svc-admin01/snipe-it
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Kits: Fixed FD-55737 - Kit License Association Lacks Object-Level Authorization

Browse Source
This commit is contained in:
snipe
2026-06-08 21:55:16 +01:00
parent 144772cfbe
commit 0d870d540d
3 changed files with 153 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Http/Controllers/Api/PredefinedKitsController.php
+12
View File
@@ -6,6 +6,9 @@ use App\Helpers\Helper;
use App\Http\Controllers\Controller;
use App\Http\Transformers\PredefinedKitsTransformer;
use App\Http\Transformers\SelectlistTransformer;
use App\Models\Accessory;
use App\Models\Consumable;
use App\Models\License;
use App\Models\PredefinedKit;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
@@ -183,6 +186,9 @@ class PredefinedKitsController extends Controller
}
$license_id = $request->input('license');
$license = License::findOrFail($license_id);
$this->authorize('view', $license);
$relation = $kit->licenses();
if ($relation->find($license_id)) {
return response()->json(Helper::formatStandardApiResponse('error', null, ['license' => trans('admin/kits/general.license_error')]));
@@ -329,6 +335,9 @@ class PredefinedKitsController extends Controller
}
$consumable_id = $request->input('consumable');
$consumable = Consumable::findOrFail($consumable_id);
$this->authorize('view', $consumable);
$relation = $kit->consumables();
if ($relation->find($consumable_id)) {
return response()->json(Helper::formatStandardApiResponse('error', null, ['consumable' => trans('admin/kits/general.consumable_error')]));
@@ -402,6 +411,9 @@ class PredefinedKitsController extends Controller
}
$accessory_id = $request->input('accessory');
$accessory = Accessory::findOrFail($accessory_id);
$this->authorize('view', $accessory);
$relation = $kit->accessories();
if ($relation->find($accessory_id)) {
return response()->json(Helper::formatStandardApiResponse('error', null, ['accessory' => trans('admin/kits/general.accessory_error')]));
database/factories/UserFactory.php
+5
View File
@@ -430,6 +430,11 @@ class UserFactory extends Factory
return $this->appendPermission(['kits.delete' => '1']);
}
public function editPredefinedKits()
{
return $this->appendPermission(['kits.edit' => '1']);
}
public function viewPredefinedKits()
{
return $this->appendPermission(['kits.view' => '1']);
tests/Feature/PredefinedKits/Api/AttachKitItemsTest.php
+136
View File
@@ -0,0 +1,136 @@
<?php
namespace Tests\Feature\PredefinedKits\Api;
use App\Models\Accessory;
use App\Models\Consumable;
use App\Models\License;
use App\Models\PredefinedKit;
use App\Models\User;
use Tests\TestCase;
class AttachKitItemsTest extends TestCase
{
// -------------------------------------------------------------------------
// Licenses
// -------------------------------------------------------------------------
public function test_attaching_license_requires_kit_edit_permission()
{
$kit = PredefinedKit::factory()->create();
$license = License::factory()->create();
$this->actingAsForApi(User::factory()->viewLicenses()->create())
->postJson(route('api.kits.licenses.store', $kit), ['license' => $license->id, 'quantity' => 1])
->assertForbidden();
$this->assertDatabaseMissing('kits_licenses', ['kit_id' => $kit->id, 'license_id' => $license->id]);
}
public function test_attaching_license_requires_view_permission_on_license()
{
$kit = PredefinedKit::factory()->create();
$license = License::factory()->create();
$this->actingAsForApi(User::factory()->editPredefinedKits()->create())
->postJson(route('api.kits.licenses.store', $kit), ['license' => $license->id, 'quantity' => 1])
->assertForbidden();
$this->assertDatabaseMissing('kits_licenses', ['kit_id' => $kit->id, 'license_id' => $license->id]);
}
public function test_can_attach_license_with_both_permissions()
{
$kit = PredefinedKit::factory()->create();
$license = License::factory()->create();
$this->actingAsForApi(User::factory()->editPredefinedKits()->viewLicenses()->create())
->postJson(route('api.kits.licenses.store', $kit), ['license' => $license->id, 'quantity' => 1])
->assertOk()
->assertStatusMessageIs('success');
$this->assertDatabaseHas('kits_licenses', ['kit_id' => $kit->id, 'license_id' => $license->id]);
}
// -------------------------------------------------------------------------
// Consumables
// -------------------------------------------------------------------------
public function test_attaching_consumable_requires_kit_edit_permission()
{
$kit = PredefinedKit::factory()->create();
$consumable = Consumable::factory()->create();
$this->actingAsForApi(User::factory()->viewConsumables()->create())
->postJson(route('api.kits.consumables.store', $kit), ['consumable' => $consumable->id, 'quantity' => 1])
->assertForbidden();
$this->assertDatabaseMissing('kits_consumables', ['kit_id' => $kit->id, 'consumable_id' => $consumable->id]);
}
public function test_attaching_consumable_requires_view_permission_on_consumable()
{
$kit = PredefinedKit::factory()->create();
$consumable = Consumable::factory()->create();
$this->actingAsForApi(User::factory()->editPredefinedKits()->create())
->postJson(route('api.kits.consumables.store', $kit), ['consumable' => $consumable->id, 'quantity' => 1])
->assertForbidden();
$this->assertDatabaseMissing('kits_consumables', ['kit_id' => $kit->id, 'consumable_id' => $consumable->id]);
}
public function test_can_attach_consumable_with_both_permissions()
{
$kit = PredefinedKit::factory()->create();
$consumable = Consumable::factory()->create();
$this->actingAsForApi(User::factory()->editPredefinedKits()->viewConsumables()->create())
->postJson(route('api.kits.consumables.store', $kit), ['consumable' => $consumable->id, 'quantity' => 1])
->assertOk()
->assertStatusMessageIs('success');
$this->assertDatabaseHas('kits_consumables', ['kit_id' => $kit->id, 'consumable_id' => $consumable->id]);
}
// -------------------------------------------------------------------------
// Accessories
// -------------------------------------------------------------------------
public function test_attaching_accessory_requires_kit_edit_permission()
{
$kit = PredefinedKit::factory()->create();
$accessory = Accessory::factory()->create();
$this->actingAsForApi(User::factory()->viewAccessories()->create())
->postJson(route('api.kits.accessories.store', $kit), ['accessory' => $accessory->id, 'quantity' => 1])
->assertForbidden();
$this->assertDatabaseMissing('kits_accessories', ['kit_id' => $kit->id, 'accessory_id' => $accessory->id]);
}
public function test_attaching_accessory_requires_view_permission_on_accessory()
{
$kit = PredefinedKit::factory()->create();
$accessory = Accessory::factory()->create();
$this->actingAsForApi(User::factory()->editPredefinedKits()->create())
->postJson(route('api.kits.accessories.store', $kit), ['accessory' => $accessory->id, 'quantity' => 1])
->assertForbidden();
$this->assertDatabaseMissing('kits_accessories', ['kit_id' => $kit->id, 'accessory_id' => $accessory->id]);
}
public function test_can_attach_accessory_with_both_permissions()
{
$kit = PredefinedKit::factory()->create();
$accessory = Accessory::factory()->create();
$this->actingAsForApi(User::factory()->editPredefinedKits()->viewAccessories()->create())
->postJson(route('api.kits.accessories.store', $kit), ['accessory' => $accessory->id, 'quantity' => 1])
->assertOk()
->assertStatusMessageIs('success');
$this->assertDatabaseHas('kits_accessories', ['kit_id' => $kit->id, 'accessory_id' => $accessory->id]);
}
}