Bumped version to v8.6.2

FMCS/Console: Fixed #19166 scope check updates for multiple companies, adds floater

.all-contributorsrc

@@ -4271,6 +4271,15 @@
       "contributions": [
         "code"
       ]
+    },
+    {
+      "login": "CybotTM",
+      "name": "Sebastian Mendel",
+      "avatar_url": "https://avatars.githubusercontent.com/u/326348?v=4",
+      "profile": "https://github.com/CybotTM",
+      "contributions": [
+        "code"
+      ]
     }
   ]
 }

.env.dev.docker

@@ -113,7 +113,7 @@ ENABLE_HSTS=false
 # --------------------------------------------
 CACHE_DRIVER=file
 SESSION_DRIVER=file
-QUEUE_DRIVER=sync
+QUEUE_CONNECTION=sync
 CACHE_PREFIX=snipeit
 
 # --------------------------------------------

.env.docker

@@ -37,6 +37,7 @@ MYSQL_ROOT_PASSWORD=changeme1234
 DB_PREFIX=null
 DB_DUMP_PATH='/usr/bin'
 DB_DUMP_SKIP_SSL=true
+DB_DUMP_SINGLE_TRANSACTION=false
 DB_CHARSET=utf8mb4
 DB_COLLATION=utf8mb4_unicode_ci
 
@@ -120,7 +121,7 @@ ENABLE_HSTS=false
 # --------------------------------------------
 CACHE_DRIVER=file
 SESSION_DRIVER=file
-QUEUE_DRIVER=sync
+QUEUE_CONNECTION=sync
 CACHE_PREFIX=snipeit
 
 # --------------------------------------------

.env.dusk.example

@@ -72,7 +72,7 @@ CORS_ALLOWED_ORIGINS="*"
 # --------------------------------------------
 CACHE_DRIVER=file
 SESSION_DRIVER=file
-QUEUE_DRIVER=sync
+QUEUE_CONNECTION=sync
 
 # --------------------------------------------
 # OPTIONAL: LOGIN THROTTLING

.env.example

@@ -32,6 +32,7 @@ DB_PASSWORD=null
 DB_PREFIX=null
 DB_DUMP_PATH='/usr/bin'
 DB_DUMP_SKIP_SSL=false
+DB_DUMP_SINGLE_TRANSACTION=false
 DB_CHARSET=utf8mb4
 DB_COLLATION=utf8mb4_unicode_ci
 DB_SANITIZE_BY_DEFAULT=false
@@ -133,7 +134,7 @@ BS_TABLE_DEEPLINK=true
 APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1
 ALLOW_IFRAMING=false
 REFERRER_POLICY=same-origin
-ENABLE_CSP=false
+ENABLE_CSP=true
 ADDITIONAL_CSP_URLS=null
 CORS_ALLOWED_ORIGINS=null
 ENABLE_HSTS=false
@@ -142,7 +143,7 @@ ENABLE_HSTS=false
 # OPTIONAL: CACHE SETTINGS
 # --------------------------------------------
 CACHE_DRIVER=file
-QUEUE_DRIVER=sync
+QUEUE_CONNECTION=sync
 CACHE_PREFIX=snipeit
 
 # --------------------------------------------
@@ -210,6 +211,7 @@ LOGIN_AUTOCOMPLETE=false
 RESET_PASSWORD_LINK_EXPIRES=15
 PASSWORD_CONFIRM_TIMEOUT=10800
 PASSWORD_RESET_MAX_ATTEMPTS_PER_MIN=50
+TWO_FACTOR_MAX_ATTEMPTS_PER_MIN=5
 INVITE_PASSWORD_LINK_EXPIRES=1500
 
 # --------------------------------------------

.github/workflows/ethicalcheck.yml

@@ -0,0 +1,69 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# EthicalCheck addresses the critical need to continuously security test APIs in development and in production.
+
+# EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.
+# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities.
+
+# You develop the application and API, we bring complete and continuous security testing to you, accelerating development.
+
+# Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service.
+
+# How EthicalCheck works?
+# EthicalCheck functions in the following simple steps.
+# 1. Security Testing.
+# Provide your OpenAPI specification or start with a public Postman collection URL.
+# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing.
+# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc.
+
+# 2. Reporting.
+# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities.
+# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging.
+
+
+# This is a starter workflow to help you get started with EthicalCheck Actions
+
+name: EthicalCheck-Workflow
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push or pull request events but only for the "master" branch
+  # Customize trigger events based on your DevSecOps processes.
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '35 17 * * 6'
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  Trigger_EthicalCheck:
+    permissions:
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+
+    steps:
+       - name: EthicalCheck  Free & Automated API Security Testing Service
+         uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641
+         with:
+          # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL.
+          oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs"
+          # The email address to which the penetration test report will be sent.
+          email: "snipe@snipe.net"
+          sarif-result-file: "ethicalcheck-results.sarif"
+
+       - name: Upload sarif file to repository
+         uses: github/codeql-action/upload-sarif@v4
+         with:
+          sarif_file: ./ethicalcheck-results.sarif
+

.github/workflows/tests-mysql.yml

@@ -28,6 +28,7 @@ jobs:
           - "8.2"
           - "8.3"
           - "8.4"
+          - "8.5"
 
     name: PHP ${{ matrix.php-version }}
 

.github/workflows/tests-postgres.yml

@@ -24,6 +24,7 @@ jobs:
           - "8.2"
           - "8.3"
           - "8.4"
+          - "8.5"
 
 
     name: PHP ${{ matrix.php-version }}

.github/workflows/tests-sqlite.yml

@@ -15,7 +15,7 @@ jobs:
       fail-fast: false
       matrix:
         php-version:
-          - "8.3"
+          - "8.5"
 
     name: PHP ${{ matrix.php-version }}
 

.upgrade_requirements.json

@@ -1,10 +1,10 @@
 {
-    "DOC1": "This file is meant to be pulled from the current HEAD of the desired branch, NOT referenced locally",
-    "DOC2": "In other words, what you see locally are the requirements for your _current_ install",
-    "DOC3": "Please don't rely on these versions for planning upgrades unless you've fetched the most recent version",
-    "DOC4": "You should really just ignore it and run upgrade.php. Really",
-    "php_min_version": "8.2.0",
-    "php_max_major_minor": "8.4",
-    "php_max_wontwork": "8.5.0",
-    "current_snipeit_version": "8.0"
+  "DOC1": "This file is meant to be pulled from the current HEAD of the desired branch, NOT referenced locally",
+  "DOC2": "In other words, what you see locally are the requirements for your _current_ install",
+  "DOC3": "Please don't rely on these versions for planning upgrades unless you've fetched the most recent version",
+  "DOC4": "You should really just ignore it and run upgrade.php. Really",
+  "php_min_version": "8.2.0",
+  "php_max_major_minor": "8.5",
+  "php_max_wontwork": "8.6.0",
+  "current_snipeit_version": "8.0"
 }

CLAUDE.md

@@ -0,0 +1,110 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Stack
+
+- **PHP 8.2+** / **Laravel 12** (framework), **Laravel Mix** (webpack) for frontend assets
+- **AdminLTE 2** / **Bootstrap 3** UI — Blade views, no Livewire/Inertia
+- **Chart.js v2.9.4** — bundled at `public/js/dist/Chart.min.js`; use `horizontalBar` type (v2 API, not v3)
+
+## Common Commands
+
+```bash
+# Run all tests
+php artisan test
+# or
+vendor/bin/phpunit
+
+# Run a single test file
+php artisan test tests/Feature/Assets/AssetsTest.php
+
+# Run a specific test method
+php artisan test --filter testSomeMethod
+
+# Build frontend assets (dev)
+npm run dev
+
+# Build for production
+npm run prod
+
+# Laravel Mix watch
+npm run watch
+
+# Tinker / REPL
+php artisan tinker
+
+# Clear caches after config/route changes
+php artisan optimize:clear
+```
+
+Dev server is served via **Laravel Herd** (`herd coverage` for coverage reports).
+
+## Architecture
+
+### Controllers
+
+Two parallel controller trees:
+- `app/Http/Controllers/` — web/UI controllers (Blade views)
+- `app/Http/Controllers/Api/` — REST API controllers (JSON, used by datatables + select2)
+
+Subdirectory groupings: `Assets/`, `Licenses/`, `Users/`, `Accessories/`, `Consumables/`, `Components/`, `Kits/`, `Account/`, `Auth/`
+
+### API Pattern
+
+Every API controller returns data via a **Transformer** (`app/Http/Transformers/`). Never return raw model attributes from API controllers — always pass through the transformer. `DatatablesTransformer` wraps paginated results.
+
+```php
+return (new AssetsTransformer)->transformAssets($assets, $assets->count());
+```
+
+### Authorization
+
+All authorization goes through **Policies** (`app/Policies/`). `CheckoutablePermissionsPolicy` is the base for assets/licenses/accessories/consumables — its `checkout()` / `checkin()` methods accept `$item = null` so you can use `@can('checkout', \App\Models\Asset::class)` without an instance.
+
+### FMCS (Full Multiple Company Support)
+
+`Setting::getSettings()->full_multiple_companies_support == '1'` gates company-scoped filtering. The select2 API endpoints (`selectlist()` methods) accept a `companyId` query param — apply it like this:
+
+```php
+if ((Setting::getSettings()->full_multiple_companies_support == '1') && ($request->filled('companyId'))) {
+    $query->where('table.company_id', $request->input('companyId'));
+}
+```
+
+Pass `data-company-id="{{ $user->company_id }}"` in Blade to wire it to select2.
+
+### Select2 AJAX Dropdowns
+
+Use `class="js-data-ajax"` with `data-endpoint="hardware|licenses|consumables|..."`. `snipeit.js` auto-initializes these, forwarding `data-company-id` as `companyId` and `data-asset-status-type` as `statusType` to the API.
+
+### Routes
+
+All routes are in `routes/web.php` (UI) and `routes/api.php` (API). Breadcrumbs are defined inline using `->breadcrumbs(fn (Trail $trail) => ...)` from `tabuna/breadcrumbs`. Every UI route should have a breadcrumb.
+
+Note: the `reports/unaccepted_assets` route is named with slashes, not dots — use `route('reports/unaccepted_assets')`.
+
+### Translations
+
+String keys live in `resources/lang/en-US/general.php` (and other files in that directory). Always add new UI strings as translation keys rather than hard-coding English.
+
+### Checkout Redirect Flow
+
+After checkout, `Helper::getRedirectOption()` reads `$request->redirect_option`. For redirecting back to the assigned user after checkout:
+- Set `redirect_option=target` in the form
+- Set `checkout_to_type=user` in the form
+- Set `assigned_user={{ $user->id }}` in the form
+
+### Key Helper Methods (`app/Helpers/Helper.php`)
+
+- `Helper::deployableStatusLabelList()` — status labels for checkout forms
+- `Helper::defaultChartColors()` — 10-color palette used in charts
+- `Helper::getRedirectOption($request, $id, $table)` — post-checkout redirect logic
+
+### Global View Variables
+
+`$snipeSettings` is injected into all views via a service provider — no need to pass `Setting::getSettings()` from every controller. Use it directly in Blade.
+
+## Testing
+
+Tests live in `tests/Feature/` (organized by entity) and `tests/Unit/`. Feature tests hit the database; the test environment uses `array` cache/session/mail drivers. Tests use factories for data setup.

CONTRIBUTORS.md

@@ -69,7 +69,7 @@ Thanks goes to all of these wonderful people ([emoji key](https://github.com/ken
 | [<img src="https://avatars.githubusercontent.com/u/10965027?v=4" width="110px;"/><br /><sub>Ellie</sub>](https://leafedfox.xyz/)<br />[💻](https://github.com/snipe/snipe-it/commits?author=LeafedFox "Code") | [<img src="https://avatars.githubusercontent.com/u/20960555?v=4" width="110px;"/><br /><sub>GA Stamper</sub>](https://github.com/gastamper)<br />[💻](https://github.com/snipe/snipe-it/commits?author=gastamper "Code") | [<img src="https://avatars.githubusercontent.com/u/206553556?v=4" width="110px;"/><br /><sub>Guillaume Lefranc</sub>](https://github.com/gl-pup)<br />[💻](https://github.com/snipe/snipe-it/commits?author=gl-pup "Code") | [<img src="https://avatars.githubusercontent.com/u/733892?v=4" width="110px;"/><br /><sub>Hajo Möller</sub>](https://github.com/dasjoe)<br />[💻](https://github.com/snipe/snipe-it/commits?author=dasjoe "Code") | [<img src="https://avatars.githubusercontent.com/u/3420063?v=4" width="110px;"/><br /><sub>Istvan Basa</sub>](https://github.com/pottom)<br />[💻](https://github.com/snipe/snipe-it/commits?author=pottom "Code") | [<img src="https://avatars.githubusercontent.com/u/810824?v=4" width="110px;"/><br /><sub>JJ Asghar</sub>](https://jjasghar.github.io/)<br />[💻](https://github.com/snipe/snipe-it/commits?author=jjasghar "Code") | [<img src="https://avatars.githubusercontent.com/u/40404495?v=4" width="110px;"/><br /><sub>James E. Msenga</sub>](https://github.com/JemCdo)<br />[💻](https://github.com/snipe/snipe-it/commits?author=JemCdo "Code") |
 | [<img src="https://avatars.githubusercontent.com/u/6865786?v=4" width="110px;"/><br /><sub>Jan Felix Wiebe</sub>](https://github.com/jfwiebe)<br />[💻](https://github.com/snipe/snipe-it/commits?author=jfwiebe "Code") | [<img src="https://avatars.githubusercontent.com/u/43412008?v=4" width="110px;"/><br /><sub>Jo Drexl</sub>](https://www.nfon.com/)<br />[💻](https://github.com/snipe/snipe-it/commits?author=drexljo "Code") | [<img src="https://avatars.githubusercontent.com/u/4807843?v=4" width="110px;"/><br /><sub>Austin Sasko</sub>](https://github.com/austinsasko)<br />[💻](https://github.com/snipe/snipe-it/commits?author=austinsasko "Code") | [<img src="https://avatars.githubusercontent.com/u/4875039?v=4" width="110px;"/><br /><sub>Jasson</sub>](http://jassoncordones.github.io)<br />[💻](https://github.com/snipe/snipe-it/commits?author=JassonCordones "Code") | [<img src="https://avatars.githubusercontent.com/u/76069640?v=4" width="110px;"/><br /><sub>Okean</sub>](https://github.com/Tinyblargon)<br />[💻](https://github.com/snipe/snipe-it/commits?author=Tinyblargon "Code") | [<img src="https://avatars.githubusercontent.com/u/6515064?v=4" width="110px;"/><br /><sub>Alejandro Medrano</sub>](https://www.lst.tfo.upm.es/alejandro-medrano/)<br />[💻](https://github.com/snipe/snipe-it/commits?author=amedranogil "Code") | [<img src="https://avatars.githubusercontent.com/u/58696401?v=4" width="110px;"/><br /><sub>Lukas Kraic</sub>](https://github.com/lukaskraic)<br />[💻](https://github.com/snipe/snipe-it/commits?author=lukaskraic "Code") |
 | [<img src="https://avatars.githubusercontent.com/u/1571724?v=4" width="110px;"/><br /><sub>Герхард PICCORO Lenz McKAY </sub>](https://github-readme-stats.vercel.app/api?username=mckaygerhard)<br />[💻](https://github.com/snipe/snipe-it/commits?author=mckaygerhard "Code") | [<img src="https://avatars.githubusercontent.com/u/15015119?v=4" width="110px;"/><br /><sub>Johannes Pollitt</sub>](https://github.com/FlorestanII)<br />[💻](https://github.com/snipe/snipe-it/commits?author=FlorestanII "Code") | [<img src="https://avatars.githubusercontent.com/u/14185442?v=4" width="110px;"/><br /><sub>Michael Strobel</sub>](https://strobelm.de)<br />[💻](https://github.com/snipe/snipe-it/commits?author=strobelm "Code") | [<img src="https://avatars.githubusercontent.com/u/634790?v=4" width="110px;"/><br /><sub>Nicky West</sub>](http://nickwest.me)<br />[💻](https://github.com/snipe/snipe-it/commits?author=nickwest "Code") | [<img src="https://avatars.githubusercontent.com/u/1347327?v=4" width="110px;"/><br /><sub>akaspeh1</sub>](https://github.com/akaspeh1)<br />[💻](https://github.com/snipe/snipe-it/commits?author=akaspeh1 "Code") | [<img src="https://avatars.githubusercontent.com/u/2880129?v=4" width="110px;"/><br /><sub>Sebastian Marsching</sub>](http://sebastian.marsching.com/)<br />[💻](https://github.com/snipe/snipe-it/commits?author=smarsching "Code") | [<img src="https://avatars.githubusercontent.com/u/40658372?v=4" width="110px;"/><br /><sub>Mo</sub>](https://github.com/mohammad-ahmadi1)<br />[💻](https://github.com/snipe/snipe-it/commits?author=mohammad-ahmadi1 "Code") |
-| [<img src="https://avatars.githubusercontent.com/u/20994684?v=4" width="110px;"/><br /><sub>Owen V. Hayes</sub>](https://github.com/MarvelousAnything)<br />[💻](https://github.com/snipe/snipe-it/commits?author=MarvelousAnything "Code") | [<img src="https://avatars.githubusercontent.com/u/75509373?v=4" width="110px;"/><br /><sub>Peter Gallwas</sub>](https://www.husky.nz)<br />[💻](https://github.com/snipe/snipe-it/commits?author=Husky-Devel "Code") |
+| [<img src="https://avatars.githubusercontent.com/u/20994684?v=4" width="110px;"/><br /><sub>Owen V. Hayes</sub>](https://github.com/MarvelousAnything)<br />[💻](https://github.com/snipe/snipe-it/commits?author=MarvelousAnything "Code") | [<img src="https://avatars.githubusercontent.com/u/75509373?v=4" width="110px;"/><br /><sub>Peter Gallwas</sub>](https://www.husky.nz)<br />[💻](https://github.com/snipe/snipe-it/commits?author=Husky-Devel "Code") | [<img src="https://avatars.githubusercontent.com/u/326348?v=4" width="110px;"/><br /><sub>Sebastian Mendel</sub>](https://github.com/CybotTM)<br />[💻](https://github.com/snipe/snipe-it/commits?author=CybotTM "Code") |
 <!-- ALL-CONTRIBUTORS-LIST:END -->
 
 This project follows the [all-contributors](https://github.com/kentcdodds/all-contributors) specification. Contributions of any kind welcome!

