Merged
merged 21 commits into from
Apr 17, 2024
Merged

First fix for user FMCS scoping #14591

Show file tree
Hide file tree
Changes from 19 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
adacdc0
Apply company scoping for users
snipe Apr 10, 2024
989dab6
Moved company scoping methods to group them together
snipe Apr 10, 2024
5829b02
Added translation
snipe Apr 11, 2024
570944a
Updated translation
snipe Apr 11, 2024
a19b86a
Re-ordered scoping for admins, added comments
snipe Apr 11, 2024
f54a94b
Refactorered methods
snipe Apr 11, 2024
460693c
Added comment
snipe Apr 11, 2024
24e87cc
Updated comment
snipe Apr 11, 2024
ed0a441
Refactor destroy method
snipe Apr 11, 2024
710370a
Added scoping for destroy
snipe Apr 11, 2024
0d23d28
Added comments
snipe Apr 11, 2024
c604f08
Small tweaks for troubleshooting :(
snipe Apr 11, 2024
ab3b5ca
Fixed tests
snipe Apr 17, 2024
5e8c129
Revert accidental commit
snipe Apr 17, 2024
86e274f
Added API tests
snipe Apr 17, 2024
c211426
Added strings
snipe Apr 17, 2024
65dd729
Additional gates
snipe Apr 17, 2024
9bb15aa
Added individual gates to keep response consistent with other company…
snipe Apr 17, 2024
4450351
Only sync groups if API user is superadmin
snipe Apr 17, 2024
0fc9fc7
Minor updates to tests
snipe Apr 17, 2024
4c02a63
Removed activated attribute on test users
snipe Apr 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
83 changes: 59 additions & 24 deletions app/Http/Controllers/Api/UsersController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -273,6 +273,7 @@ public function index(Request $request)
$users = $users->withTrashed();
}

// Apply companyable scope
$users = Company::scopeCompanyables($users);


Expand Down Expand Up @@ -403,7 +404,10 @@ public function store(SaveUserRequest $request)
public function show($id)
{
$this->authorize('view', User::class);

$user = User::withCount('assets as assets_count', 'licenses as licenses_count', 'accessories as accessories_count', 'consumables as consumables_count')->findOrFail($id);
$user = Company::scopeCompanyables($user)->find($id);
$this->authorize('update', $user);

return (new UsersTransformer)->transformUser($user);
}
Expand All @@ -423,6 +427,8 @@ public function update(SaveUserRequest $request, $id)
$this->authorize('update', User::class);

$user = User::findOrFail($id);
$user = Company::scopeCompanyables($user)->find($id);
$this->authorize('update', $user);

/**
* This is a janky hack to prevent people from changing admin demo user data on the public demo.
Expand Down Expand Up @@ -459,6 +465,7 @@ public function update(SaveUserRequest $request, $id)
if (! Auth::user()->isSuperUser()) {
unset($permissions_array['superuser']);
}

$user->permissions = $permissions_array;
}

Expand All @@ -481,17 +488,27 @@ public function update(SaveUserRequest $request, $id)

// Check if the request has groups passed and has a value
if ($request->filled('groups')) {

$validator = Validator::make($request->all(), [
'groups.*' => 'integer|exists:permission_groups,id',
]);

if ($validator->fails()){
return response()->json(Helper::formatStandardApiResponse('error', null, $user->getErrors()));
}
$user->groups()->sync($request->input('groups'));

// Only save groups if the user is a superuser
if (Auth::user()->isSuperUser()) {
$user->groups()->sync($request->input('groups'));
}

// The groups field has been passed but it is null, so we should blank it out
} elseif ($request->has('groups')) {
$user->groups()->sync([]);

// Only save groups if the user is a superuser
if (Auth::user()->isSuperUser()) {
$user->groups()->sync($request->input('groups'));
}
}


