From ca4d3f6bce993e1f4fdef876d0cb880d9cbbfb25 Mon Sep 17 00:00:00 2001 From: snipe Date: Fri, 18 Jul 2025 12:45:32 +0100 Subject: [PATCH] Changed gate name, removed debugging Signed-off-by: snipe --- app/Http/Controllers/Api/UsersController.php | 9 ++- .../Controllers/Users/UsersController.php | 13 +--- app/Providers/AuthServiceProvider.php | 14 ++-- resources/views/users/edit.blade.php | 77 +++++++++++-------- 4 files changed, 60 insertions(+), 53 deletions(-) diff --git a/app/Http/Controllers/Api/UsersController.php b/app/Http/Controllers/Api/UsersController.php index e2c74db3d1..32f49089ed 100644 --- a/app/Http/Controllers/Api/UsersController.php +++ b/app/Http/Controllers/Api/UsersController.php @@ -476,7 +476,8 @@ class UsersController extends Controller return response()->json(Helper::formatStandardApiResponse('error', null, 'You cannot be your own manager')); } - if (Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) { + // check for permissions related fields and pull them out if the current user cannot edit them + if (auth()->user()->can('editSensitiveUserFields') && auth()->user()->can('editableOnDemo')) { if ($request->filled('password')) { $user->password = bcrypt($request->input('password')); @@ -487,7 +488,11 @@ class UsersController extends Controller } if ($request->filled('email')) { - $user->username = $request->input('username'); + $user->email = $request->input('email'); + } + + if ($request->filled('activated')) { + $user->activated = $request->input('activated'); } } diff --git a/app/Http/Controllers/Users/UsersController.php b/app/Http/Controllers/Users/UsersController.php index ef28f6a497..139bfa5cfa 100755 --- a/app/Http/Controllers/Users/UsersController.php +++ b/app/Http/Controllers/Users/UsersController.php 
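Review bot: The ability checked on the new line, `editSensitiveUserFields`, is not the one this commit defines — AuthServiceProvider renames the gate to `canEditAuthFields`, and edit.blade.php checks that name — and the target `$user` is no longer passed, so the per-target rules in that gate (a users.edit-only caller may not touch admins or superadmins, an admin may not touch a superadmin) are never consulted. Unless `editSensitiveUserFields` is defined somewhere this diff does not show, Laravel treats an undefined ability as denied for everyone except superadmins (who pass via the `Gate::before` hook), so the practical effect is that only superadmins can change password, email and activated through the API while the view still enables those fields for ordinary admins. Suggested: `if (auth()->user()->can('canEditAuthFields', $user) && auth()->user()->can('editableOnDemo')) {`. The same mismatch is in the @@ -275 hunk of app/Http/Controllers/Users/UsersController.php. The enclosing update method begins and ends outside the hunk.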
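Review bot: `$user->activated = $request->input('activated');` in the second hunk stores the raw request value, whereas the web controller's equivalent reads `$request->input('activated', 0)` and additionally forces `activated = 1` when a user edits their own account; no such self-edit guard is visible in this API hunk. If none exists elsewhere in update(), an authenticated caller with these permissions can deactivate their own account through the API, which the web path deliberately prevents. Consider normalising the value, e.g. `$user->activated = $request->boolean('activated') ? 1 : 0;`, and mirroring the self-edit rule. The enclosing method begins and ends outside the hunk.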
@@ -13,17 +13,10 @@ use App\Models\Company; use App\Models\Group; use App\Models\Setting; use App\Models\User; -use Illuminate\Support\Facades\Auth; -use Illuminate\Database\Eloquent\ModelNotFoundException; use Illuminate\Http\Request; -use Illuminate\Support\Facades\Log; use Illuminate\Support\Facades\Password; -use Illuminate\Support\Facades\Storage; -use Redirect; -use Str; use Symfony\Component\HttpFoundation\StreamedResponse; use App\Notifications\CurrentInventory; -use Illuminate\Support\Facades\Gate; /** * This controller handles all actions related to Users for @@ -130,7 +123,7 @@ class UsersController extends Controller } $user->permissions = json_encode($permissions_array); - // we have to invoke the + // we have to invoke the form request here to handle image uploads app(ImageUploadRequest::class)->handleImages($user, 600, 'avatar', 'avatars', 'avatar'); session()->put(['redirect_option' => $request->get('redirect_option')]); @@ -275,9 +268,8 @@ class UsersController extends Controller // check for permissions related fields and pull them out if the current user cannot edit them - if (Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) { + if (auth()->user()->can('editSensitiveUserFields') && auth()->user()->can('editableOnDemo')) { - \Log::debug('Current user can edit these fields'); $user->username = trim($request->input('username')); $user->email = trim($request->input('email')); $user->activated = $request->input('activated', 0); @@ -291,7 +283,6 @@ class UsersController extends Controller // if a user is editing themselves we should always keep activated true if (auth()->user()->id == $user->id) { - \Log::debug('User is editing themselves'); $user->activated = 1; } diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php index 5288a892d0..7fa844e127 100644 --- a/app/Providers/AuthServiceProvider.php +++ b/app/Providers/AuthServiceProvider.php 
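Review bot: The @@ -13 hunk removes the `use` lines for Auth, Log, Storage, Redirect, Str, ModelNotFoundException and Gate, but only the `Gate::allows` call is shown being replaced; nothing in this diff demonstrates that the other symbols are unreferenced in the rest of the file. `Redirect` and `Str` in particular are root-namespace aliases, so any surviving `Redirect::` or `Str::` call in this namespaced controller would now resolve to a non-existent class at runtime rather than at compile time; a grep of the file before merge is cheap insurance. The gate check in the @@ -275 hunk has the ability-name mismatch already raised on the API controller. The update method continues outside these hunks.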
@@ -101,7 +101,13 @@ class AuthServiceProvider extends ServiceProvider * This is where we set the superadmin permission to allow superadmins to be able to do everything within the system. * */ - Gate::before(function ($user) { + Gate::before(function ($user, $ability) { + + // Disallow even superadmins to edit non-editable things when in demo mode. + // (We have to do this to prevent jerks from trying to break the demo by editing things they shouldn't.) + if (($ability == 'editableOnDemo') && (config('app.lock_passwords'))) { + return false; + } if ($user->isSuperUser()) { return true; } @@ -117,14 +123,13 @@ class AuthServiceProvider extends ServiceProvider * use in our controllers to determine if a user has access to a certain area. */ - Gate::define('canEditSensitiveFieldsForCurrentUser', function ($user, $item) { + Gate::define('canEditAuthFields', function ($user, $item) { if ($item instanceof User) { if ($item) { // if they can only edit users, deny them if the user is admin or superadmin if ($user->hasAccess('users.edit')) { - \Log::debug('User can edit users'); if ($item->isAdmin() || $item->isSuperUser()) { \Log::debug('User cannot edit admins or superusers'); return false; @@ -135,9 +140,7 @@ class AuthServiceProvider extends ServiceProvider // if they are an admin, deny them only if the user is a superadmin if ($user->hasAccess('admin')) { - \Log::debug('User is an admin'); if ($item->isSuperUser()) { - \Log::debug('User cannot edit superuser'); return false; } @@ -154,7 +157,6 @@ class AuthServiceProvider extends ServiceProvider */ Gate::define('editableOnDemo', function () { if (config('app.lock_passwords')) { - \Log::debug('We are in demo mode'); return false; } return true; diff --git a/resources/views/users/edit.blade.php b/resources/views/users/edit.blade.php index cc58fbc9e8..486be2da19 100755 --- a/resources/views/users/edit.blade.php +++ b/resources/views/users/edit.blade.php @@ -101,12 +101,12 @@
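Review bot: `$ability == 'editableOnDemo'` in the new `Gate::before` hook is a loose comparison on a value that is always a string; `if ($ability === 'editableOnDemo' && config('app.lock_passwords')) {` states the same rule without the `==` coercion surprise. Because a before-callback that returns non-null short-circuits the ability callback, the `config('app.lock_passwords')` branch inside the `editableOnDemo` definition in the @@ -154 hunk can no longer be reached; either drop it or add a comment there saying the before hook is the enforcement point. The @@ -117 hunk also leaves `\Log::debug('User cannot edit admins or superusers');` in `canEditAuthFields` although the commit's stated purpose is to remove such lines. The renamed gate carries no documentation; a comment above `Gate::define('canEditAuthFields', ...)` stating that `$item` is the user being edited, and that the gate denies users.edit-only callers editing admins/superadmins and admins editing superadmins, would record the contract the controllers depend on. The closure bodies extend beyond the hunks.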
- - @can('canEditSensitiveFieldsForCurrentUser', $user) - + + @if ($user->ldap_import!='1' || str_contains(Route::currentRouteName(), 'clone')) - id)) ? ' disabled' : '') }}"> + id)) ? ' disabled' : '' }}> @else +

@@ -115,13 +115,12 @@ @endif - @else + @cannot('canEditAuthFields', $user)

- {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.username')]) }}

- @endcan + @endcannot
@@ -151,9 +150,8 @@
- @can('canEditSensitiveFieldsForCurrentUser', $user) @if ($user->ldap_import!='1' || str_contains(Route::currentRouteName(), 'clone') ) - id)) ? ' required' : '' }}{{ (!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '' }}> + id)) ? ' required' : '' }}{{ (!Gate::allows('canEditAuthFields', $user)) || ((!Gate::allows('editableOnDemo') && ($user->id))) ? ' disabled' : '' }}> {!! $errors->first('password', '') !!} @else @@ -161,13 +159,13 @@ {{ trans('general.managed_ldap') }}

@endif - @else + + @cannot('canEditAuthFields', $user)

{{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.password')]) }}

- - @endcan + @endcan @if (!Gate::allows('editableOnDemo') && ($user->id))

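Review bot: The `@cannot('canEditAuthFields', $user)` block opened in this hunk is closed with `@endcan`; Blade compiles both `@endcan` and `@endcannot` to `endif`, so it renders, but the mismatched pair reads like an unclosed `@can`, and the @@ -115 hunk already closes the same construct with `@endcannot`. Change the closer to `@endcannot`; the same `@cannot` / `@endcan` pairing appears in the @@ -180 hunk after the password-confirmation notice.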
@@ -180,20 +178,27 @@

- @if (Gate::allows('editableOnDemo') && (Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) && ($user->ldap_import!='1')) + @if (Gate::allows('editableOnDemo') && (Gate::allows('canEditAuthFields', $user)) && ($user->ldap_import!='1')) {{ trans('general.generate') }} @endif
- @if ((Gate::allows('canEditSensitiveFieldsForCurrentUser', $user) && ($user->ldap_import!='1')) || str_contains(Route::currentRouteName(), 'clone')) + @if (($user->ldap_import!='1') || str_contains(Route::currentRouteName(), 'clone'))
- id) ? ' required' : '' }} onfocus="this.removeAttribute('readonly');" readonly {{ ((!Gate::allows('editableOnDemo') && ($user->id)) ? ' disabled' : '') }}> + id) ? ' required' : '' }} onfocus="this.removeAttribute('readonly');" readonly {{ (!Gate::allows('canEditAuthFields', $user)) || ((!Gate::allows('editableOnDemo')) && ($user->id)) ? ' disabled' : '' }}> + + @cannot('canEditAuthFields', $user) +

+ + {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.password')]) }} +

+ @endcan @if (!Gate::allows('editableOnDemo') && ($user->id))

@@ -211,13 +216,21 @@

- @if ((!Gate::allows('editableOnDemo')) || (!Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) || ($user->id == auth()->user()->id)) + @if ((!Gate::allows('editableOnDemo')) || (!Gate::allows('canEditAuthFields', $user)) || ($user->id == auth()->user()->id)) + @cannot('canEditAuthFields', $user) + +

+ + {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.login_status')]) }} +

+ @endcannot + @cannot('editableOnDemo')

@@ -226,14 +239,6 @@

@endcannot - @cannot('canEditSensitiveFieldsForCurrentUser', $user) - -

- - {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.login_status')]) }} -

- @endcannot - @if ($user->id == auth()->user()->id)

@@ -259,11 +264,19 @@

- @can('canEditSensitiveFieldsForCurrentUser', $user) id)) ? ' disabled' : '') }}> + readonly onfocus="this.removeAttribute('readonly');" {{ (Helper::checkIfRequired($user, 'email')) ? ' required' : '' }}{{ (!Gate::allows('canEditAuthFields', $user)) || ((!Gate::allows('editableOnDemo') && ($user->id))) ? ' disabled' : '' }}> - @if (!Gate::allows('editableOnDemo') && ($user->id)) + @cannot('canEditAuthFields', $user) + +

+ + {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.email')]) }} +

+ @endcannot + + + @if (!Gate::allows('editableOnDemo') && ($user->id))

{{ trans('admin/users/table.lock_passwords') }} @@ -271,12 +284,8 @@ @endif {!! $errors->first('email', '') !!} - @else -

- - {{ trans('general.action_permission_generic', ['action' => trans('general.edit'), 'item_type' => trans('general.email')]) }} -

- @endcan + +
@@ -303,7 +312,7 @@
- @if ((Gate::allows('canEditSensitiveFieldsForCurrentUser', $user)) && (\App\Models\Company::canManageUsersCompanies())) + @if ((Gate::allows('canEditAuthFields', $user)) && (\App\Models\Company::canManageUsersCompanies())) @include ('partials.forms.edit.company-select', ['translated_name' => trans('general.select_company'), 'fieldname' => 'company_id']) @else @if ($user->company)