Dockerfile.fpm-alpine

@@ -56,6 +56,7 @@ COPY --from=mlocati/php-extension-installer:2.1.15 /usr/bin/install-php-extensio
 RUN set -eux; \
     install-php-extensions \
         bcmath \
+        exif \
         gd \
         ldap \
         mysqli \

README.md

@@ -7,7 +7,7 @@
 
 This is a FOSS project for asset management in IT Operations. Knowing who has which laptop, when it was purchased in order to depreciate it correctly, handling software licenses, etc.
 
-It is built on [Laravel 11](http://laravel.com).
+It is built on [Laravel 12](http://laravel.com).
 
 Snipe-IT is actively developed and we [release quite frequently](https://github.com/grokability/snipe-it/releases). ([Check out the live demo here](https://snipeitapp.com/demo/).)
 
@@ -98,6 +98,7 @@ Since the release of the JSON REST API, several third-party developers have been
 - [InQRy (archived)](https://github.com/Microsoft/InQRy) by [@Microsoft](https://github.com/Microsoft)
 - [Marksman (archived)](https://github.com/Scope-IT/marksman) - A Windows agent for Snipe-IT
 - [Python Module (archived)](https://github.com/jbloomer/SnipeIT-PythonAPI) by [@jbloomer](https://github.com/jbloomer)
+[IT-Tools](https://github.com/chrisnox/Snipeit-it-tools) by @chrisnox - Browser bookmarklets for PDF handover/return protocols, digital signatures, label printing (Zebra ZD410), AirWatch MDM sync and Lansweeper CSV import.
 
 We also have a handful of [Google Apps scripts](https://github.com/grokability/google-apps-scripts-for-snipe-it) to help with various tasks.
 

SECURITY.md

@@ -10,9 +10,9 @@ however there are times when library dependencies and/or PHP/MySQL dependencies
 make it impossible to backport security fixes on older versions. 
 
 | Version | Supported          |
-|---------| ------------------ |
+|---------|--------------------|
 | 8.x     | :white_check_mark: |
-| 7.x     | :white_check_mark: |
+| 7.x     | :x:                |
 | 6.x     | :x:                |
 | 5.1.x   | :x:                |
 | 5.0.x   | :x:                |
@@ -24,7 +24,18 @@ make it impossible to backport security fixes on older versions.
 Security vulnerabilities should be sent to security@snipeitapp.com. You can typically expect a 
 response within two business days, and we typically have fixes out in under a week from the initial disclosure.
 
-This obviously varies based on the severity of the  security issue and the difficulty in remediation, 
-but those have historically been the timelines we worm around.
+This obviously varies based on the severity of the security issue and the difficulty in remediation, but those have
+historically been the timelines we work around.
+
+We do ask that you do not disclose the vulnerability publicly until we have had a chance to address it and tag a release
+so that we can protect our users, and we will work
+with you to coordinate a public disclosure once we have a fix out. We will also work with you to ensure that you receive
+appropriate credit for the discovery of the vulnerability, if you would like to be credited. (Please provide a GitHub
+username or other information if you would like to be credited, and please let us know if you would like to remain
+anonymous.)
+
+For responsible disclosure, we ask that you give us at least __90 days__ to address the issue before disclosing it
+publicly,
+but we will work with you if you need to disclose it sooner than that.
 
 For a full breakdown of our security policies, please see https://snipeitapp.com/security.

app/Actions/Permissions/PreserveUnauthorizedPrivilegedPermissionsAction.php

@@ -13,8 +13,13 @@ final class PreserveUnauthorizedPrivilegedPermissionsAction
      * @param  array<string, mixed>  $originalPermissions
      * @return array<string, mixed>
      */
-    public static function run(array $requestedPermissions, User $authenticatedUser, array $originalPermissions = []): array
+    public static function run(array $requestedPermissions, User $authenticatedUser, array $originalPermissions = [], ?User $targetUser = null): array
     {
+        // Disallow non-admin/superuser users from modifying their own permissions, but allow them to modify other users' permissions (except for admin/superuser keys).
+        if ($targetUser && ! $authenticatedUser->isSuperUser() && $authenticatedUser->id === $targetUser->id) {
+            return $originalPermissions;
+        }
+
         if (! $authenticatedUser->isSuperUser()) {
             if (array_key_exists('superuser', $originalPermissions)) {
                 $requestedPermissions['superuser'] = $originalPermissions['superuser'];