Expand All @@ -512,37 +529,43 @@ public function update(SaveUserRequest $request, $id)
public function destroy($id)
{
$this->authorize('delete', User::class);
$user = User::findOrFail($id);
$user = User::with('assets', 'assets.model', 'consumables', 'accessories', 'licenses', 'userloc')->withTrashed();
$user = Company::scopeCompanyables($user)->find($id);
$this->authorize('delete', $user);

if (($user->assets) && ($user->assets->count() > 0)) {
return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/users/message.error.delete_has_assets')));
}
if ($user) {

if (($user->licenses) && ($user->licenses->count() > 0)) {
return response()->json(Helper::formatStandardApiResponse('error', null, 'This user still has '.$user->licenses->count().' license(s) associated with them and cannot be deleted.'));
}
$this->authorize('delete', $user);

if (($user->assets) && ($user->assets->count() > 0)) {
return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/users/message.error.delete_has_assets')));
}

if (($user->accessories) && ($user->accessories->count() > 0)) {
return response()->json(Helper::formatStandardApiResponse('error', null, 'This user still has '.$user->accessories->count().' accessories associated with them.'));
}
if (($user->licenses) && ($user->licenses->count() > 0)) {
return response()->json(Helper::formatStandardApiResponse('error', null, 'This user still has ' . $user->licenses->count() . ' license(s) associated with them and cannot be deleted.'));
}

if (($user->managedLocations()) && ($user->managedLocations()->count() > 0)) {
return response()->json(Helper::formatStandardApiResponse('error', null, 'This user still has '.$user->managedLocations()->count().' locations that they manage.'));
}
if (($user->accessories) && ($user->accessories->count() > 0)) {
return response()->json(Helper::formatStandardApiResponse('error', null, 'This user still has ' . $user->accessories->count() . ' accessories associated with them.'));
}

if ($user->delete()) {
if (($user->managedLocations()) && ($user->managedLocations()->count() > 0)) {
return response()->json(Helper::formatStandardApiResponse('error', null, 'This user still has ' . $user->managedLocations()->count() . ' locations that they manage.'));
}

// Remove the user's avatar if they have one
if (Storage::disk('public')->exists('avatars/'.$user->avatar)) {
try {
Storage::disk('public')->delete('avatars/'.$user->avatar);
} catch (\Exception $e) {
\Log::debug($e);
if ($user->delete()) {

// Remove the user's avatar if they have one
if (Storage::disk('public')->exists('avatars/' . $user->avatar)) {
try {
Storage::disk('public')->delete('avatars/' . $user->avatar);
} catch (\Exception $e) {
\Log::debug($e);
}
}
}

return response()->json(Helper::formatStandardApiResponse('success', null, trans('admin/users/message.success.delete')));
return response()->json(Helper::formatStandardApiResponse('success', null, trans('admin/users/message.success.delete')));
}
}

return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/users/message.error.delete')));
Expand All @@ -560,6 +583,11 @@ public function assets(Request $request, $id)
{
$this->authorize('view', User::class);
$this->authorize('view', Asset::class);

$user = User::with('assets', 'assets.model', 'consumables', 'accessories', 'licenses', 'userloc')->withTrashed();
$user = Company::scopeCompanyables($user)->find($id);
$this->authorize('view', $user);

$assets = Asset::where('assigned_to', '=', $id)->where('assigned_type', '=', User::class)->with('model');


Expand Down Expand Up @@ -595,7 +623,10 @@ public function assets(Request $request, $id)
*/
public function emailAssetList(Request $request, $id)
{
$this->authorize('update', User::class);
$user = User::findOrFail($id);
$user = Company::scopeCompanyables($user)->find($id);
$this->authorize('update', $user);

if (empty($user->email)) {
return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/users/message.inventorynotification.error')));
Expand All @@ -619,6 +650,7 @@ public function consumables(Request $request, $id)
$this->authorize('view', User::class);
$this->authorize('view', Consumable::class);
$user = User::findOrFail($id);
$this->authorize('update', $user);
$consumables = $user->consumables;
return (new ConsumablesTransformer)->transformConsumables($consumables, $consumables->count(), $request);
}
Expand All @@ -635,6 +667,7 @@ public function accessories($id)
{
$this->authorize('view', User::class);
$user = User::findOrFail($id);
$this->authorize('view', $user);
$this->authorize('view', Accessory::class);
$accessories = $user->accessories;

Expand All @@ -655,6 +688,7 @@ public function licenses($id)
$this->authorize('view', License::class);

if ($user = User::where('id', $id)->withTrashed()->first()) {
$this->authorize('update', $user);
$licenses = $user->licenses()->get();
return (new LicensesTransformer())->transformLicenses($licenses, $licenses->count());
}
Expand All @@ -678,6 +712,7 @@ public function postTwoFactorReset(Request $request)
if ($request->filled('id')) {
try {
$user = User::find($request->get('id'));
$this->authorize('update', $user);
$user->two_factor_secret = null;
$user->two_factor_enrolled = 0;
$user->saveQuietly();
Expand Down
Loading
Loading