mirror/snipe-it
3
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2026-03-30 04:14:17 +00:00
Code Issues Projects Releases Wiki Activity

Adds permission checks for custom fields and custom fieldsets (#5645) (#5795)

Browse Source 
* adds permission checks to custom fields

* adds permission checks to custom fieldsets

* adds separate permissions for custom fieldsets

* check for permissions in views

* Removes custom fieldsets from permissions config

* Proxy the authorization for custom fieldsets down to custom fields.

This allows us to use the existing permissions in use and have more semantically correct authorization checks for custom fieldsets.

* simplifies the authorization check for the custom fields overview

* removes special handling of custom fieldsets in base policy

I just realised that this code duplicates the logic from the custom fieldset policy.
Since we are checking for the authorization of custom fields anyway, we can just use the columnName for the fields.

* cleanup of unused imports
This commit is contained in:
Till Deeke
2018-07-13 03:28:20 +02:00
committed by snipe
parent 48bbbe0f40
commit 27699aa99c
8 changed files with 80 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
app/Http/Controllers/CustomFieldsetsController.php
View File

@ -38,6 +38,8 @@ class CustomFieldsetsController extends Controller
{
$cfset = CustomFieldset::with('fields')->where('id', '=', $id)->orderBy('id', 'ASC')->first();
$this->authorize('view', $cfset);
if ($cfset) {
$custom_fields_list = ["" => "Add New Field to Fieldset"] + CustomField::pluck("name", "id")->toArray();
@ -68,6 +70,8 @@ class CustomFieldsetsController extends Controller
*/
public function create()
{
$this->authorize('create', CustomFieldset::class);
return view("custom_fields.fieldsets.edit");
}
@ -81,6 +85,8 @@ class CustomFieldsetsController extends Controller
*/
public function store(Request $request)
{
$this->authorize('create', CustomFieldset::class);
$cfset = new CustomFieldset(
[
"name" => e($request->get("name")),
@ -141,6 +147,8 @@ class CustomFieldsetsController extends Controller
{
$fieldset = CustomFieldset::find($id);
$this->authorize('delete', $fieldset);
if ($fieldset) {
$models = AssetModel::where("fieldset_id", "=", $id);
if ($models->count() == 0) {
@ -169,6 +177,8 @@ class CustomFieldsetsController extends Controller
$set = CustomFieldset::find($id);
$this->authorize('update', $set);
foreach ($set->fields as $field) {
if ($field->id == Input::get('field_id')) {
return redirect()->route("fieldsets.show", [$id])->withInput()->withErrors(['field_id' => trans('admin/custom_fields/message.field.already_added')]);