app/Console/Commands/BulkDelete.php

@@ -0,0 +1,989 @@
+<?php
+
+namespace App\Console\Commands;
+
+use App\Events\CheckoutableCheckedIn;
+use App\Mail\BulkDeleteReportMail;
+use App\Models\Accessory;
+use App\Models\AccessoryCheckout;
+use App\Models\Actionlog;
+use App\Models\Asset;
+use App\Models\CheckoutAcceptance;
+use App\Models\Company;
+use App\Models\Component;
+use App\Models\Consumable;
+use App\Models\License;
+use App\Models\LicenseSeat;
+use App\Models\User;
+use Illuminate\Console\Command;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Mail;
+use Illuminate\Support\Facades\Storage;
+use Symfony\Component\Console\Helper\ProgressBar;
+
+use function Laravel\Prompts\confirm;
+use function Laravel\Prompts\error;
+use function Laravel\Prompts\info;
+use function Laravel\Prompts\multisearch;
+use function Laravel\Prompts\multiselect;
+use function Laravel\Prompts\search;
+use function Laravel\Prompts\select;
+use function Laravel\Prompts\warning;
+
+class BulkDelete extends Command
+{
+    protected $signature = 'snipeit:checkin-delete-items';
+
+    protected $description = 'Interactively check in and/or delete items by company and type';
+
+    private const CHECKIN_NOTE = 'Checked in via bulk CLI operation';
+
+    private array $reportLines = [];
+
+    public function handle(): int
+    {
+        // Step 1: Dry run?
+        $dryRun = confirm(
+            label: 'Is this a dry run?',
+            default: true,
+            yes: 'Yes — preview only, no changes will be made',
+            no: 'No — LIVE RUN, changes WILL be made',
+        );
+
+        // Step 2: Who are you?
+        $adminId = search(
+            label: 'Who are you? Search by username, first or last name.',
+            placeholder: 'Type to search users...',
+            options: function (string $value): array {
+                if (strlen($value) < 1) {
+                    return [];
+                }
+
+                return User::where('activated', 1)
+                    ->whereNull('deleted_at')
+                    ->onlySuperAdmins()
+                    ->where(function ($query) use ($value) {
+                        $query->where('username', 'like', "%{$value}%")
+                            ->orWhere('first_name', 'like', "%{$value}%")
+                            ->orWhere('last_name', 'like', "%{$value}%")
+                            ->orWhereRaw("CONCAT(first_name, ' ', last_name) LIKE ?", ["%{$value}%"]);
+                    })
+                    ->get()
+                    ->mapWithKeys(fn (User $u) => [$u->id => "{$u->first_name} {$u->last_name} ({$u->username})"])
+                    ->toArray();
+            },
+            validate: fn (mixed $value) => ! $value ? 'A valid active user is required.' : null,
+        );
+
+        /** @var User $admin */
+        $admin = User::findOrFail((int) $adminId);
+
+        // Step 3: Which companies?
+        if (! Company::exists()) {
+            error('No companies found. Please create at least one company before using this command.');
+
+            return 1;
+        }
+
+        $selectedCompanyKeys = multisearch(
+            label: 'Which companies would you like to check in and delete items for?',
+            placeholder: 'Type to search companies...',
+            options: function (string $value): array {
+                $results = [];
+
+                if ($value === '' || str_contains('(no company / unassigned)', strtolower($value))) {
+                    $results['__null__'] = '(No Company / Unassigned)';
+                }
+
+                $query = Company::orderBy('name');
+                if ($value !== '') {
+                    $query->where('name', 'like', "%{$value}%");
+                }
+
+                $query->get()->each(function (Company $c) use (&$results) {
+                    $results[$c->id] = "{$c->name} (ID: {$c->id})";
+                });
+
+                return $results;
+            },
+            scroll: 10,
+            required: 'Please select at least one company.',
+            hint: 'If you\'re searching on several differently named companies, use the up-arrow to go back to the search box to search again. ',
+        );
+
+        $includeNullCompany = in_array('__null__', $selectedCompanyKeys);
+        $selectedCompanyIds = array_values(array_filter(
+            $selectedCompanyKeys,
+            fn ($k) => $k !== '__null__'
+        ));
+
+        $companyNamesById = Company::whereIn('id', $selectedCompanyIds)->pluck('name', 'id')->toArray();
+        $selectedCompanyNames = array_map(
+            fn ($id) => $id === '__null__' ? '(No Company)' : ($companyNamesById[$id] ?? "(ID: {$id})"),
+            $selectedCompanyKeys
+        );
+
+        // Step 4: Which item types?
+        $rawTypeSelection = multiselect(
+            label: 'What item types would you like to check in and delete?',
+            options: [
+                'all' => 'All Items (assets, licenses, accessories, components, consumables, users)',
+                'assets' => 'Assets',
+                'licenses' => 'Licenses',
+                'accessories' => 'Accessories',
+                'components' => 'Components',
+                'consumables' => 'Consumables',
+                'users' => 'Users',
+            ],
+            required: 'Please select at least one item type.',
+            hint: 'Select "All Items" to process every supported type.',
+        );
+
+        $allSubTypes = ['assets', 'licenses', 'accessories', 'components', 'consumables', 'users'];
+        $selectedTypes = in_array('all', $rawTypeSelection)
+            ? $allSubTypes
+            : array_values(array_intersect($allSubTypes, $rawTypeSelection));
+
+        // Compute and display counts now so the user can see what will be affected
+        $counts = $this->getCounts($selectedTypes, $selectedCompanyIds, $includeNullCompany);
+
+        $skipAdminUser = false;
+
+        $this->line('');
+        $this->line('  Items that would be affected:');
+        foreach ($counts as $type => $count) {
+            $this->line(sprintf('    %-14s %d', ucfirst($type).':', $count));
+        }
+
+        if (in_array('users', $selectedTypes)) {
+            $userInScope = $this->buildUserQuery($selectedCompanyIds, $includeNullCompany)
+                ->where('users.id', $admin->id)
+                ->exists();
+
+            if ($userInScope) {
+                $skipAdminUser = true;
+                $counts['users'] = max(0, ($counts['users'] ?? 0) - 1);
+                warning("  Your user ({$admin->username}) is within the selected scope and will be skipped during user deletion.");
+            }
+        }
+
+        $this->line('');
+
+        // Step 5: Hard delete, soft delete, or no delete?
+        $deleteType = select(
+            label: 'How should items be deleted?',
+            options: [
+                'soft' => 'Soft delete — items moved to trash (recoverable)',
+                'hard' => 'Hard delete — permanently removed (cannot be recovered)',
+                'none' => 'No delete — check in only, items remain in inventory',
+            ],
+            default: 'soft',
+        );
+
+        // Step 6: Send checkin notifications? (not applicable to users or consumables)
+        $notifiableTypes = array_intersect($selectedTypes, ['assets', 'licenses', 'accessories', 'components']);
+        $sendNotifications = false;
+
+        if (! empty($notifiableTypes)) {
+            $sendNotifications = confirm(
+                label: 'Should we send checkin notifications?',
+                default: true,
+                hint: 'Applies to: '.implode(', ', $notifiableTypes).'. Users and consumables are excluded.',
+            );
+        }
+
+        // Step 7: Clear related action_logs?
+        $clearLogs = confirm(
+            label: 'Should we clear related action logs?',
+            default: false,
+            hint: 'This removes all history for affected items, as if the data never existed.',
+        );
+
+        // Step 8: Delete associated files?
+        $deleteFiles = false;
+        if ($deleteType !== 'none') {
+            $deleteFiles = confirm(
+                label: 'Should we also delete associated image and upload files?',
+                default: $deleteType === 'hard',
+                hint: 'Permanently removes images, avatars, signatures, EULAs, and action log uploads from disk.',
+            );
+        }
+
+        // Step 9: Delete the companies themselves?
+        $deleteCompanyType = 'keep';
+        if (! empty($selectedCompanyIds)) {
+            $deleteCompanyType = select(
+                label: 'Should the selected companies also be deleted?',
+                options: [
+                    'keep' => 'Keep — do not delete the companies',
+                    'soft' => 'Soft delete — companies moved to trash (recoverable)',
+                    'hard' => 'Hard delete — permanently removed (cannot be recovered)',
+                ],
+                default: 'keep',
+            );
+        }
+
+        // Step 10: Backup first?
+        $doBackup = confirm(
+            label: 'Should we run a backup before proceeding?',
+            default: true,
+            hint: 'Strongly recommended. Saved as backup-before-bulk-delete-cli-[datetime].zip',
+        );
+
+        // Step 11: Summary + final confirmation
+        $this->line('');
+        $this->line('  ════════════════════════════════════════════════════');
+        $this->line('   SUMMARY OF ACTIONS');
+        $this->line('  ════════════════════════════════════════════════════');
+        $this->line("   Admin user:      {$admin->first_name} {$admin->last_name} ({$admin->username})");
+        $this->line('   Companies:       '.implode(', ', $selectedCompanyNames));
+        $this->line('   Item types:      '.implode(', ', $selectedTypes));
+        $this->line("   Delete mode:     {$deleteType}");
+        $this->line('   Notifications:   '.($sendNotifications ? 'Yes' : 'No'));
+        $this->line('   Clear logs:      '.($clearLogs ? 'Yes' : 'No'));
+        $this->line('   Delete files:    '.($deleteFiles ? 'Yes' : 'No'));
+        $this->line('   Delete companies: '.($deleteCompanyType === 'keep' ? 'No' : ucfirst($deleteCompanyType).' delete'));
+        $this->line('   Backup first:    '.($doBackup ? 'Yes' : 'No'));
+        $this->line('   Dry run:         '.($dryRun ? 'Yes' : 'No'));
+        $this->line('');
+        $this->line('   Items to be processed:');
+        foreach ($counts as $type => $count) {
+            $this->line(sprintf('     %-14s %d', ucfirst($type).':', $count));
+        }
+        if ($skipAdminUser) {
+            $this->line('   * Your user account will be skipped during user deletion.');
+        }
+        $this->line('  ════════════════════════════════════════════════════');
+        $this->line('');
+
+        // Step 10.5: Email report?
+        $sendEmailReport = false;
+        if ($admin->email) {
+            $sendEmailReport = confirm(
+                label: "Send an email report to {$admin->email}?",
+                default: false,
+                hint: 'A summary of all '.($dryRun ? 'would-be ' : '').'actions will be emailed to you.',
+            );
+        }
+
+        if (! $dryRun) {
+            $confirmed = confirm(
+                label: 'Are you sure you want to proceed? This cannot be undone.',
+                default: false,
+            );
+
+            if (! $confirmed) {
+                info('Aborted. No changes were made.');
+
+                return 0;
+            }
+        }
+
+        // Run backup if requested
+        if ($doBackup && ! $dryRun) {
+            $backupFilename = 'backup-before-bulk-delete-cli-'.now()->format('Y-m-d-H-i-s');
+            info("Running backup ({$backupFilename}.zip)...");
+            $result = $this->callSilently('snipeit:backup', ['--filename' => $backupFilename]);
+            if ($result === 0) {
+                info("Backup completed: {$backupFilename}.zip");
+            } else {
+                warning("Backup may have failed (exit code {$result}). Proceeding anyway.");
+            }
+        }
+
+        // Step 11: Execute with progress bar
+        $totalItems = array_sum($counts);
+        $bar = $this->output->createProgressBar($totalItems > 0 ? $totalItems : 1);
+        $bar->setFormat(' %current%/%max% [%bar%] %percent:3s%% %message%');
+        $bar->setMessage('Starting...');
+        $bar->start();
+
+        foreach ($selectedTypes as $type) {
+            match ($type) {
+                'assets' => $this->processAssets($selectedCompanyIds, $includeNullCompany, $sendNotifications, $admin, $dryRun, $deleteType, $clearLogs, $deleteFiles, $bar),
+                'licenses' => $this->processLicenses($selectedCompanyIds, $includeNullCompany, $sendNotifications, $admin, $dryRun, $deleteType, $clearLogs, $deleteFiles, $bar),
+                'accessories' => $this->processAccessories($selectedCompanyIds, $includeNullCompany, $sendNotifications, $admin, $dryRun, $deleteType, $clearLogs, $deleteFiles, $bar),
+                'components' => $this->processComponents($selectedCompanyIds, $includeNullCompany, $sendNotifications, $admin, $dryRun, $deleteType, $clearLogs, $deleteFiles, $bar),
+                'consumables' => $this->processConsumables($selectedCompanyIds, $includeNullCompany, $dryRun, $deleteType, $clearLogs, $deleteFiles, $bar),
+                'users' => $this->processUsers($selectedCompanyIds, $includeNullCompany, $admin, $skipAdminUser, $dryRun, $deleteType, $clearLogs, $deleteFiles, $bar),
+            };
+        }
+
+        $bar->setMessage('Done.');
+        $bar->finish();
+        $this->line('');
+        $this->line('');
+
+        // Delete companies if requested
+        if ($deleteCompanyType !== 'keep' && ! empty($selectedCompanyIds)) {
+            $companies = Company::whereIn('id', $selectedCompanyIds)->get();
+            foreach ($companies as $company) {
+                if ($dryRun) {
+                    $this->line("  [dry-run] Would {$deleteCompanyType}-delete company {$company->name}");
+                    $this->reportLines[] = "Would {$deleteCompanyType}-delete company {$company->name}";
+                } else {
+                    if ($deleteCompanyType === 'soft') {
+                        $company->delete();
+                    } else {
+                        $company->forceDelete();
+                    }
+                    // Remove any remaining pivot associations (e.g. the admin user who was
+                    // skipped during user processing but is still a member of this company)
+                    DB::table('company_user')->where('company_id', $company->id)->delete();
+                    $this->reportLines[] = ucfirst($deleteCompanyType)."-deleted company {$company->name}";
+                }
+            }
+        }
+
+        if ($dryRun) {
+            warning('Dry run complete — no changes were made.');
+        } else {
+            info('All actions completed successfully.');
+        }
+
+        if ($sendEmailReport && $admin->email) {
+            Mail::to($admin->email)->send(new BulkDeleteReportMail(
+                admin: $admin,
+                dryRun: $dryRun,
+                companyNames: $selectedCompanyNames,
+                selectedTypes: $selectedTypes,
+                deleteType: $deleteType,
+                reportLines: $this->reportLines,
+                runAt: now(),
+            ));
+            info("Report sent to {$admin->email}.");
+        }
+
+        return 0;
+    }
+
+    private function getCounts(array $types, array $companyIds, bool $includeNull): array
+    {
+        $counts = [];
+
+        if (in_array('assets', $types)) {
+            $counts['assets'] = $this->buildCompanyQuery(Asset::query(), $companyIds, $includeNull)->count();
+        }
+        if (in_array('licenses', $types)) {
+            $counts['licenses'] = $this->buildCompanyQuery(License::query(), $companyIds, $includeNull)->count();
+        }
+        if (in_array('accessories', $types)) {
+            $counts['accessories'] = $this->buildCompanyQuery(Accessory::query(), $companyIds, $includeNull)->count();
+        }
+        if (in_array('components', $types)) {
+            $counts['components'] = $this->buildCompanyQuery(Component::query(), $companyIds, $includeNull)->count();
+        }
+        if (in_array('consumables', $types)) {
+            $counts['consumables'] = $this->buildCompanyQuery(Consumable::query(), $companyIds, $includeNull)->count();
+        }
+        if (in_array('users', $types)) {
+            $counts['users'] = $this->buildUserQuery($companyIds, $includeNull)->count();
+        }
+
+        return $counts;
+    }
+
+    private function buildCompanyQuery(Builder $query, array $companyIds, bool $includeNull): Builder
+    {
+        return $query->where(function (Builder $q) use ($companyIds, $includeNull) {
+            if (! empty($companyIds)) {
+                $q->whereIn('company_id', $companyIds);
+            }
+            if ($includeNull) {
+                $method = ! empty($companyIds) ? 'orWhereNull' : 'whereNull';
+                $q->{$method}('company_id');
+            }
+        });
+    }
+
+    private function buildUserQuery(array $companyIds, bool $includeNull): Builder
+    {
+        return User::query()
+            ->where('activated', 1)
+            ->where(function (Builder $q) use ($companyIds, $includeNull) {
+                if (! empty($companyIds)) {
+                    $q->whereIn('company_id', $companyIds);
+                }
+                if ($includeNull) {
+                    $method = ! empty($companyIds) ? 'orWhereNull' : 'whereNull';
+                    $q->{$method}('company_id');
+                }
+            });
+    }
+
+    private function processAssets(
+        array $companyIds,
+        bool $includeNull,
+        bool $sendNotifications,
+        User $admin,
+        bool $dryRun,
+        string $deleteType,
+        bool $clearLogs,
+        bool $deleteFiles,
+        ProgressBar $bar,
+    ): void {
+        $assets = $this->buildCompanyQuery(Asset::query(), $companyIds, $includeNull)->get();
+
+        foreach ($assets as $asset) {
+            $bar->setMessage("Assets: {$asset->asset_tag}");
+
+            if ($asset->assignedTo) {
+                if ($dryRun) {
+                    $this->line("  [dry-run] Would check in asset {$asset->asset_tag} from {$asset->assignedTo->name}");
+                    $this->reportLines[] = "Would check in asset {$asset->asset_tag} (assigned to {$asset->assignedTo->name})";
+                } else {
+                    $target = $asset->assignedTo;
+                    $checkinAt = now()->format('Y-m-d H:i:s');
+                    $originalValues = $asset->getRawOriginal();
+
+                    if ($sendNotifications) {
+                        event(new CheckoutableCheckedIn($asset, $target, $admin, self::CHECKIN_NOTE, $checkinAt, $originalValues));
+                        DB::table('assets')->where('id', $asset->id)->update(['assigned_to' => null, 'assigned_type' => null]);
+                    } else {
+                        DB::table('assets')->where('id', $asset->id)->update(['assigned_to' => null, 'assigned_type' => null]);
+                        $asset->logCheckin($target, self::CHECKIN_NOTE, $checkinAt, $originalValues);
+                    }
+
+                    $this->reportLines[] = "Checked in asset {$asset->asset_tag} from {$target->name}";
+                    $asset->licenseseats()->update(['assigned_to' => null]);
+
+                    CheckoutAcceptance::where('checkoutable_type', Asset::class)
+                        ->where('checkoutable_id', $asset->id)
+                        ->whereNull('accepted_at')
+                        ->whereNull('declined_at')
+                        ->forceDelete();
+                }
+            }
+
+            if (! $dryRun) {
+                // Collect action log file paths before logs may be cleared
+                $actionLogPaths = $deleteFiles
+                    ? $asset->assetlog()->whereNotNull('filename')->get()
+                        ->map(fn (Actionlog $log) => $log->uploads_file_path())
+                        ->filter()
+                        ->values()
+                        ->toArray()
+                    : [];
+
+                // Delete checkout acceptance files, then hard-remove all acceptances
+                if ($deleteFiles) {
+                    CheckoutAcceptance::where('checkoutable_type', Asset::class)
+                        ->where('checkoutable_id', $asset->id)
+                        ->get()
+                        ->each(fn (CheckoutAcceptance $ca) => $this->deleteAcceptanceFiles($ca));
+                }
+                CheckoutAcceptance::where('checkoutable_type', Asset::class)
+                    ->where('checkoutable_id', $asset->id)
+                    ->forceDelete();
+
+                // Hard-delete-only cleanup: maintenance records, accessory checkouts to this
+                // asset, and any other assets that were assigned to this one
+                $maintenanceImages = [];
+                if ($deleteType === 'hard') {
+                    if ($deleteFiles) {
+                        $maintenanceImages = $asset->maintenances()
+                            ->whereNotNull('image')
+                            ->pluck('image')
+                            ->toArray();
+                    }
+                    $asset->maintenances()->forceDelete();
+                    AccessoryCheckout::where('assigned_to', $asset->id)
+                        ->where('assigned_type', Asset::class)
+                        ->delete();
+                    DB::table('assets')
+                        ->where('assigned_to', $asset->id)
+                        ->where('assigned_type', Asset::class)
+                        ->update(['assigned_to' => null, 'assigned_type' => null]);
+                }
+
+                match ($deleteType) {
+                    'soft' => $asset->delete(),
+                    'hard' => $asset->forceDelete(),
+                    default => null,
+                };
+
+                if ($deleteType !== 'none') {
+                    $this->reportLines[] = ucfirst($deleteType)."-deleted asset {$asset->asset_tag}";
+                }
+
+                if ($clearLogs) {
+                    $asset->assetlog()->forceDelete();
+                }
+
+                if ($deleteFiles) {
+                    if ($asset->image) {
+                        $this->deleteStorageFile('public', app('assets_upload_path').$asset->image);
+                    }
+                    foreach ($maintenanceImages as $img) {
+                        $this->deleteStorageFile('public', app('maintenances_upload_path').$img);
+                    }
+                    foreach ($actionLogPaths as $path) {
+                        $this->deleteStorageFile('local', $path);
+                    }
+                }
+            } elseif ($deleteType !== 'none') {
+                $this->line("  [dry-run] Would {$deleteType}-delete asset {$asset->asset_tag}");
+                $this->reportLines[] = "Would {$deleteType}-delete asset {$asset->asset_tag}";
+            }
+
+            $bar->advance();
+        }
+    }
+
+    private function processLicenses(
+        array $companyIds,
+        bool $includeNull,
+        bool $sendNotifications,
+        User $admin,
+        bool $dryRun,
+        string $deleteType,
+        bool $clearLogs,
+        bool $deleteFiles,
+        ProgressBar $bar,
+    ): void {
+        $licenses = $this->buildCompanyQuery(License::query(), $companyIds, $includeNull)->get();
+
+        foreach ($licenses as $license) {
+            $bar->setMessage("Licenses: {$license->name}");
+
+            $seats = LicenseSeat::where('license_id', $license->id)
+                ->where(fn ($q) => $q->whereNotNull('assigned_to')->orWhereNotNull('asset_id'))
+                ->get();
+
+            foreach ($seats as $seat) {
+                $target = $seat->assigned_to ? $seat->user : $seat->asset;
+
+                if ($dryRun) {
+                    $this->line("  [dry-run] Would check in license seat for {$license->name} from ".($target?->name ?? $target?->asset_tag ?? 'unknown'));
+                    $this->reportLines[] = "Would check in license seat for {$license->name} from ".($target?->name ?? $target?->asset_tag ?? 'unknown');
+                } else {
+                    $seat->assigned_to = null;
+                    $seat->asset_id = null;
+                    $seat->save();
+
+                    $this->reportLines[] = "Checked in license seat for {$license->name} from ".($target?->name ?? $target?->asset_tag ?? 'unknown');
+
+                    if ($target) {
+                        if ($sendNotifications) {
+                            event(new CheckoutableCheckedIn($seat, $target, $admin, self::CHECKIN_NOTE));
+                        } else {
+                            $seat->logCheckin($target, self::CHECKIN_NOTE);
+                        }
+                    }
+                }
+            }
+
+            if (! $dryRun) {
+                // Collect action log file paths before logs may be cleared
+                $actionLogPaths = $deleteFiles
+                    ? $license->assetlog()->whereNotNull('filename')->get()
+                        ->map(fn (Actionlog $log) => $log->uploads_file_path())
+                        ->filter()
+                        ->values()
+                        ->toArray()
+                    : [];
+
+                if ($deleteType === 'soft') {
+                    $license->licenseseats()->delete();
+                    $license->delete();
+                    $this->reportLines[] = "Soft-deleted license {$license->name}";
+                } elseif ($deleteType === 'hard') {
+                    $seatIds = $license->licenseseats()->pluck('id');
+                    if ($deleteFiles) {
+                        CheckoutAcceptance::where('checkoutable_type', LicenseSeat::class)
+                            ->whereIn('checkoutable_id', $seatIds)
+                            ->get()
+                            ->each(fn (CheckoutAcceptance $ca) => $this->deleteAcceptanceFiles($ca));
+                    }
+                    CheckoutAcceptance::where('checkoutable_type', LicenseSeat::class)
+                        ->whereIn('checkoutable_id', $seatIds)
+                        ->forceDelete();
+                    $license->licenseseats()->forceDelete();
+                    DB::table('kits_licenses')->where('license_id', $license->id)->delete();
+                    $license->forceDelete();
+                    $this->reportLines[] = "Hard-deleted license {$license->name}";
+                }
+
+                if ($clearLogs) {
+                    $license->assetlog()->forceDelete();
+                }
+
+                if ($deleteFiles) {
+                    foreach ($actionLogPaths as $path) {
+                        $this->deleteStorageFile('local', $path);
+                    }
+                }
+            } elseif ($deleteType !== 'none') {
+                $this->line("  [dry-run] Would {$deleteType}-delete license {$license->name}");
+                $this->reportLines[] = "Would {$deleteType}-delete license {$license->name}";
+            }
+
+            $bar->advance();
+        }
+    }
+
+    private function processAccessories(
+        array $companyIds,
+        bool $includeNull,
+        bool $sendNotifications,
+        User $admin,
+        bool $dryRun,
+        string $deleteType,
+        bool $clearLogs,
+        bool $deleteFiles,
+        ProgressBar $bar,
+    ): void {
+        $accessories = $this->buildCompanyQuery(Accessory::query(), $companyIds, $includeNull)->get();
+
+        foreach ($accessories as $accessory) {
+            $bar->setMessage("Accessories: {$accessory->name}");
+
+            $checkouts = AccessoryCheckout::where('accessory_id', $accessory->id)->get();
+
+            foreach ($checkouts as $checkout) {
+                $target = $checkout->assignedTo;
+
+                if ($dryRun) {
+                    $this->line("  [dry-run] Would check in accessory {$accessory->name} from ".($target?->name ?? 'unknown'));
+                    $this->reportLines[] = "Would check in accessory {$accessory->name} from ".($target?->name ?? 'unknown');
+                } else {
+                    $checkinAt = now()->format('Y-m-d H:i:s');
+                    $checkout->delete();
+
+                    $this->reportLines[] = "Checked in accessory {$accessory->name} from ".($target?->name ?? 'unknown');
+
+                    if ($target) {
+                        if ($sendNotifications) {
+                            event(new CheckoutableCheckedIn($accessory, $target, $admin, self::CHECKIN_NOTE, $checkinAt));
+                        } else {
+                            $accessory->logCheckin($target, self::CHECKIN_NOTE, $checkinAt);
+                        }
+                    }
+                }
+            }
+
+            if (! $dryRun) {
+                // Collect action log file paths before logs may be cleared
+                $actionLogPaths = $deleteFiles
+                    ? $accessory->assetlog()->whereNotNull('filename')->get()
+                        ->map(fn (Actionlog $log) => $log->uploads_file_path())
+                        ->filter()
+                        ->values()
+                        ->toArray()
+                    : [];
+
+                if ($clearLogs) {
+                    $accessory->assetlog()->forceDelete();
+                }
+
+                if ($deleteType === 'hard') {
+                    DB::table('kits_accessories')->where('accessory_id', $accessory->id)->delete();
+                }
+
+                match ($deleteType) {
+                    'soft' => $accessory->delete(),
+                    'hard' => $accessory->forceDelete(),
+                    default => null,
+                };
+
+                if ($deleteType !== 'none') {
+                    $this->reportLines[] = ucfirst($deleteType)."-deleted accessory {$accessory->name}";
+                }
+
+                if ($deleteFiles) {
+                    if ($accessory->image) {
+                        $this->deleteStorageFile('public', app('accessories_upload_path').$accessory->image);
+                    }
+                    foreach ($actionLogPaths as $path) {
+                        $this->deleteStorageFile('local', $path);
+                    }
+                }
+            } elseif ($deleteType !== 'none') {
+                $this->line("  [dry-run] Would {$deleteType}-delete accessory {$accessory->name}");
+                $this->reportLines[] = "Would {$deleteType}-delete accessory {$accessory->name}";
+            }
+
+            $bar->advance();
+        }
+    }
+
+    private function processComponents(
+        array $companyIds,
+        bool $includeNull,
+        bool $sendNotifications,
+        User $admin,
+        bool $dryRun,
+        string $deleteType,
+        bool $clearLogs,
+        bool $deleteFiles,
+        ProgressBar $bar,
+    ): void {
+        $components = $this->buildCompanyQuery(Component::query(), $companyIds, $includeNull)->get();
+
+        foreach ($components as $component) {
+            $bar->setMessage("Components: {$component->name}");
+
+            $assignments = DB::table('components_assets')
+                ->where('component_id', $component->id)
+                ->get();
+
+            foreach ($assignments as $assignment) {
+                $asset = Asset::find($assignment->asset_id);
+
+                if ($dryRun) {
+                    $this->line("  [dry-run] Would check in component {$component->name} from asset ".($asset?->asset_tag ?? 'unknown'));
+                    $this->reportLines[] = "Would check in component {$component->name} from asset ".($asset?->asset_tag ?? 'unknown');
+                } else {
+                    $checkinAt = now()->format('Y-m-d H:i:s');
+                    DB::table('components_assets')->where('id', $assignment->id)->delete();
+
+                    $this->reportLines[] = "Checked in component {$component->name} from asset ".($asset?->asset_tag ?? 'unknown');
+
+                    if ($asset) {
+                        if ($sendNotifications) {
+                            event(new CheckoutableCheckedIn($component, $asset, $admin, self::CHECKIN_NOTE, $checkinAt));
+                        } else {
+                            $component->logCheckin($asset, self::CHECKIN_NOTE, $checkinAt);
+                        }
+                    }
+                }
+            }
+
+            if (! $dryRun) {
+                // Collect action log file paths before logs may be cleared
+                $actionLogPaths = $deleteFiles
+                    ? $component->assetlog()->whereNotNull('filename')->get()
+                        ->map(fn (Actionlog $log) => $log->uploads_file_path())
+                        ->filter()
+                        ->values()
+                        ->toArray()
+                    : [];
+
+                if ($clearLogs) {
+                    $component->assetlog()->forceDelete();
+                }
+
+                match ($deleteType) {
+                    'soft' => $component->delete(),
+                    'hard' => $component->forceDelete(),
+                    default => null,
+                };
+
+                if ($deleteType !== 'none') {
+                    $this->reportLines[] = ucfirst($deleteType)."-deleted component {$component->name}";
+                }
+
+                if ($deleteFiles) {
+                    if ($component->image) {
+                        $this->deleteStorageFile('public', app('components_upload_path').$component->image);
+                    }
+                    foreach ($actionLogPaths as $path) {
+                        $this->deleteStorageFile('local', $path);
+                    }
+                }
+            } elseif ($deleteType !== 'none') {
+                $this->line("  [dry-run] Would {$deleteType}-delete component {$component->name}");
+                $this->reportLines[] = "Would {$deleteType}-delete component {$component->name}";
+            }
+
+            $bar->advance();
+        }
+    }
+
+    private function processConsumables(
+        array $companyIds,
+        bool $includeNull,
+        bool $dryRun,
+        string $deleteType,
+        bool $clearLogs,
+        bool $deleteFiles,
+        ProgressBar $bar,
+    ): void {
+        $consumables = $this->buildCompanyQuery(Consumable::query(), $companyIds, $includeNull)->get();
+
+        foreach ($consumables as $consumable) {
+            $bar->setMessage("Consumables: {$consumable->name}");
+
+            if (! $dryRun) {
+                // Collect action log file paths before logs may be cleared
+                $actionLogPaths = $deleteFiles
+                    ? $consumable->assetlog()->whereNotNull('filename')->get()
+                        ->map(fn (Actionlog $log) => $log->uploads_file_path())
+                        ->filter()
+                        ->values()
+                        ->toArray()
+                    : [];
+
+                if ($clearLogs) {
+                    $consumable->assetlog()->forceDelete();
+                }
+
+                if ($deleteType === 'hard') {
+                    DB::table('kits_consumables')->where('consumable_id', $consumable->id)->delete();
+                }
+
+                match ($deleteType) {
+                    'soft' => $consumable->delete(),
+                    'hard' => $consumable->forceDelete(),
+                    default => null,
+                };
+
+                if ($deleteType !== 'none') {
+                    $this->reportLines[] = ucfirst($deleteType)."-deleted consumable {$consumable->name}";
+                }
+
+                if ($deleteFiles) {
+                    if ($consumable->image) {
+                        $this->deleteStorageFile('public', app('consumables_upload_path').$consumable->image);
+                    }
+                    foreach ($actionLogPaths as $path) {
+                        $this->deleteStorageFile('local', $path);
+                    }
+                }
+            } elseif ($deleteType !== 'none') {
+                $this->line("  [dry-run] Would {$deleteType}-delete consumable {$consumable->name}");
+                $this->reportLines[] = "Would {$deleteType}-delete consumable {$consumable->name}";
+            }
+
+            $bar->advance();
+        }
+    }
+
+    private function processUsers(
+        array $companyIds,
+        bool $includeNull,
+        User $admin,
+        bool $skipAdminUser,
+        bool $dryRun,
+        string $deleteType,
+        bool $clearLogs,
+        bool $deleteFiles,
+        ProgressBar $bar,
+    ): void {
+        $users = $this->buildUserQuery($companyIds, $includeNull)->get();
+
+        foreach ($users as $user) {
+            if ($skipAdminUser && $user->id === $admin->id) {
+                continue;
+            }
+
+            $bar->setMessage("Users: {$user->username}");
+
+            // If real companies were selected, check whether this user also belongs to
+            // companies outside the selected scope. If so, only remove the selected-company
+            // associations and skip full deletion to avoid orphaning them from their other companies.
+            if (! empty($companyIds)) {
+                $allUserCompanyIds = array_unique(array_filter(array_merge(
+                    $user->companies()->pluck('companies.id')->toArray(),
+                    $user->company_id ? [$user->company_id] : [],
+                )));
+                $outsideCompanyIds = array_values(array_diff($allUserCompanyIds, $companyIds));
+
+                if (! empty($outsideCompanyIds)) {
+                    $outsideNames = Company::whereIn('id', $outsideCompanyIds)->pluck('name')->implode(', ');
+
+                    if ($dryRun) {
+                        $this->line("  [dry-run] Would partially disassociate user {$user->username} (also belongs to: {$outsideNames})");
+                        $this->reportLines[] = "Would partially disassociate user {$user->username} — also belongs to: {$outsideNames}";
+                    } else {
+                        $user->companies()->detach($companyIds);
+                        warning("  Skipped full deletion of {$user->username}: they also belong to {$outsideNames}. Removed selected company associations only.");
+                        $this->reportLines[] = "Partially disassociated user {$user->username} — also belongs to: {$outsideNames}. Full deletion skipped.";
+                    }
+
+                    $bar->advance();
+
+                    continue;
+                }
+            }
+
+            if (! $dryRun) {
+                // Collect file paths and acceptance records before deleting pivot data
+                $acceptancesToDelete = $deleteFiles
+                    ? CheckoutAcceptance::where('assigned_to_id', $user->id)->get()
+                    : collect();
+
+                $actionLogPaths = $deleteFiles
+                    ? Actionlog::where('item_type', User::class)
+                        ->where('item_id', $user->id)
+                        ->where('action_type', 'uploaded')
+                        ->whereNotNull('filename')
+                        ->get()
+                        ->map(fn (Actionlog $log) => $log->uploads_file_path())
+                        ->filter()
+                        ->values()
+                        ->toArray()
+                    : [];
+
+                // Clear pivot/assignment data that will orphan on deletion
+                LicenseSeat::where('assigned_to', $user->id)->update(['assigned_to' => null]);
+                AccessoryCheckout::where('assigned_to', $user->id)
+                    ->where('assigned_type', User::class)
+                    ->delete();
+                DB::table('consumables_users')->where('assigned_to', $user->id)->delete();
+                CheckoutAcceptance::where('assigned_to_id', $user->id)->forceDelete();
+                if ($deleteType === 'hard') {
+                    DB::table('company_user')->where('user_id', $user->id)->delete();
+                }
+
+                if ($clearLogs) {
+                    $user->userlog()->forceDelete();
+                }
+
+                match ($deleteType) {
+                    'soft' => $user->delete(),
+                    'hard' => $user->forceDelete(),
+                    default => null,
+                };
+
+                if ($deleteType !== 'none') {
+                    $this->reportLines[] = ucfirst($deleteType)."-deleted user {$user->username}";
+                }
+
+                if ($deleteFiles) {
+                    if ($user->avatar) {
+                        $this->deleteStorageFile('public', app('users_upload_path').$user->avatar);
+                    }
+                    $acceptancesToDelete->each(fn (CheckoutAcceptance $ca) => $this->deleteAcceptanceFiles($ca));
+                    foreach ($actionLogPaths as $path) {
+                        $this->deleteStorageFile('local', $path);
+                    }
+                }
+            } elseif ($deleteType !== 'none') {
+                $this->line("  [dry-run] Would {$deleteType}-delete user {$user->username}");
+                $this->reportLines[] = "Would {$deleteType}-delete user {$user->username}";
+            }
+
+            $bar->advance();
+        }
+    }
+
+    private function deleteStorageFile(string $disk, ?string $path): void
+    {
+        if (! $path) {
+            return;
+        }
+        try {
+            $storage = $disk === 'public'
+                ? Storage::disk('public')
+                : Storage::disk(config('filesystems.default'));
+            if ($storage->exists($path)) {
+                $storage->delete($path);
+            }
+        } catch (\Exception $e) {
+            Log::warning("Could not delete file {$path}: ".$e->getMessage());
+        }
+    }
+
+    private function deleteAcceptanceFiles(CheckoutAcceptance $acceptance): void
+    {
+        if ($acceptance->signature_filename) {
+            $this->deleteStorageFile('local', 'private_uploads/signatures/'.$acceptance->signature_filename);
+        }
+        if ($acceptance->stored_eula_file) {
+            $this->deleteStorageFile('local', 'private_uploads/eula-pdfs/'.$acceptance->stored_eula_file);
+        }
+    }
+}

