svc-admin01/snipe-it
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

API: Fixed FD-55735- API Location Creation Bypasses FMCS Parent-Child Company Boundary Validation

Browse Source
This commit is contained in:
snipe
2026-06-08 16:52:05 +01:00
parent abc4363e83
commit 9a8cbd6e00
2 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Http/Controllers/Api/LocationsController.php
+5 -1
View File
@@ -216,7 +216,7 @@ class LocationsController extends Controller
$location->company_id = Company::getIdForCurrentUser($request->input('company_id'));
// check if parent is set and has a different company
if ($location->parent_id && Location::find($location->parent_id)->company_id != $location->company_id) {
response()->json(Helper::formatStandardApiResponse('error', null, 'different company than parent'));
return response()->json(Helper::formatStandardApiResponse('error', null, 'different company than parent'));
}
}
@@ -310,6 +310,10 @@ class LocationsController extends Controller
if (Helper::test_locations_fmcs(false, $id, $location->company_id)) {
return response()->json(Helper::formatStandardApiResponse('error', null, 'error scoped locations'));
}
// check if parent is set and has a different company
if ($location->parent_id && Location::find($location->parent_id)->company_id != $location->company_id) {
return response()->json(Helper::formatStandardApiResponse('error', null, 'different company than parent'));
}
} else {
$location->company_id = $request->input('company_id');
}
app/Http/Controllers/LocationsController.php
+4
View File
@@ -178,6 +178,10 @@ class LocationsController extends Controller
if (Helper::test_locations_fmcs(false, $location->id, $location->company_id)) {
return redirect()->back()->withInput()->withInput()->with('error', 'error scoped locations');
}
// check if parent is set and has a different company
if ($location->parent_id && Location::find($location->parent_id)->company_id != $location->company_id) {
return redirect()->back()->withInput()->withInput()->with('error', 'different company than parent');
}
} else {
$location->company_id = $request->input('company_id');
}