svc-admin01/snipe-it
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Acceptances: Fixed FD-55978 - Cross-company deletion of pending checkout acceptances via unscoped report endpoint

Browse Source
This commit is contained in:
snipe
2026-06-12 19:15:36 +01:00
parent b40e227ad3
commit 802067f398
2 changed files with 139 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Feature/Reporting/DeleteAcceptanceAuthorizationTest.php
+95
View File
@@ -0,0 +1,95 @@
<?php
namespace Tests\Feature\Reporting;
use App\Models\Asset;
use App\Models\CheckoutAcceptance;
use App\Models\Company;
use App\Models\User;
use Tests\TestCase;
class DeleteAcceptanceAuthorizationTest extends TestCase
{
public function test_user_without_reports_view_cannot_delete_acceptance()
{
$acceptance = CheckoutAcceptance::factory()->pending()->create();
$this->actingAs(User::factory()->create())
->delete(route('reports/unaccepted_assets_delete', $acceptance->id))
->assertForbidden();
$this->assertNull($acceptance->fresh()->deleted_at);
}
public function test_reports_user_can_delete_acceptance_for_their_own_company()
{
$this->settings->enableMultipleFullCompanySupport();
[$companyA] = Company::factory()->count(2)->create();
$asset = Asset::factory()->create(['company_id' => $companyA->id]);
$reporter = User::factory()->canViewReports()->create(['company_id' => $companyA->id]);
$acceptance = CheckoutAcceptance::factory()->pending()->for($asset, 'checkoutable')->create();
$this->actingAs($reporter)
->delete(route('reports/unaccepted_assets_delete', $acceptance->id))
->assertRedirectToRoute('reports/unaccepted_assets')
->assertSessionHas('success');
$this->assertNotNull($acceptance->fresh()->deleted_at);
}
public function test_reports_user_cannot_delete_acceptance_belonging_to_another_company()
{
$this->settings->enableMultipleFullCompanySupport();
[$companyA, $companyB] = Company::factory()->count(2)->create();
$assetB = Asset::factory()->create(['company_id' => $companyB->id]);
$reporter = User::factory()->canViewReports()->create(['company_id' => $companyA->id]);
$acceptance = CheckoutAcceptance::factory()->pending()->for($assetB, 'checkoutable')->create();
$this->actingAs($reporter)
->delete(route('reports/unaccepted_assets_delete', $acceptance->id))
->assertRedirectToRoute('reports/unaccepted_assets')
->assertSessionHas('error');
$this->assertNull($acceptance->fresh()->deleted_at);
}
public function test_superuser_can_delete_acceptance_from_any_company()
{
$this->settings->enableMultipleFullCompanySupport();
[$companyA, $companyB] = Company::factory()->count(2)->create();
$assetB = Asset::factory()->create(['company_id' => $companyB->id]);
$superuser = User::factory()->superuser()->create(['company_id' => $companyA->id]);
$acceptance = CheckoutAcceptance::factory()->pending()->for($assetB, 'checkoutable')->create();
$this->actingAs($superuser)
->delete(route('reports/unaccepted_assets_delete', $acceptance->id))
->assertRedirectToRoute('reports/unaccepted_assets')
->assertSessionHas('success');
$this->assertNotNull($acceptance->fresh()->deleted_at);
}
public function test_company_scoping_not_enforced_when_fmcs_disabled()
{
$this->settings->disableMultipleFullCompanySupport();
[$companyA, $companyB] = Company::factory()->count(2)->create();
$assetB = Asset::factory()->create(['company_id' => $companyB->id]);
$reporter = User::factory()->canViewReports()->create(['company_id' => $companyA->id]);
$acceptance = CheckoutAcceptance::factory()->pending()->for($assetB, 'checkoutable')->create();
$this->actingAs($reporter)
->delete(route('reports/unaccepted_assets_delete', $acceptance->id))
->assertRedirectToRoute('reports/unaccepted_assets')
->assertSessionHas('success');
$this->assertNotNull($acceptance->fresh()->deleted_at);
}
}