app/Console/Commands/CheckinAndDeleteItems.php

@@ -0,0 +1,308 @@
+<?php
+
+namespace App\Console\Commands;
+
+use App\Events\CheckoutableCheckedIn;
+use App\Models\Accessory;
+use App\Models\AccessoryCheckout;
+use App\Models\Asset;
+use App\Models\CheckoutAcceptance;
+use App\Models\Component;
+use App\Models\License;
+use App\Models\LicenseSeat;
+use App\Models\User;
+use Illuminate\Console\Command;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Support\Facades\DB;
+
+class CheckinAndDeleteItems extends Command
+{
+    protected $signature = 'snipeit:checkin-delete-all
+        {--company-id= : Only process items belonging to this company ID}
+        {--admin-id= : ID of the user credited for the checkins (defaults to first superadmin)}
+        {--no-notifications : Suppress email and webhook notifications}
+        {--type=all : Comma-separated types to process: assets, licenses, accessories, components, or all}
+        {--note= : Note recorded on each checkin action log entry}
+        {--dry-run : Preview what would be processed without making any changes}
+        {--force : Skip the confirmation prompt}';
+
+    protected $description = 'Check in all assigned items and soft-delete them, optionally scoped to a company';
+
+    public function handle(): int
+    {
+        $companyId = $this->option('company-id');
+        $noNotifications = $this->option('no-notifications');
+        $dryRun = $this->option('dry-run');
+        $typeOption = $this->option('type') ?? 'all';
+        $note = $this->option('note') ?: 'Checked in and deleted via CLI';
+
+        $allTypes = ['assets', 'licenses', 'accessories', 'components'];
+        $typesToProcess = $typeOption === 'all'
+            ? $allTypes
+            : array_intersect(array_map('trim', explode(',', $typeOption)), $allTypes);
+
+        if (empty($typesToProcess)) {
+            $this->error('Invalid --type value. Use: assets, licenses, accessories, components, or all.');
+
+            return 1;
+        }
+
+        $admin = null;
+        if (! $dryRun && ! $noNotifications) {
+            if ($this->option('admin-id')) {
+                $admin = User::find($this->option('admin-id'));
+                if (! $admin) {
+                    $this->error('No user found with admin-id '.$this->option('admin-id').'.');
+
+                    return 1;
+                }
+            } else {
+                $admin = User::onlySuperAdmins()->first();
+            }
+
+            if (! $admin) {
+                $this->warn('No admin user found — notifications will be suppressed.');
+                $noNotifications = true;
+            }
+        }
+
+        $scopeMsg = $companyId ? "company ID {$companyId}" : 'all companies';
+        $typesMsg = implode(', ', $typesToProcess);
+
+        if ($dryRun) {
+            $this->warn('DRY RUN — no changes will be made.');
+        } elseif (! $this->option('force')) {
+            if (! $this->confirm("This will check in and soft-delete all [{$typesMsg}] for [{$scopeMsg}]. Continue?")) {
+                $this->info('Aborted.');
+
+                return 0;
+            }
+        }
+
+        if (in_array('assets', $typesToProcess)) {
+            $this->processAssets($companyId, $noNotifications, $note, $admin, $dryRun);
+        }
+
+        if (in_array('licenses', $typesToProcess)) {
+            $this->processLicenses($companyId, $noNotifications, $note, $admin, $dryRun);
+        }
+
+        if (in_array('accessories', $typesToProcess)) {
+            $this->processAccessories($companyId, $noNotifications, $note, $admin, $dryRun);
+        }
+
+        if (in_array('components', $typesToProcess)) {
+            $this->processComponents($companyId, $noNotifications, $note, $admin, $dryRun);
+        }
+
+        if ($dryRun) {
+            $this->warn('Dry run complete — no changes were made.');
+        }
+
+        return 0;
+    }
+
+    private function processAssets(?string $companyId, bool $noNotifications, string $note, ?User $admin, bool $dryRun): void
+    {
+        $query = Asset::query();
+        if ($companyId) {
+            $query->where('company_id', $companyId);
+        }
+
+        $assets = $query->get();
+        $checkedIn = 0;
+        $deleted = 0;
+
+        foreach ($assets as $asset) {
+            if ($asset->assignedTo) {
+                if ($dryRun) {
+                    $this->line('  Would check in asset: '.$asset->asset_tag.' (assigned to '.$asset->assignedTo->name.')');
+                } else {
+                    $target = $asset->assignedTo;
+                    $checkin_at = now()->format('Y-m-d H:i:s');
+                    $originalValues = $asset->getRawOriginal();
+
+                    if ($noNotifications) {
+                        DB::table('assets')->where('id', $asset->id)
+                            ->update(['assigned_to' => null, 'assigned_type' => null]);
+                        $asset->logCheckin($target, $note, $checkin_at, $originalValues);
+                    } else {
+                        // Fire event before clearing so the log captures the original state
+                        event(new CheckoutableCheckedIn($asset, $target, $admin, $note, $checkin_at, $originalValues));
+                        DB::table('assets')->where('id', $asset->id)
+                            ->update(['assigned_to' => null, 'assigned_type' => null]);
+                    }
+
+                    $asset->licenseseats()->update(['assigned_to' => null]);
+
+                    CheckoutAcceptance::pending()
+                        ->whereHasMorph('checkoutable', [Asset::class], fn (Builder $q) => $q->where('id', $asset->id))
+                        ->delete();
+                }
+
+                $checkedIn++;
+            }
+
+            if ($dryRun) {
+                $this->line('  Would delete asset: '.$asset->asset_tag);
+            } else {
+                $asset->delete();
+            }
+
+            $deleted++;
+        }
+
+        $action = $dryRun ? 'would be' : 'were';
+        $this->info("Assets: {$checkedIn} {$action} checked in, {$deleted} {$action} deleted.");
+    }
+
+    private function processLicenses(?string $companyId, bool $noNotifications, string $note, ?User $admin, bool $dryRun): void
+    {
+        $query = License::query();
+        if ($companyId) {
+            $query->where('company_id', $companyId);
+        }
+
+        $licenses = $query->get();
+        $seatsCheckedIn = 0;
+        $deleted = 0;
+
+        foreach ($licenses as $license) {
+            $seats = LicenseSeat::where('license_id', $license->id)
+                ->where(fn ($q) => $q->whereNotNull('assigned_to')->orWhereNotNull('asset_id'))
+                ->get();
+
+            foreach ($seats as $seat) {
+                $target = $seat->assigned_to ? $seat->user : $seat->asset;
+
+                if ($dryRun) {
+                    $this->line('  Would check in license seat for: '.$license->name.' (assigned to '.($target?->name ?? $target?->asset_tag ?? 'unknown').')');
+                } else {
+                    $seat->assigned_to = null;
+                    $seat->asset_id = null;
+                    $seat->save();
+
+                    if ($target) {
+                        if ($noNotifications) {
+                            $seat->logCheckin($target, $note);
+                        } else {
+                            event(new CheckoutableCheckedIn($seat, $target, $admin, $note));
+                        }
+                    }
+                }
+
+                $seatsCheckedIn++;
+            }
+
+            if ($dryRun) {
+                $this->line('  Would delete license: '.$license->name);
+            } else {
+                $license->licenseseats()->delete();
+                $license->delete();
+            }
+
+            $deleted++;
+        }
+
+        $action = $dryRun ? 'would be' : 'were';
+        $this->info("Licenses: {$seatsCheckedIn} seats {$action} checked in, {$deleted} licenses {$action} deleted.");
+    }
+
+    private function processAccessories(?string $companyId, bool $noNotifications, string $note, ?User $admin, bool $dryRun): void
+    {
+        $query = Accessory::query();
+        if ($companyId) {
+            $query->where('company_id', $companyId);
+        }
+
+        $accessories = $query->get();
+        $checkedIn = 0;
+        $deleted = 0;
+
+        foreach ($accessories as $accessory) {
+            $checkouts = AccessoryCheckout::where('accessory_id', $accessory->id)->get();
+
+            foreach ($checkouts as $checkout) {
+                $target = $checkout->assignedTo;
+
+                if ($dryRun) {
+                    $this->line('  Would check in accessory: '.$accessory->name.' (assigned to '.($target?->name ?? $target?->asset_tag ?? 'unknown').')');
+                } else {
+                    $checkin_at = now()->format('Y-m-d H:i:s');
+                    $checkout->delete();
+
+                    if ($target) {
+                        if ($noNotifications) {
+                            $accessory->logCheckin($target, $note, $checkin_at);
+                        } else {
+                            event(new CheckoutableCheckedIn($accessory, $target, $admin, $note, $checkin_at));
+                        }
+                    }
+                }
+
+                $checkedIn++;
+            }
+
+            if ($dryRun) {
+                $this->line('  Would delete accessory: '.$accessory->name);
+            } else {
+                $accessory->delete();
+            }
+
+            $deleted++;
+        }
+
+        $action = $dryRun ? 'would be' : 'were';
+        $this->info("Accessories: {$checkedIn} {$action} checked in, {$deleted} {$action} deleted.");
+    }
+
+    private function processComponents(?string $companyId, bool $noNotifications, string $note, ?User $admin, bool $dryRun): void
+    {
+        $query = Component::query();
+        if ($companyId) {
+            $query->where('company_id', $companyId);
+        }
+
+        $components = $query->get();
+        $checkedIn = 0;
+        $deleted = 0;
+
+        foreach ($components as $component) {
+            $assignments = DB::table('components_assets')
+                ->where('component_id', $component->id)
+                ->get();
+
+            foreach ($assignments as $assignment) {
+                $asset = Asset::find($assignment->asset_id);
+
+                if ($dryRun) {
+                    $this->line('  Would check in component: '.$component->name.' (assigned to '.($asset?->asset_tag ?? 'unknown').')');
+                } else {
+                    $checkin_at = now()->format('Y-m-d H:i:s');
+                    DB::table('components_assets')->where('id', $assignment->id)->delete();
+
+                    if ($asset) {
+                        if ($noNotifications) {
+                            $component->logCheckin($asset, $note, $checkin_at);
+                        } else {
+                            event(new CheckoutableCheckedIn($component, $asset, $admin, $note, $checkin_at));
+                        }
+                    }
+                }
+
+                $checkedIn++;
+            }
+
+            if ($dryRun) {
+                $this->line('  Would delete component: '.$component->name);
+            } else {
+                $component->delete();
+            }
+
+            $deleted++;
+        }
+
+        $action = $dryRun ? 'would be' : 'were';
+        $this->info("Components: {$checkedIn} {$action} checked in, {$deleted} {$action} deleted.");
+    }
+}

app/Console/Commands/CleanIncorrectCheckoutAcceptances.php

@@ -30,41 +30,77 @@ class CleanIncorrectCheckoutAcceptances extends Command
     {
         $deletions = 0;
         $skips = 0;
+        $total = CheckoutAcceptance::count();
 
-        // This walks *every* checkoutacceptance. That's gnarly. But necessary
-        $this->withProgressBar(CheckoutAcceptance::all(), function ($checkoutAcceptance) use (&$deletions, &$skips) {
-            $item = $checkoutAcceptance->checkoutable;
-            $checkout_to_id = $checkoutAcceptance->assigned_to_id;
-            if (is_null($item)) {
-                $this->info("'Checkoutable' Item is null, going to next record");
+        $this->info("Processing {$total} checkout acceptances...");
+        $bar = $this->output->createProgressBar($total);
+        $bar->start();
 
-                return; // 'false' allegedly breaks execution entirely, so 'true' maybe doesn't? hrm. just straight return maybe?
-            }
-            if (get_class($item) == LicenseSeat::class) {
-                $item = $item->license;
-            }
-            foreach ($item->assetlog()->where('action_type', 'checkout')->get() as $assetlog) {
-                if ($assetlog->target_id == $checkout_to_id && $assetlog->target_type != User::class) {
-                    // We have a checkout-to an ID for a non-User, which matches to an ID in the checkout_acceptances table
+        // Chunk to avoid loading the whole table into memory; eager-load checkoutable
+        // to eliminate the N+1 on that relationship.
+        CheckoutAcceptance::with('checkoutable')
+            ->chunkById(500, function ($chunk) use (&$deletions, &$skips, $bar) {
+                $idsToDelete = [];
 
-                    // now, let's compare the _times_ - are they close?
-                    // I'm picking `created_at` over `action_date` because I'm more interested in when the actionlogs
-                    // were _created_, not when they were alleged to have happened - those created_at times need to be within 'X' seconds of
-                    // each other (currently 5)
-                    if ($assetlog->created_at->diffInSeconds($checkoutAcceptance->created_at, true) <= 5) { // we're allowing for five _ish_ seconds of slop
-                        $deletions++;
-                        $checkoutAcceptance->forceDelete(); // HARD delete this record; it should have never been
+                foreach ($chunk as $checkoutAcceptance) {
+                    $item = $checkoutAcceptance->checkoutable;
+                    $checkout_to_id = $checkoutAcceptance->assigned_to_id;
 
-                        return;
-                    } else {
-                        // $this->info("The two records are too far apart");
+                    if (is_null($item)) {
+                        $skips++;
+                        $bar->advance();
+
+                        continue;
                     }
-                } else {
-                    // $this->info("No match! checkout to id: " . $checkout_to_id." target_id: ".$assetlog->target_id." target_type: ".$assetlog->target_type);
+
+                    if (get_class($item) === LicenseSeat::class) {
+                        $item = $item->license;
+                        if (is_null($item)) {
+                            $skips++;
+                            $bar->advance();
+
+                            continue;
+                        }
+                    }
+
+                    if (is_null($checkoutAcceptance->created_at)) {
+                        $skips++;
+                        $bar->advance();
+
+                        continue;
+                    }
+
+                    // Push all filtering (including the ±5-second window) into the DB;
+                    // exists() returns as soon as one matching row is found rather than
+                    // fetching all checkout logs into PHP.
+                    $shouldDelete = $item->assetlog()
+                        ->where('action_type', 'checkout')
+                        ->where('target_id', $checkout_to_id)
+                        ->where('target_type', '!=', User::class)
+                        ->whereBetween('created_at', [
+                            $checkoutAcceptance->created_at->copy()->subSeconds(5),
+                            $checkoutAcceptance->created_at->copy()->addSeconds(5),
+                        ])
+                        ->exists();
+
+                    if ($shouldDelete) {
+                        $idsToDelete[] = $checkoutAcceptance->id;
+                        $deletions++;
+                    } else {
+                        $skips++;
+                    }
+
+                    $bar->advance();
                 }
-            }
-            $skips++;
-        });
-        $this->error("Final deletion count: $deletions, and skip count: $skips");
+
+                // Bulk-delete the bad records in one query per chunk instead of one per row.
+                if (! empty($idsToDelete)) {
+                    CheckoutAcceptance::whereIn('id', $idsToDelete)->forceDelete();
+                }
+            });
+
+        $bar->finish();
+        $this->newLine();
+        $this->info("Final deletion count: {$deletions}, and skip count: {$skips}");
     }
 }

app/Console/Commands/LdapSync.php

@@ -19,7 +19,7 @@ class LdapSync extends Command
      *
      * @var string
      */
-    protected $signature = 'snipeit:ldap-sync {--location=} {--location_id=*} {--base_dn=} {--filter=} {--summary} {--json_summary}';
+    protected $signature = 'snipeit:ldap-sync {--location=} {--location_id=*} {--base_dn=} {--filter=} {--delete} {--summary} {--json_summary}';
 
     /**
      * The console command description.
@@ -94,6 +94,7 @@ class LdapSync extends Command
         }
 
         $summary = [];
+        $seen_ldap_usernames = [];
 
         try {
 
@@ -274,8 +275,14 @@ class LdapSync extends Command
                 'name' => $item['department'],
             ]);
 
-            $user = User::where('username', $item['username'])->first();
+            $user = User::withTrashed()->where('username', $item['username'])->first();
+            if (! empty($item['username'])) {
+                $seen_ldap_usernames[] = $item['username'];
+            }
             if ($user) {
+                if ($user->trashed()) {
+                    $user->restore();
+                }
                 // Updating an existing user.
                 $item['createorupdate'] = 'updated';
             } else {
@@ -490,6 +497,41 @@ class LdapSync extends Command
             array_push($summary, $item);
         }
 
+        // Optionally soft-delete LDAP-imported users that are no longer present in LDAP.
+        // users with assests etc. are not deletable and skipped
+        if ($this->option('delete')) {
+            $missing_ldap_users = User::where('ldap_import', 1);
+            $missing_ldap_users = $missing_ldap_users->whereNotIn('username', $seen_ldap_usernames);
+            $missing_ldap_users = $missing_ldap_users->get();
+
+            foreach ($missing_ldap_users as $missing_user) {
+                $is_deletable = $this->isUserDeletable($missing_user);
+
+                $missing_item = [
+                    'id' => $missing_user->id,
+                    'username' => $missing_user->username,
+                    'firstname' => $missing_user->first_name,
+                    'lastname' => $missing_user->last_name,
+                    'email' => $missing_user->email,
+                    'createorupdate' => 'skipped',
+                    'status' => 'info',
+                    'deletable' => $is_deletable,
+                    'note' => $is_deletable ? 'missing from LDAP' : 'missing from LDAP, but not deletable',
+                ];
+
+                if ($is_deletable) {
+                    $missing_user->delete();
+                    $missing_item['createorupdate'] = 'deleted';
+                    $missing_item['status'] = 'success';
+                    $missing_item['note'] = 'deleted_missing_from_ldap';
+                }
+
+                $summary[] = $missing_item;
+            }
+        }
+
+
+
         if ($this->option('summary')) {
             for ($x = 0; $x < count($summary); $x++) {
                 if ($summary[$x]['status'] == 'error') {
@@ -505,4 +547,23 @@ class LdapSync extends Command
             return $summary;
         }
     }
+
+    /**
+     * Checks if the user is deletable without gate check
+     * 
+     * A user is considered deletable if they have no associated assets, accessories, licenses, consumables, managed users, or managed locations.
+     * 
+     * @param User $user The user to check
+     * 
+     * @return bool True if the user is deletable, false otherwise
+     */
+    private function isUserDeletable(User $user): bool
+    {
+        return (($user->assets_count ?? $user->assets()->count()) === 0)
+            && (($user->accessories_count ?? $user->accessories()->count()) === 0)
+            && (($user->licenses_count ?? $user->licenses()->count()) === 0)
+            && (($user->consumables_count ?? $user->consumables()->count()) === 0)
+            && (($user->manages_users_count ?? $user->managesUsers()->count()) === 0)
+            && (($user->manages_locations_count ?? $user->managedLocations()->count()) === 0);
+    }
 }

app/Console/Commands/PurgeEulaPDFs.php

@@ -15,7 +15,9 @@ class PurgeEulaPDFs extends Command
      * @var string
      */
     protected $signature = 'snipeit:purge-eula-pdfs  
-                            {--older-than-days= : The number of days we should delete before } 
+                            {--older-than-days= : The number of days we should delete before }
+                            {--company-id= : Only purge acceptances for users in this company}
+                            {--only-deleted-users : Only purge acceptances for deleted users, including soft-deleted or missing users}
                             {--force : Skip the interactive yes/no prompt for confirmation}
                             {--dryrun : Show the records that would be deleted but don\'t update the database or delete files from disk}
                             {--with-output : Display the results in a table in your console}';
@@ -55,7 +57,34 @@ class PurgeEulaPDFs extends Command
             $this->info('This script is being run with the --dryrun option. No files or records will be deleted.');
 
         }
-        $acceptances = CheckoutAcceptance::HasFiles()->where('updated_at', '<', $interval_date)->with('assignedTo')->get();
+        $companyId = $this->option('company-id');
+        $query = CheckoutAcceptance::HasFiles()->where('updated_at', '<', $interval_date)
+            ->with([
+                'assignedTo' => function ($query) {
+                    $query->withTrashed();
+                },
+            ]);
+
+        if ($this->option('only-deleted-users')) {
+            $query->where(function ($query) use ($companyId) {
+                $query->whereHas('assignedTo', function ($q) use ($companyId) {
+                    $q->withTrashed()->whereNotNull('deleted_at');
+
+                    if ($companyId) {
+                        $q->where('company_id', $companyId);
+                    }
+                });
+
+                $query->orWhereDoesntHave('assignedTo');
+            });
+        } else {
+            if ($companyId) {
+                $query->whereHas('assignedTo', function ($query) use ($companyId) {
+                    $query->withTrashed()->where('company_id', $companyId);
+                });
+            }
+        }
+        $acceptances = $query->get();
 
         if (! $this->option('force')) {
             if ($this->confirm("\n****************************************************\nTHIS WILL DELETE ALL OF THE SIGNATURES AND EULA PDF FILES SINCE $interval_date. \nThere is NO undo! \n****************************************************\n\nDo you wish to continue? No backsies! [y|N]")) {

app/Console/Commands/ResetDemoSettings.php

@@ -5,6 +5,7 @@ namespace App\Console\Commands;
 use App\Models\Setting;
 use App\Models\User;
 use Illuminate\Console\Command;
+use Illuminate\Support\Facades\Hash;
 
 class ResetDemoSettings extends Command
 {
@@ -47,7 +48,7 @@ class ResetDemoSettings extends Command
         $settings->auto_increment_assets = 1;
         $settings->logo = 'snipe-logo.png';
         $settings->alert_email = 'service@snipe-it.io';
-        $settings->login_note = 'Use `admin` / `password` to login to the demo.';
+        $settings->login_note = "Use any of the following credentials to login to the demo:\n\n- `admin` / `password`\n- `assets` / `password`\n- `testuser` / `password`";
         $settings->header_color = '#3c8dbc';
         $settings->link_dark_color = '#5fa4cc';
         $settings->link_light_color = '#296282;';
@@ -85,6 +86,44 @@ class ResetDemoSettings extends Command
             $user->save();
         }
 
+        $assetsUser = User::updateOrCreate(
+            ['username' => 'assets'],
+            [
+                'first_name' => 'Assets',
+                'last_name' => 'User',
+                'password' => Hash::make('password'),
+                'activated' => 1,
+            ]
+        );
+        $assetsUser->permissions = json_encode([
+            'assets.view' => 1,
+            'assets.create' => 1,
+            'assets.edit' => 1,
+            'assets.delete' => 1,
+            'assets.checkout' => 1,
+            'assets.checkin' => 1,
+            'assets.audit' => 1,
+            'assets.files' => 1,
+            'assets.view.requestable' => 1,
+            'assets.view.encrypted_custom_fields' => 1,
+        ]);
+        $assetsUser->save();
+
+        $testUser = User::updateOrCreate(
+            ['username' => 'testuser'],
+            [
+                'first_name' => 'Test',
+                'last_name' => 'User',
+                'password' => Hash::make('password'),
+                'activated' => 1,
+            ]
+        );
+        $testUser->permissions = json_encode([
+            'self.checkout_assets' => 1,
+            'assets.view.requestable' => 1,
+        ]);
+        $testUser->save();
+
         \Storage::disk('public')->put('snipe-logo.png', file_get_contents(public_path('img/demo/snipe-logo.png')));
         \Storage::disk('public')->put('snipe-logo-lg.png', file_get_contents(public_path('img/demo/snipe-logo-lg.png')));
 

app/Console/Commands/RestoreFromBackup.php

@@ -456,7 +456,11 @@ class RestoreFromBackup extends Command
         if (! file_exists($mysql_binary)) {
             return $this->error("mysql tool at: '$mysql_binary' does not exist, cannot restore. Please edit DB_DUMP_PATH in your .env to point to a directory that contains the mysqldump and mysql binary");
         }
-        $proc_results = proc_open("$mysql_binary -h ".escapeshellarg(config('database.connections.mysql.host')).' -u '.escapeshellarg(config('database.connections.mysql.username')).' '.escapeshellarg(config('database.connections.mysql.database')), // yanked -p since we pass via ENV
+        $proc_results = proc_open("$mysql_binary -h " .
+            escapeshellarg(config('database.connections.mysql.host')) .
+            ' -u ' . escapeshellarg(config('database.connections.mysql.username')) . ' ' .
+            ' -P ' . escapeshellarg(config('database.connections.mysql.port')) . ' ' .
+            escapeshellarg(config('database.connections.mysql.database')), // yanked -p since we pass via ENV
             [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
             $pipes,
             null,

app/Console/Commands/Version.php

@@ -4,6 +4,9 @@ namespace App\Console\Commands;
 
 use Illuminate\Console\Command;
 
+use function Laravel\Prompts\info;
+use function Laravel\Prompts\select;
+
 class Version extends Command
 {
     /**
@@ -11,7 +14,7 @@ class Version extends Command
      *
      * @var string
      */
-    protected $signature = 'version:update {--branch=master} {--type=patch}';
+    protected $signature = 'version:update';
 
     /**
      * The console command description.
@@ -37,30 +40,40 @@ class Version extends Command
      */
     public function handle()
     {
-        $use_branch = $this->option('branch');
-        $use_type = $this->option('type');
+        $use_branch = select(
+            label: 'Which branch?',
+            options: ['master', 'develop'],
+            default: 'develop',
+        );
+
+        $use_type = select(
+            label: 'Which release type?',
+            options: [
+                'hash' => 'Hash bump',
+                'patch' => 'Patch release',
+                'minor' => 'Minor release',
+                'major' => 'Major release',
+                'pre-patch' => 'Pre-patch release',
+                'pre-minor' => 'Pre-minor release',
+                'pre-major' => 'Pre-major release',
+            ],
+            default: 'hash',
+            scroll: 7,
+        );
+
         $git_branch = trim(shell_exec('git rev-parse --abbrev-ref HEAD'));
         $build_version = trim(shell_exec('git rev-list --count '.$use_branch));
         $versionFile = 'config/version.php';
         $full_hash_version = str_replace("\n", '', shell_exec('git describe master --tags'));
 
         $version = explode('-', $full_hash_version);
-        $app_version = $current_app_version = $version[0];
+        $app_version = $version[0];
         $hash_version = (array_key_exists('2', $version)) ? $version[2] : '';
         $prerelease_version = '';
 
-        $this->line('Branch is: '.$use_branch);
-        $this->line('Type is: '.$use_type);
-        $this->line('Current version is: '.$full_hash_version);
-
-        if (count($version) == 3) {
-            $this->line('This does not look like an alpha/beta release.');
-        } else {
-            if (array_key_exists('3', $version)) {
-                $this->line('The current version looks like a beta release.');
-                $prerelease_version = $version[1];
-                $hash_version = $version[3];
-            }
+        if (array_key_exists('3', $version)) {
+            $prerelease_version = $version[1];
+            $hash_version = $version[3];
         }
 
         $app_version_raw = explode('.', $app_version);
@@ -74,54 +87,52 @@ class Version extends Command
             $patch = $app_version_raw[2];
         }
 
-        if ($use_type == 'major') {
+        if ($use_type === 'major') {
             $app_version = 'v'.($maj + 1).".$min.$patch";
-        } elseif ($use_type == 'minor') {
+        } elseif ($use_type === 'minor') {
             $app_version = 'v'."$maj.".($min + 1).".$patch";
-        } elseif ($use_type == 'pre') {
-            $pre_raw = str_replace('beta', '', $prerelease_version);
-            $pre_raw = str_replace('alpha', '', $pre_raw);
-            $pre_raw = str_ireplace('rc', '', $pre_raw);
-            $pre_raw = $pre_raw++;
-            $this->line('Setting the pre-release to '.$prerelease_version.'-'.$pre_raw);
-            $app_version = 'v'."$maj.".($min + 1).".$patch";
-        } elseif ($use_type == 'patch') {
+        } elseif ($use_type === 'pre-patch') {
+            $app_version = 'v'."$maj.$min.".($patch + 1).'-pre';
+        } elseif ($use_type === 'pre-minor') {
+            $app_version = 'v'."$maj.".($min + 1).'.0-pre';
+        } elseif ($use_type === 'pre-major') {
+            $app_version = 'v'.($maj + 1).'.0.0-pre';
+        } elseif ($use_type === 'patch') {
             $app_version = 'v'."$maj.$min.".($patch + 1);
-            // If nothing is passed, leave the version as it is, just increment the build
-        } else {
-            $app_version = 'v'."$maj.$min.".$patch;
         }
 
-        // Determine if this tag already exists, or if this prior to a release
-        $this->line('Running: git rev-parse master '.$current_app_version);
-        // $pre_release = trim(shell_exec('git rev-parse '.$use_branch.' '.$current_app_version.' 2>&1 1> /dev/null'));
-
-        if ($use_branch == 'develop') {
+        if ($use_branch === 'develop' && ! str_ends_with($app_version, '-pre')) {
             $app_version = $app_version.'-pre';
         }
 
+        $full_hash_version = str_replace($version[0], $app_version, $full_hash_version);
         $full_app_version = $app_version.' - build '.$build_version.'-'.$hash_version;
 
-        $array = var_export(
-            [
-                'app_version' => $app_version,
-                'full_app_version' => $full_app_version,
-                'build_version' => $build_version,
-                'prerelease_version' => $prerelease_version,
-                'hash_version' => $hash_version,
-                'full_hash' => $full_hash_version,
-                'branch' => $git_branch, ],
-            true
-        );
+        $content = <<<PHP
+        <?php
 
-        // Construct our file content
-        $content = <<<CON
-<?php
-return $array;
-CON;
+        return [
+            'app_version' => '$app_version',
+            'full_app_version' => '$full_app_version',
+            'build_version' => '$build_version',
+            'prerelease_version' => '$prerelease_version',
+            'hash_version' => '$hash_version',
+            'full_hash' => '$full_hash_version',
+            'branch' => '$git_branch',
+        ];
+
+        PHP;
 
-        // And finally write the file and output the current version
         \File::put($versionFile, $content);
-        $this->info('Setting NEW version: '.$full_app_version.' ('.$git_branch.')');
+        info('New version: '.$full_app_version.' ('.$git_branch.')');
+
+        info('Building JS/CSS assets...');
+        passthru('npm run prod', $exitCode);
+
+        if ($exitCode !== 0) {
+            $this->error('Asset build failed with exit code '.$exitCode);
+        } else {
+            info('Assets built successfully.');
+        }
     }
 }

app/Enums/ActionType.php

@@ -31,6 +31,9 @@ enum ActionType: string
     case DeleteSeats = 'delete seats';
     case AddSeats = 'add seats';
 
+    // Maintenances
+    case MaintenanceComplete = 'completed';
+
     // File Uploads
     case Uploaded = 'uploaded';
     case UploadDeleted = 'upload deleted';

app/Exceptions/Handler.php

@@ -19,6 +19,8 @@ use Illuminate\Validation\ValidationException;
 use Intervention\Image\Exception\NotSupportedException;
 use JsonException;
 use League\OAuth2\Server\Exception\OAuthServerException;
+use Livewire\Exceptions\ComponentNotFoundException;
+use Livewire\Exceptions\PublicPropertyNotFoundException;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Throwable;
 
@@ -41,6 +43,8 @@ class Handler extends ExceptionHandler
         JsonException::class,
         SCIMException::class, // these generally don't need to be reported
         InvalidFormatException::class,
+        PublicPropertyNotFoundException::class,
+        ComponentNotFoundException::class,
     ];
 
     /**
@@ -71,6 +75,17 @@ class Handler extends ExceptionHandler
     public function render($request, Throwable $e)
     {
 
+        // Livewire tried to set a property that doesn't exist (e.g. stale browser state sending a bare "0" as a property name)
+        if ($e instanceof PublicPropertyNotFoundException) {
+            return response()->json(['message' => $e->getMessage()], 422);
+        }
+
+        // A request named a Livewire component that doesn't exist in this app (e.g. bots probing
+        // for Filament endpoints). Return 404 so it doesn't surface as a 500.
+        if ($e instanceof ComponentNotFoundException) {
+            return response()->json(['message' => 'Component not found.'], 404);
+        }
+
         // CSRF token mismatch error
         if ($e instanceof TokenMismatchException) {
             return redirect()->back()->with('error', trans('general.token_expired'));

app/Helpers/Helper.php

@@ -14,6 +14,7 @@ use App\Models\License;
 use App\Models\Location;
 use App\Models\Setting;
 use App\Models\Statuslabel;
+use App\Models\User;
 use Carbon\Carbon;
 use Illuminate\Contracts\Encryption\DecryptException;
 use Illuminate\Http\RedirectResponse;
@@ -663,7 +664,7 @@ class Helper
      */
     public static function depreciationList()
     {
-        $depreciation_list = ['' => 'Do Not Depreciate'] + Depreciation::orderBy('name', 'asc')
+        $depreciation_list = ['' => trans('admin/licenses/form.no_depreciation')] + Depreciation::orderBy('name', 'asc')
             ->pluck('name', 'id')->toArray();
 
         return $depreciation_list;
@@ -1268,6 +1269,7 @@ class Helper
         $allowedExtensionMap = [
             // Images
             'jpg' => 'far fa-image',
+            'jfif' => 'far fa-image',
             'jpeg' => 'far fa-image',
             'gif' => 'far fa-image',
             'png' => 'far fa-image',
@@ -1596,7 +1598,17 @@ class Helper
         $checkout_to_type = session('checkout_to_type') ?? null;
         $checkedInFrom = session('checkedInFrom');
         $other_redirect = session('other_redirect');
-        $backUrl = session()->pull('url.intended', 'home');
+        $backUrl = str_replace(["\r", "\n"], '', session()->pull('url.intended', 'home'));
+
+        // Reject any stored back-URL that points off-site. redirect()->intended() performs
+        // no host validation, and url.intended can be written from the SAML RelayState POST
+        // parameter (SamlController), which an attacker-controlled IdP could set to an
+        // off-site URL.
+        $backHost = parse_url($backUrl, PHP_URL_HOST);
+        $appHost = parse_url(config('app.url'), PHP_URL_HOST);
+        if ($backHost && $backHost !== $appHost) {
+            $backUrl = route('home');
+        }
 
         // return to previous page
         if ($redirect_option == 'back') {
@@ -1689,6 +1701,8 @@ class Helper
             return [];
         }
 
+        $floater = (bool) Setting::getSettings()->null_company_is_floater;
+
         foreach ($locations as $location) {
             // in case of an update of a single location, use the newly requested company_id
             if ($new_company_id) {
@@ -1723,26 +1737,51 @@ class Helper
                 foreach ($keywords as $keyword) {
                     if ($relation == 'many') {
                         $items = $location->{$keyword}->all();
+                        // assignedAccessories returns AccessoryCheckout records (no company_id);
+                        // resolve each to its parent Accessory so the comparison is valid.
+                        if ($keyword === 'assignedAccessories') {
+                            $items = collect($items)->map(fn ($checkout) => $checkout->accessory)->filter()->values()->all();
+                        }
                     } else {
                         $items = collect([])->push($location->$keyword);
                     }
 
                     $count = 0;
                     foreach ($items as $item) {
+                        if (! $item) {
+                            continue;
+                        }
 
-                        if ($item && $item->company_id != $location_company) {
+                        // Users belong to companies via the many-to-many pivot (company_user).
+                        // canReceiveFromCompany() returns true only when the user's pivot
+                        // contains the location's company, so !canReceiveFromCompany() is
+                        // the correct mismatch signal.
+                        if ($item instanceof User) {
+                            $isMismatch = ! $item->canReceiveFromCompany((int) $location_company);
+                        } elseif ($item->company_id == $location_company) {
+                            $isMismatch = false;
+                        } elseif (is_null($item->company_id) || is_null($location_company)) {
+                            $isMismatch = ! $floater;
+                        } else {
+                            $isMismatch = true;
+                        }
+
+                        if ($isMismatch) {
+                            if ($item instanceof User) {
+                                $itemCompanyIds = $item->companies->pluck('id')->implode(', ');
+                                $itemCompanyNames = $item->companies->pluck('name')->implode(', ');
+                            } else {
+                                $itemCompanyIds = $item->company_id ?? null;
+                                $itemCompanyNames = $item->company->name ?? null;
+                            }
 
                             $mismatched[] = [
                                 class_basename(get_class($item)),
                                 $item->id,
                                 $item->name ?? $item->asset_tag ?? $item->serial ?? $item->username,
                                 $item->assigned_type ? str_replace('App\\Models\\', '', $item->assigned_type) : null,
-                                $item->company_id ?? null,
-                                $item->company->name ?? null,
-                                //                                    $item->defaultLoc->id ?? null,
-                                //                                    $item->defaultLoc->name ?? null,
-                                //                                    $item->defaultLoc->company->id ?? null,
-                                //                                    $item->defaultLoc->company->name ?? null,
+                                $itemCompanyIds,
+                                $itemCompanyNames,
                                 $item->location->name ?? null,
                                 $item->location->company->name ?? null,
                                 $location_company ?? null,
@@ -1856,4 +1895,43 @@ class Helper
         return 'App\\Models\\'.ucwords($model);
 
     }
+
+    /**
+     * Render a markdown-textarea value as HTML.
+     *
+     * Soft line breaks (single newlines) are rendered as <br> so that line
+     * breaks typed in the textarea are preserved in the output.
+     *
+     * When $inline is true, block-level elements are suppressed and hard
+     * breaks are pre-processed manually — used for the encrypted reveal span
+     * where block HTML cannot be placed inside a font-size-toggled <span>.
+     */
+    public static function renderMarkdown(?string $text, bool $inline = false): string
+    {
+        if (empty($text)) {
+            return '';
+        }
+
+        if ($inline) {
+            // Convert newlines to CommonMark hard breaks for inline rendering
+            $text = preg_replace('/(?<! {2})\n/', "  \n", $text);
+
+            return Str::inlineMarkdown($text, ['html_input' => 'escape', 'allow_unsafe_links' => false]);
+        }
+
+        $html = trim(Str::markdown($text, [
+            'html_input' => 'escape',
+            'allow_unsafe_links' => false,
+            'renderer' => ['soft_break' => "<br>\n"],
+        ]));
+
+        // If the entire output is a single <p> block, unwrap it so the content
+        // renders inline-ish without the <p> adding unwanted top spacing in the
+        // compact detail-view layout.
+        if (str_starts_with($html, '<p>') && str_ends_with($html, '</p>') && substr_count($html, '<p>') === 1) {
+            return substr($html, 3, -4);
+        }
+
+        return $html;
+    }
 }

app/Helpers/IconHelper.php

@@ -78,6 +78,7 @@ class IconHelper
             case 'angle-right':
                 return 'fas fa-angle-right';
             case 'warning':
+            case 'alert':
                 return 'fas fa-exclamation-triangle';
             case 'kits':
                 return 'fas fa-object-group';
@@ -126,6 +127,7 @@ class IconHelper
             case 'dashboard':
                 return 'fas fa-tachometer-alt';
             case 'info-circle':
+            case 'info':
                 return 'fas fa-info-circle';
             case 'caret-right':
                 return 'fa fa-caret-right';
@@ -156,6 +158,7 @@ class IconHelper
             case 'remote':
                 return 'fa-solid fa-house-laptop';
             case 'more-info':
+            case 'help':
             case 'support':
                 return 'far fa-life-ring';
             case 'plus':

app/Http/Controllers/Accessories/AccessoryCheckoutController.php

@@ -4,9 +4,9 @@ namespace App\Http\Controllers\Accessories;
 
 use App\Events\CheckoutableCheckedOut;
 use App\Helpers\Helper;
-use App\Http\Controllers\CheckInOutRequest;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\AccessoryCheckoutRequest;
+use App\Http\Traits\CheckInOutTrait;
 use App\Models\Accessory;
 use App\Models\AccessoryCheckout;
 use App\Models\CheckoutAcceptance;
@@ -18,7 +18,7 @@ use Illuminate\Http\Request;
 
 class AccessoryCheckoutController extends Controller
 {
-    use CheckInOutRequest;
+    use CheckInOutTrait;
 
     /**
      * Return the form to checkout an Accessory to a user.
@@ -66,6 +66,20 @@ class AccessoryCheckoutController extends Controller
         $target = $this->determineCheckoutTarget();
         session()->put(['checkout_to_type' => $target]);
 
+        if (! $accessory->canCheckoutTo($target)) {
+            $targetType = match (class_basename($target)) {
+                'User' => trans('general.user'),
+                'Location' => trans('general.location'),
+                default => trans('general.asset'),
+            };
+
+            return redirect()->back()->with('error', trans('general.error_checkout_company_mismatch', [
+                'item' => trans('general.accessory').' "'.$accessory->name.'"',
+                'item_company' => $accessory->company?->name ?? trans('general.unassigned'),
+                'target' => $targetType.' "'.($target->name ?? $target->username ?? $target->id).'"',
+            ]));
+        }
+
         $accessory->checkout_qty = $request->input('checkout_qty', 1);
 
         for ($i = 0; $i < $accessory->checkout_qty; $i++) {

app/Http/Controllers/Account/AcceptanceController.php

@@ -149,6 +149,9 @@ class AcceptanceController extends Controller
 
         $item = $acceptance->checkoutable_type::find($acceptance->checkoutable_id);
 
+        $username_slug = Str::slug($assignedUser->username);
+        $asset_tag_slug = ($item instanceof Asset && $item->asset_tag) ? '-'.Str::slug($item->asset_tag) : '';
+
         // If signatures are required, make sure we have one
         if ($requiresSignature) {
 
@@ -208,9 +211,33 @@ class AcceptanceController extends Controller
             'qty' => $acceptance->qty ?? 1,
         ];
 
+        // Include asset custom fields that are explicitly allowed in outbound emails/PDFs.
+        if ($item instanceof Asset && $item->model && $item->model->fieldset) {
+            $customFields = [];
+            $fields = $item->model->fieldset->fields
+                ->where('show_in_email', true)
+                ->where('field_encrypted', false);
+
+            foreach ($fields as $field) {
+                $dbColumn = $field->db_column;
+                $value = $item->{$dbColumn};
+
+                if (! is_null($value) && $value !== '') {
+                    $customFields[] = [
+                        'label' => $field->name,
+                        'value' => $value,
+                    ];
+                }
+            }
+
+            if (! empty($customFields)) {
+                $data['custom_fields'] = $customFields;
+            }
+        }
+
         if ($request->input('asset_acceptance') === 'accepted') {
 
-            $pdf_filename = 'accepted-'.$acceptance->checkoutable_id.'-'.$acceptance->display_checkoutable_type.'-eula-'.date('Y-m-d-h-i-s').'.pdf';
+            $pdf_filename = 'accepted-'.$username_slug.$asset_tag_slug.'-'.date('Y-m-d-h-i-s').'.pdf';
 
             // Generate the PDF content
             $pdf_content = $acceptance->generateAcceptancePdf($data, $acceptance);

app/Http/Controllers/ActionlogController.php

@@ -4,7 +4,6 @@ namespace App\Http\Controllers;
 
 use App\Helpers\Helper;
 use App\Models\Actionlog;
-use App\Models\Asset;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Response;
 use Illuminate\Support\Facades\Log;
@@ -17,6 +16,9 @@ class ActionlogController extends Controller
     {
         $filename = basename((string) $filename);
 
+        $actionlog = Actionlog::where('accept_signature', $filename)->with('item')->firstOrFail();
+        $this->authorize('view', $actionlog->item);
+
         // PHP doesn't let you handle file not found errors well with
         // file_get_contents, so we set the error reporting for just this class
         error_reporting(0);
@@ -29,7 +31,6 @@ class ActionlogController extends Controller
 
                 return redirect()->away(Storage::disk($disk)->temporaryUrl($file, now()->addMinutes(5)));
             default:
-                $this->authorize('view', Asset::class);
                 $file = config('app.private_uploads').'/signatures/'.$filename;
                 $filetype = Helper::checkUploadIsImage($file);
 

app/Http/Controllers/Api/AccessoriesController.php

@@ -4,25 +4,28 @@ namespace App\Http\Controllers\Api;
 
 use App\Events\CheckoutableCheckedOut;
 use App\Helpers\Helper;
-use App\Http\Controllers\CheckInOutRequest;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\AccessoryCheckoutRequest;
 use App\Http\Requests\ImageUploadRequest;
 use App\Http\Requests\StoreAccessoryRequest;
+use App\Http\Traits\CheckInOutTrait;
 use App\Http\Transformers\AccessoriesTransformer;
 use App\Http\Transformers\ActionlogsTransformer;
 use App\Http\Transformers\SelectlistTransformer;
 use App\Models\Accessory;
 use App\Models\AccessoryCheckout;
+use App\Models\Company;
+use App\Models\Setting;
 use App\Models\User;
 use Carbon\Carbon;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
+use Illuminate\Support\Facades\DB;
 
 class AccessoriesController extends Controller
 {
-    use CheckInOutRequest;
+    use CheckInOutTrait;
 
     /**
      * Display a listing of the resource.
@@ -84,27 +87,27 @@ class AccessoriesController extends Controller
         }
 
         if ($request->filled('category_id')) {
-            $accessories->where('category_id', '=', $request->input('category_id'));
+            $accessories->where('accessories.category_id', '=', $request->input('category_id'));
         }
 
         if ($request->filled('manufacturer_id')) {
-            $accessories->where('manufacturer_id', '=', $request->input('manufacturer_id'));
+            $accessories->where('accessories.manufacturer_id', '=', $request->input('manufacturer_id'));
         }
 
         if ($request->filled('supplier_id')) {
-            $accessories->where('supplier_id', '=', $request->input('supplier_id'));
+            $accessories->where('accessories.supplier_id', '=', $request->input('supplier_id'));
         }
 
         if ($request->filled('location_id')) {
-            $accessories->where('location_id', '=', $request->input('location_id'));
+            $accessories->where('accessories.location_id', '=', $request->input('location_id'));
         }
 
         if ($request->filled('notes')) {
-            $accessories->where('notes', '=', $request->input('notes'));
+            $accessories->where('accessories.notes', '=', $request->input('notes'));
         }
 
         // Make sure the offset and limit are actually integers and do not exceed system limits
-        $offset = ($request->input('offset') > $accessories->count()) ? $accessories->count() : abs($request->input('offset'));
+        $offset = ($request->input('offset') > $accessories->count()) ? $accessories->count() : app('api_offset_value');
         $limit = app('api_limit_value');
 
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
@@ -155,6 +158,7 @@ class AccessoriesController extends Controller
     {
         $accessory = new Accessory;
         $accessory->fill($request->all());
+        $accessory->company_id = Company::getIdForCurrentUser($request->input('company_id'));
         $accessory = $request->handleImages($accessory);
 
         if ($accessory->save()) {
@@ -230,6 +234,10 @@ class AccessoriesController extends Controller
         $total = $accessory_checkouts->count();
         $accessory_checkouts = $accessory_checkouts->skip($offset)->take($limit)->get();
 
+        $accessory_checkouts->loadMorph('assignedTo', [
+            User::class => ['companies'],
+        ]);
+
         return (new AccessoriesTransformer)->transformCheckedoutAccessory($accessory_checkouts, $total);
     }
 
@@ -248,6 +256,7 @@ class AccessoriesController extends Controller
         $this->authorize('update', Accessory::class);
         $accessory = Accessory::findOrFail($id);
         $accessory->fill($request->all());
+        $accessory->company_id = Company::getIdForCurrentUser($request->input('company_id'));
         $accessory = $request->handleImages($accessory);
 
         if ($accessory->save()) {
@@ -297,40 +306,49 @@ class AccessoriesController extends Controller
     {
         $this->authorize('checkout', $accessory);
         $target = $this->determineCheckoutTarget();
-        $accessory->checkout_qty = $request->input('checkout_qty', 1);
 
-        for ($i = 0; $i < $accessory->checkout_qty; $i++) {
-
-            $accessory_checkout = new AccessoryCheckout([
-                'accessory_id' => $accessory->id,
-                'created_at' => Carbon::now(),
-                'assigned_to' => $target->id,
-                'assigned_type' => $target::class,
-                'note' => $request->input('note'),
-            ]);
-
-            $accessory_checkout->created_by = auth()->id();
-            $accessory_checkout->save();
-
-            $payload = [
-                'accessory_id' => $accessory->id,
-                'assigned_to' => $target->id,
-                'assigned_type' => $target::class,
-                'note' => $request->input('note'),
-                'created_by' => auth()->id(),
-                'pivot' => $accessory_checkout->id,
-            ];
+        if ((Setting::getSettings()->full_multiple_companies_support == '1') && (! $target->companies()->where('companies.id', $accessory->company_id)->exists())) {
+            return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.error_user_company')));
         }
 
-        // Set this value to be able to pass the qty through to the event
-        event(new CheckoutableCheckedOut(
-            $accessory,
-            $target,
-            auth()->user(),
-            $request->input('note'),
-            [],
-            $accessory->checkout_qty,
-        ));
+        $accessory->checkout_qty = $request->input('checkout_qty', 1);
+        $payload = null;
+
+        // Keep checkout rows and checkout log/event atomic to avoid ghost assignments.
+        DB::transaction(function () use ($accessory, $request, $target, &$payload): void {
+            for ($i = 0; $i < $accessory->checkout_qty; $i++) {
+
+                $accessory_checkout = new AccessoryCheckout([
+                    'accessory_id' => $accessory->id,
+                    'created_at' => Carbon::now(),
+                    'assigned_to' => $target->id,
+                    'assigned_type' => $target::class,
+                    'note' => $request->input('note'),
+                ]);
+
+                $accessory_checkout->created_by = auth()->id();
+                $accessory_checkout->save();
+
+                $payload = [
+                    'accessory_id' => $accessory->id,
+                    'assigned_to' => $target->id,
+                    'assigned_type' => $target::class,
+                    'note' => $request->input('note'),
+                    'created_by' => auth()->id(),
+                    'pivot' => $accessory_checkout->id,
+                ];
+            }
+
+            // Set this value to be able to pass the qty through to the event.
+            event(new CheckoutableCheckedOut(
+                $accessory,
+                $target,
+                auth()->user(),
+                $request->input('note'),
+                [],
+                $accessory->checkout_qty,
+            ));
+        });
 
         return response()->json(Helper::formatStandardApiResponse('success', $payload, trans('admin/accessories/message.checkout.success')));
 
@@ -387,6 +405,7 @@ class AccessoriesController extends Controller
      */
     public function selectlist(Request $request)
     {
+        $this->authorize('view.selectlists');
 
         $accessories = Accessory::select([
             'accessories.id',

app/Http/Controllers/Api/AssetModelsController.php

@@ -133,7 +133,8 @@ class AssetModelsController extends Controller
         }
 
         // Make sure the offset and limit are actually integers and do not exceed system limits
-        $offset = ($request->input('offset') > $assetmodels->count()) ? $assetmodels->count() : abs($request->input('offset'));
+        $total = $assetmodels->count();
+        $offset = ($request->input('offset') > $total) ? $total : app('api_offset_value');
         $limit = app('api_limit_value');
 
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
@@ -157,7 +158,6 @@ class AssetModelsController extends Controller
                 break;
         }
 
-        $total = $assetmodels->count();
         $assetmodels = $assetmodels->skip($offset)->take($limit)->get();
 
         return (new AssetModelsTransformer)->transformAssetModels($assetmodels, $total);

app/Http/Controllers/Api/AssetsController.php

@@ -371,6 +371,12 @@ class AssetsController extends Controller
             $assets->where('assets.order_number', '=', strval($request->input('order_number')));
         }
 
+        foreach ($all_custom_fields as $field) {
+            if ($request->filled($field->db_column_name())) {
+                $assets->where($field->db_column_name(), '=', $request->input($field->db_column_name()));
+            }
+        }
+
         // This is kinda gross, but we need to do this because the Bootstrap Tables
         // API passes custom field ordering as custom_fields.fieldname, and we have to strip
         // that out to let the default sorter below order them correctly on the assets table.
@@ -590,6 +596,7 @@ class AssetsController extends Controller
      */
     public function selectlist(Request $request): array
     {
+        $this->authorize('view.selectlists');
 
         $assets = Asset::select([
             'assets.id',
@@ -602,8 +609,20 @@ class AssetsController extends Controller
         ])->with('model', 'status', 'assignedTo')
             ->NotArchived();
 
-        if ((Setting::getSettings()->full_multiple_companies_support == '1') && ($request->filled('companyId'))) {
-            $assets->where('assets.company_id', $request->input('companyId'));
+        // When FMCS is enabled, automatically scope to companies the acting user belongs to.
+        // scopeCompanyables is a no-op for superusers and when FMCS is disabled.
+        $assets = Company::scopeCompanyables($assets);
+
+        // Allow further narrowing to a specific company passed via data-company-id on the select.
+        if ((Setting::getSettings()->full_multiple_companies_support == '1') && $request->filled('companyId')) {
+            $companyIds = array_values(array_filter(array_map('intval', explode(',', $request->input('companyId')))));
+            if (! empty($companyIds)) {
+                $assets->whereIn('assets.company_id', $companyIds);
+            }
+        }
+
+        if ($request->filled('excludeId')) {
+            $assets->where('assets.id', '!=', (int) $request->input('excludeId'));
         }
 
         if ($request->filled('statusType') && $request->input('statusType') === 'RTD') {
@@ -706,18 +725,35 @@ class AssetsController extends Controller
             }
         }
 
-        if ($asset->save()) {
-            if ($request->input('assigned_user')) {
-                $target = User::find(request('assigned_user'));
-            } elseif ($request->input('assigned_asset')) {
-                $target = Asset::find(request('assigned_asset'));
-            } elseif ($request->input('assigned_location')) {
-                $target = Location::find(request('assigned_location'));
+        $target = $this->resolveCheckoutTargetForAssetMutation($request);
+        $requestedCheckout = $request->filled('assigned_user') || $request->filled('assigned_asset') || $request->filled('assigned_location');
+
+        if ($requestedCheckout && (! $target)) {
+            return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/hardware/message.does_not_exist')));
+        }
+
+        if ($requestedCheckout) {
+            $companyMismatchResponse = $this->checkoutCompanyMismatchResponse($asset, $target);
+            if ($companyMismatchResponse) {
+                return $companyMismatchResponse;
             }
-            if (isset($target)) {
-                $asset->checkOut($target, auth()->user(), date('Y-m-d H:i:s'), '', 'Checked out on asset creation', e($request->input('name')));
+        }
+
+        $stored = DB::transaction(function () use ($asset, $request, $target, $requestedCheckout): bool {
+            if (! $asset->save()) {
+                return false;
             }
 
+            if ($requestedCheckout) {
+                // Keep create + optional checkout side effects atomic.
+                return $asset->checkOut($target, auth()->user(), date('Y-m-d H:i:s'), '', 'Checked out on asset creation', e($request->input('name')));
+            }
+
+            return true;
+        });
+
+        if ($stored) {
+
             if ($asset->image) {
                 $asset->image = $asset->getImageUrl();
             }
@@ -792,25 +828,54 @@ class AssetsController extends Controller
                 }
             }
         }
-        if ($asset->save()) {
-            if (($request->filled('assigned_user')) && ($target = User::find($request->input('assigned_user')))) {
-                $location = $target->location_id;
-            } elseif (($request->filled('assigned_asset')) && ($target = Asset::find($request->input('assigned_asset')))) {
-                $location = $target->location_id;
+        $target = $this->resolveCheckoutTargetForAssetMutation($request, $asset->id);
+        $requestedCheckout = $request->filled('assigned_user') || $request->filled('assigned_asset') || $request->filled('assigned_location');
 
-                Asset::where('assigned_type', Asset::class)->where('assigned_to', $asset->id)
-                    ->update(['location_id' => $target->location_id]);
-            } elseif (($request->filled('assigned_location')) && ($target = Location::find($request->input('assigned_location')))) {
-                $location = $target->id;
+        if ($requestedCheckout && (! $target)) {
+            return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/hardware/message.does_not_exist')));
+        }
+
+        if ($requestedCheckout) {
+            $companyMismatchResponse = $this->checkoutCompanyMismatchResponse($asset, $target);
+            if ($companyMismatchResponse) {
+                return $companyMismatchResponse;
+            }
+        }
+
+        $updated = DB::transaction(function () use ($asset, $request, $target, $requestedCheckout): bool {
+            if (! $asset->save()) {
+                return false;
             }
 
-            if (isset($target)) {
+            if ($requestedCheckout) {
                 // Using `->has` preserves the asset name if the name parameter was not included in request.
                 $asset_name = request()->has('name') ? request('name') : $asset->name;
 
-                $asset->checkOut($target, auth()->user(), date('Y-m-d H:i:s'), '', 'Checked out on asset update', $asset_name, $location);
+                $location = null;
+                if ($request->filled('assigned_user')) {
+                    $location = $target->location_id;
+                } elseif ($request->filled('assigned_asset')) {
+                    $location = $target->location_id;
+                } elseif ($request->filled('assigned_location')) {
+                    $location = $target->id;
+                }
+
+                // Keep update + optional checkout side effects atomic.
+                if (! $asset->checkOut($target, auth()->user(), date('Y-m-d H:i:s'), '', 'Checked out on asset update', $asset_name, $location)) {
+                    return false;
+                }
+
+                if ($request->filled('assigned_asset')) {
+                    Asset::where('assigned_type', Asset::class)->where('assigned_to', $asset->id)
+                        ->update(['location_id' => $target->location_id]);
+                }
             }
 
+            return true;
+        });
+
+        if ($updated) {
+
             if ($asset->image) {
                 $asset->image = $asset->getImageUrl();
             }
@@ -829,6 +894,32 @@ class AssetsController extends Controller
         return response()->json(Helper::formatStandardApiResponse('error', null, $asset->getErrors()), 200);
     }
 
+    private function resolveCheckoutTargetForAssetMutation(Request $request, ?int $assetId = null): User|Asset|Location|null
+    {
+        if ($request->filled('assigned_user')) {
+            return User::withoutGlobalScopes()->find($request->input('assigned_user'));
+        }
+
+        if ($request->filled('assigned_asset')) {
+            return Asset::withoutGlobalScopes()->where('id', '!=', $assetId)->find($request->input('assigned_asset'));
+        }
+
+        if ($request->filled('assigned_location')) {
+            return Location::withoutGlobalScopes()->find($request->input('assigned_location'));
+        }
+
+        return null;
+    }
+
+    private function checkoutCompanyMismatchResponse(Asset $asset, User|Asset|Location $target): ?JsonResponse
+    {
+        if (! $asset->canCheckoutTo($target)) {
+            return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.error_user_company')));
+        }
+
+        return null;
+    }
+
     /**
      * Delete a given asset (mark as deleted).
      *
@@ -905,6 +996,7 @@ class AssetsController extends Controller
      */
     public function checkoutByTag(AssetCheckoutRequest $request, $tag): JsonResponse
     {
+        // Use the same hardened checkout path as ID-based checkout.
         if ($asset = Asset::where('asset_tag', $tag)->first()) {
             return $this->checkout($request, $asset->id);
         }
@@ -940,19 +1032,22 @@ class AssetsController extends Controller
 
         // This item is checked out to a location
         if (request('checkout_to_type') == 'location') {
-            $target = Location::find(request('assigned_location'));
+            // Resolve unscoped target first so FMCS mismatch can be handled explicitly.
+            $target = Location::withoutGlobalScopes()->find(request('assigned_location'));
             $asset->location_id = ($target) ? $target->id : '';
             $error_payload['target_id'] = $request->input('assigned_location');
             $error_payload['target_type'] = 'location';
         } elseif (request('checkout_to_type') == 'asset') {
-            $target = Asset::where('id', '!=', $asset_id)->find(request('assigned_asset'));
+            // Resolve unscoped target first so FMCS mismatch can be handled explicitly.
+            $target = Asset::withoutGlobalScopes()->where('id', '!=', $asset_id)->find(request('assigned_asset'));
             // Override with the asset's location_id if it has one
             $asset->location_id = (($target) && (isset($target->location_id))) ? $target->location_id : '';
             $error_payload['target_id'] = $request->input('assigned_asset');
             $error_payload['target_type'] = 'asset';
         } elseif (request('checkout_to_type') == 'user') {
             // Fetch the target and set the asset's new location_id
-            $target = User::find(request('assigned_user'));
+            // Resolve unscoped target first so FMCS mismatch can be handled explicitly.
+            $target = User::withoutGlobalScopes()->find(request('assigned_user'));
             $asset->location_id = (($target) && (isset($target->location_id))) ? $target->location_id : '';
             $error_payload['target_id'] = $request->input('assigned_user');
             $error_payload['target_type'] = 'user';
@@ -971,6 +1066,11 @@ class AssetsController extends Controller
             return response()->json(Helper::formatStandardApiResponse('error', $error_payload, 'Checkout target for asset '.e($asset->asset_tag).' is invalid - '.$error_payload['target_type'].' does not exist.'));
         }
 
+        // In FMCS mode, enforce explicit same-company target checks before mutating checkout state.
+        if ($mismatch = $this->checkoutCompanyMismatchResponse($asset, $target)) {
+            return $mismatch;
+        }
+
         $checkout_at = request('checkout_at', date('Y-m-d H:i:s'));
         $expected_checkin = request('expected_checkin', null);
         $note = request('note', null);
@@ -985,7 +1085,12 @@ class AssetsController extends Controller
         //            $asset->location_id = $target->rtd_location_id;
         //        }
 
-        if ($asset->checkOut($target, auth()->user(), $checkout_at, $expected_checkin, $note, $asset_name, $asset->location_id)) {
+        // Keep checkout mutation + checkout logging/event side effects atomic.
+        $wasCheckedOut = DB::transaction(function () use ($asset, $target, $checkout_at, $expected_checkin, $note, $asset_name): bool {
+            return $asset->checkOut($target, auth()->user(), $checkout_at, $expected_checkin, $note, $asset_name, $asset->location_id);
+        });
+
+        if ($wasCheckedOut) {
             return response()->json(Helper::formatStandardApiResponse('success', ['asset' => e($asset->asset_tag)], trans('admin/hardware/message.checkout.success')));
         }
 
@@ -1021,7 +1126,9 @@ class AssetsController extends Controller
         $asset->assignedTo()->disassociate($asset);
         $asset->accepted = null;
 
-        if ($request->has('name')) {
+        if ($request->input('clear_name') == '1') {
+            $asset->name = null;
+        } elseif ($request->has('name')) {
             $asset->name = $request->input('name');
         }
 
@@ -1067,6 +1174,12 @@ class AssetsController extends Controller
             });
 
         if ($asset->save()) {
+
+            // Update the location of any child assets
+            Asset::where('assigned_type', Asset::class)
+                ->where('assigned_to', $asset->id)
+                ->update(['location_id' => $asset->location_id]);
+
             event(new CheckoutableCheckedIn($asset, $target, auth()->user(), $request->input('note'), $checkin_at, $originalValues));
 
             return response()->json(Helper::formatStandardApiResponse('success', [
@@ -1158,6 +1271,10 @@ class AssetsController extends Controller
 
             $asset->last_audit_date = date('Y-m-d H:i:s');
 
+            if ($request->input('clear_name') == '1') {
+                $asset->name = null;
+            }
+
             // Set up the payload for re-display in the API response
             $payload = [
                 'id' => $asset->id,
@@ -1444,7 +1561,7 @@ class AssetsController extends Controller
                 $label = new Label;
 
                 if (! $label) {
-                    throw new \Exception('Label object could not be created');
+                    throw new \Exception(trans('admin/labels/message.label_not_created'));
                 }
 
                 // Configure label with assets and settings
@@ -1465,7 +1582,7 @@ class AssetsController extends Controller
 
                 // Verify PDF was generated successfully
                 if (empty($pdf_content)) {
-                    throw new \Exception('PDF content is empty');
+                    throw new \Exception(trans('admin/labels/message.use_new_label_engine_for_api'));
                 }
 
                 $encoded_content = base64_encode($pdf_content);

app/Http/Controllers/Api/CompaniesController.php

@@ -9,6 +9,7 @@ use App\Http\Requests\ImageUploadRequest;
 use App\Http\Transformers\CompaniesTransformer;
 use App\Http\Transformers\SelectlistTransformer;
 use App\Models\Company;
+use App\Models\Setting;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Storage;
@@ -206,6 +207,16 @@ class CompaniesController extends Controller
             'companies.tag_color',
         ]);
 
+        // When FMCS is enabled and the user is not a superuser, restrict the list to
+        // companies they belong to (primary company_id + pivot companies). This lets
+        // non-superusers select a company from their own set when creating assets, etc.
+        if (Setting::getSettings()->full_multiple_companies_support == '1' && ! auth()->user()->isSuperUser()) {
+            $userCompanyIds = auth()->user()->allCompanies()->pluck('id');
+            if ($userCompanyIds->isNotEmpty()) {
+                $companies->whereIn('companies.id', $userCompanyIds);
+            }
+        }
+
         if ($request->filled('search')) {
             $companies = $companies->where('companies.name', 'LIKE', '%'.$request->input('search').'%');
         }

app/Http/Controllers/Api/ComponentsController.php

@@ -9,8 +9,9 @@ use App\Http\Requests\ImageUploadRequest;
 use App\Http\Transformers\ActionlogsTransformer;
 use App\Http\Transformers\ComponentsTransformer;
 use App\Models\Asset;
+use App\Models\Company;
 use App\Models\Component;
-use App\Models\ComponentAssignment;
+use App\Models\Setting;
 use Carbon\Carbon;
 use Illuminate\Database\Query\Builder;
 use Illuminate\Http\JsonResponse;
@@ -80,7 +81,7 @@ class ComponentsController extends Controller
         }
 
         if ($request->filled('name')) {
-            $components->where('name', '=', $request->input('name'));
+            $components->where('components.name', '=', $request->input('name'));
         }
 
         if ($request->filled('company_id')) {
@@ -92,27 +93,27 @@ class ComponentsController extends Controller
         }
 
         if ($request->filled('category_id')) {
-            $components->where('category_id', '=', $request->input('category_id'));
+            $components->where('components.category_id', '=', $request->input('category_id'));
         }
 
         if ($request->filled('supplier_id')) {
-            $components->where('supplier_id', '=', $request->input('supplier_id'));
+            $components->where('components.supplier_id', '=', $request->input('supplier_id'));
         }
 
         if ($request->filled('manufacturer_id')) {
-            $components->where('manufacturer_id', '=', $request->input('manufacturer_id'));
+            $components->where('components.manufacturer_id', '=', $request->input('manufacturer_id'));
         }
 
         if ($request->filled('model_number')) {
-            $components->where('model_number', '=', $request->input('model_number'));
+            $components->where('components.model_number', '=', $request->input('model_number'));
         }
 
         if ($request->filled('location_id')) {
-            $components->where('location_id', '=', $request->input('location_id'));
+            $components->where('components.location_id', '=', $request->input('location_id'));
         }
 
         if ($request->filled('notes')) {
-            $components->where('notes', '=', $request->input('notes'));
+            $components->where('components.notes', '=', $request->input('notes'));
         }
 
         // Make sure the offset and limit are actually integers and do not exceed system limits
@@ -166,6 +167,7 @@ class ComponentsController extends Controller
         $this->authorize('create', Component::class);
         $component = new Component;
         $component->fill($request->all());
+        $component->company_id = Company::getIdForCurrentUser($request->input('company_id'));
         $component = $request->handleImages($component);
 
         if ($component->save()) {
@@ -206,6 +208,7 @@ class ComponentsController extends Controller
         $this->authorize('update', Component::class);
         $component = Component::findOrFail($id);
         $component->fill($request->all());
+        $component->company_id = Company::getIdForCurrentUser($request->input('company_id'));
         $component = $request->handleImages($component);
 
         if ($component->save()) {
@@ -252,13 +255,11 @@ class ComponentsController extends Controller
     {
         $this->authorize('view', Asset::class);
 
-        $component_checkouts = ComponentAssignment::where('component_id', $component->id)->with('adminuser')->with('assets');
-
         $offset = request('offset', 0);
         $limit = $request->input('limit', 50);
 
         if ($request->filled('search')) {
-            $assets = $component_checkouts->assets()
+            $assets = $component->assets()
                 ->where(function ($query) use ($request) {
                     $search_str = '%'.$request->input('search').'%';
                     $query->where('name', 'like', $search_str)
@@ -314,20 +315,33 @@ class ComponentsController extends Controller
         }
 
         if ($component->numRemaining() >= $request->input('assigned_qty')) {
+            // Resolve the raw target first, then enforce FMCS explicitly.
+            // Scoped lookup can hide cross-company records and lead to partial writes.
+            $asset = Asset::withoutGlobalScopes()->find($request->input('assigned_to'));
 
-            $asset = Asset::find($request->input('assigned_to'));
-            $component->assigned_to = $request->input('assigned_to');
+            if (! $asset) {
+                return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/hardware/message.does_not_exist')));
+            }
 
-            $component->assets()->attach($component->id, [
-                'component_id' => $component->id,
-                'created_at' => Carbon::now(),
-                'assigned_qty' => $request->input('assigned_qty', 1),
-                'created_by' => auth()->id(),
-                'asset_id' => $request->input('assigned_to'),
-                'note' => $request->input('note'),
-            ]);
+            if ((Setting::getSettings()->full_multiple_companies_support == '1') && ($component->company_id !== $asset->company_id)) {
+                return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.error_user_company')));
+            }
 
-            $component->logCheckout($request->input('note'), $asset, null, [], $request->get('assigned_qty', 1));
+            // Keep pivot + action log in one transaction so checkout is all-or-nothing.
+            DB::transaction(function () use ($component, $request, $asset): void {
+                $component->assigned_to = $request->input('assigned_to');
+
+                $component->assets()->attach($component->id, [
+                    'component_id' => $component->id,
+                    'created_at' => Carbon::now(),
+                    'assigned_qty' => $request->input('assigned_qty', 1),
+                    'created_by' => auth()->id(),
+                    'asset_id' => $request->input('assigned_to'),
+                    'note' => $request->input('note'),
+                ]);
+
+                $component->logCheckout($request->input('note'), $asset, null, [], $request->get('assigned_qty', 1));
+            });
 
             return response()->json(Helper::formatStandardApiResponse('success', null, trans('admin/components/message.checkout.success')));
         }

app/Http/Controllers/Api/ConsumablesController.php

@@ -13,9 +13,11 @@ use App\Http\Transformers\ConsumablesTransformer;
 use App\Http\Transformers\SelectlistTransformer;
 use App\Models\Company;
 use App\Models\Consumable;
+use App\Models\Setting;
 use App\Models\User;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
 
 class ConsumablesController extends Controller
 {
@@ -67,7 +69,7 @@ class ConsumablesController extends Controller
         }
 
         if ($request->filled('name')) {
-            $consumables->where('name', '=', $request->input('name'));
+            $consumables->where('consumables.name', '=', $request->input('name'));
         }
 
         if ($request->filled('company_id')) {
@@ -79,27 +81,27 @@ class ConsumablesController extends Controller
         }
 
         if ($request->filled('category_id')) {
-            $consumables->where('category_id', '=', $request->input('category_id'));
+            $consumables->where('consumables.category_id', '=', $request->input('category_id'));
         }
 
         if ($request->filled('model_number')) {
-            $consumables->where('model_number', '=', $request->input('model_number'));
+            $consumables->where('consumables.model_number', '=', $request->input('model_number'));
         }
 
         if ($request->filled('manufacturer_id')) {
-            $consumables->where('manufacturer_id', '=', $request->input('manufacturer_id'));
+            $consumables->where('consumables.manufacturer_id', '=', $request->input('manufacturer_id'));
         }
 
         if ($request->filled('supplier_id')) {
-            $consumables->where('supplier_id', '=', $request->input('supplier_id'));
+            $consumables->where('consumables.supplier_id', '=', $request->input('supplier_id'));
         }
 
         if ($request->filled('location_id')) {
-            $consumables->where('location_id', '=', $request->input('location_id'));
+            $consumables->where('consumables.location_id', '=', $request->input('location_id'));
         }
 
         if ($request->filled('notes')) {
-            $consumables->where('notes', '=', $request->input('notes'));
+            $consumables->where('consumables.notes', '=', $request->input('notes'));
         }
 
         // Make sure the offset and limit are actually integers and do not exceed system limits
@@ -155,6 +157,7 @@ class ConsumablesController extends Controller
         $this->authorize('create', Consumable::class);
         $consumable = new Consumable;
         $consumable->fill($request->all());
+        $consumable->company_id = Company::getIdForCurrentUser($request->input('company_id'));
         $consumable = $request->handleImages($consumable);
 
         if ($consumable->save()) {
@@ -194,6 +197,7 @@ class ConsumablesController extends Controller
         $this->authorize('update', Consumable::class);
         $consumable = Consumable::findOrFail($id);
         $consumable->fill($request->all());
+        $consumable->company_id = Company::getIdForCurrentUser($request->input('company_id'));
         $consumable = $request->handleImages($consumable);
 
         if ($consumable->save()) {
@@ -304,34 +308,42 @@ class ConsumablesController extends Controller
             return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/consumables/message.checkout.unavailable', ['requested' => $consumable->checkout_qty, 'remaining' => $consumable->numRemaining()])));
         }
 
-        // Check if the user exists - @TODO:  this should probably be handled via validation, not here??
-        if (! $user = User::find($request->input('assigned_to'))) {
+        // Resolve the raw target first, then enforce FMCS explicitly.
+        // Scoped lookup can hide cross-company users and make failures ambiguous.
+        if (! $user = User::withoutGlobalScopes()->find($request->input('assigned_to'))) {
             // Return error message
             return response()->json(Helper::formatStandardApiResponse('error', null, 'No user found'));
         }
 
+        if ((Setting::getSettings()->full_multiple_companies_support == '1') && (! $user->companies()->where('companies.id', $consumable->company_id)->exists())) {
+            return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.error_user_company')));
+        }
+
         // Update the consumable data
         $consumable->assigned_to = $request->input('assigned_to');
 
-        for ($i = 0; $i < $consumable->checkout_qty; $i++) {
-            $consumable->users()->attach($consumable->id,
-                [
-                    'consumable_id' => $consumable->id,
-                    'created_by' => $user->id,
-                    'assigned_to' => $request->input('assigned_to'),
-                    'note' => $request->input('note'),
-                ]
-            );
-        }
+        // Keep pivot writes and checkout log/event atomic to avoid partial checkout state.
+        DB::transaction(function () use ($consumable, $request, $user): void {
+            for ($i = 0; $i < $consumable->checkout_qty; $i++) {
+                $consumable->users()->attach($consumable->id,
+                    [
+                        'consumable_id' => $consumable->id,
+                        'created_by' => $user->id,
+                        'assigned_to' => $request->input('assigned_to'),
+                        'note' => $request->input('note'),
+                    ]
+                );
+            }
 
-        event(new CheckoutableCheckedOut(
-            $consumable,
-            $user,
-            auth()->user(),
-            $request->input('note'),
-            [],
-            $consumable->checkout_qty,
-        ));
+            event(new CheckoutableCheckedOut(
+                $consumable,
+                $user,
+                auth()->user(),
+                $request->input('note'),
+                [],
+                $consumable->checkout_qty,
+            ));
+        });
 
         return response()->json(Helper::formatStandardApiResponse('success', null, trans('admin/consumables/message.checkout.success')));
 
@@ -344,6 +356,8 @@ class ConsumablesController extends Controller
      */
     public function selectlist(Request $request): array
     {
+        $this->authorize('view.selectlists');
+
         $consumables = Consumable::select([
             'consumables.id',
             'consumables.name',

app/Http/Controllers/Api/DepartmentsController.php

@@ -9,6 +9,7 @@ use App\Http\Requests\ImageUploadRequest;
 use App\Http\Requests\StoreDepartmentRequest;
 use App\Http\Transformers\DepartmentsTransformer;
 use App\Http\Transformers\SelectlistTransformer;
+use App\Models\Company;
 use App\Models\Department;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
@@ -50,23 +51,23 @@ class DepartmentsController extends Controller
         }
 
         if ($request->filled('name')) {
-            $departments->where('name', '=', $request->input('name'));
+            $departments->where('departments.name', '=', $request->input('name'));
         }
 
         if ($request->filled('company_id')) {
-            $departments->where('company_id', '=', $request->input('company_id'));
+            $departments->where('departments.company_id', '=', $request->input('company_id'));
         }
 
         if ($request->filled('manager_id')) {
-            $departments->where('manager_id', '=', $request->input('manager_id'));
+            $departments->where('departments.manager_id', '=', $request->input('manager_id'));
         }
 
         if ($request->filled('location_id')) {
-            $departments->where('location_id', '=', $request->input('location_id'));
+            $departments->where('departments.location_id', '=', $request->input('location_id'));
         }
 
         if ($request->filled('tag_color')) {
-            $departments->where('tag_color', '=', $request->input('departments.tag_color'));
+            $departments->where('departments.tag_color', '=', $request->input('tag_color'));
         }
 
         // Make sure the offset and limit are actually integers and do not exceed system limits
@@ -111,6 +112,7 @@ class DepartmentsController extends Controller
     {
         $department = new Department;
         $department->fill($request->validated());
+        $department->company_id = Company::getIdForCurrentUser($request->input('company_id'));
         $department = $request->handleImages($department);
 
         $department->created_by = auth()->id();
@@ -155,6 +157,7 @@ class DepartmentsController extends Controller
         $this->authorize('update', Department::class);
         $department = Department::findOrFail($id);
         $department->fill($request->all());
+        $department->company_id = Company::getIdForCurrentUser($request->input('company_id'));
         $department = $request->handleImages($department);
 
         if ($department->save()) {

app/Http/Controllers/Api/LicenseSeatsController.php

@@ -8,9 +8,11 @@ use App\Http\Transformers\LicenseSeatsTransformer;
 use App\Models\Asset;
 use App\Models\License;
 use App\Models\LicenseSeat;
+use App\Models\Setting;
 use App\Models\User;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
 
 class LicenseSeatsController extends Controller
 {
@@ -25,7 +27,7 @@ class LicenseSeatsController extends Controller
         if ($license = License::find($licenseId)) {
             $this->authorize('view', $license);
 
-            $seats = LicenseSeat::with('license', 'user', 'asset', 'user.department', 'user.company', 'asset.company')
+            $seats = LicenseSeat::with('license', 'user', 'asset', 'user.department', 'user.companies', 'asset.company')
                 ->where('license_seats.license_id', $licenseId);
 
             if ($request->input('status') == 'available') {
@@ -106,7 +108,8 @@ class LicenseSeatsController extends Controller
                 'prohibits:asset_id',
                 // must be a valid user or null to unassign
                 function ($attribute, $value, $fail) {
-                    if (! is_null($value) && ! User::where('id', $value)->whereNull('deleted_at')->exists()) {
+                    // Validate existence without company scopes; FMCS checks happen explicitly below.
+                    if (! is_null($value) && ! User::withoutGlobalScopes()->where('id', $value)->whereNull('deleted_at')->exists()) {
                         $fail('The selected assigned_to is invalid.');
                     }
                 },
@@ -118,7 +121,8 @@ class LicenseSeatsController extends Controller
                 'prohibits:assigned_to',
                 // must be a valid asset or null to unassign
                 function ($attribute, $value, $fail) {
-                    if (! is_null($value) && ! Asset::where('id', $value)->whereNull('deleted_at')->exists()) {
+                    // Validate existence without company scopes; FMCS checks happen explicitly below.
+                    if (! is_null($value) && ! Asset::withoutGlobalScopes()->where('id', $value)->whereNull('deleted_at')->exists()) {
                         $fail('The selected asset_id is invalid.');
                     }
                 },
@@ -128,77 +132,141 @@ class LicenseSeatsController extends Controller
 
         $this->authorize('checkout', License::class);
 
-        $licenseSeat = LicenseSeat::with(['license', 'asset', 'user'])->find($seatId);
+        $errorResponse = null;
+        $updatedSeat = null;
 
-        if (! $licenseSeat) {
-            return response()->json(Helper::formatStandardApiResponse('error', null, 'Seat not found'));
-        }
+        // Fetch the seat with a pessimistic lock inside a transaction so concurrent requests
+        // on the same seat serialise rather than racing to overwrite each other's assignment.
+        DB::transaction(function () use ($request, $licenseId, $seatId, $validated, &$errorResponse, &$updatedSeat): void {
+            $licenseSeat = LicenseSeat::with(['license', 'asset', 'user'])
+                ->lockForUpdate()
+                ->find($seatId);
 
-        $license = $licenseSeat->license;
-        if (! $license || $license->id != intval($licenseId)) {
-            return response()->json(Helper::formatStandardApiResponse('error', null, 'Seat does not belong to the specified license'));
-        }
+            if (! $licenseSeat) {
+                $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, 'Seat not found'));
 
-        $oldUser = $licenseSeat->user;
-        $oldAsset = $licenseSeat->asset;
-
-        // attempt to update the license seat
-        $licenseSeat->fill($validated);
-
-        // check if this update is a checkin operation
-        // 1. are relevant fields touched at all?
-        $assignmentTouched = $licenseSeat->isDirty('assigned_to') || $licenseSeat->isDirty('asset_id');
-        $anythingTouched = $licenseSeat->isDirty();
-
-        if (! $anythingTouched) {
-            return response()->json(
-                Helper::formatStandardApiResponse('success', $licenseSeat, trans('admin/licenses/message.update.success'))
-            );
-        }
-        if ($assignmentTouched && $licenseSeat->unreassignable_seat) {
-            return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/licenses/message.checkout.unavailable')));
-        }
-
-        // 2. are they cleared? if yes then this is a checkin operation
-        $is_checkin = ($assignmentTouched && $licenseSeat->assigned_to === null && $licenseSeat->asset_id === null);
-        $target = null;
-
-        // the logging functions expect only one "target". if both asset and user are present in the request,
-        // we simply let assets take precedence over users...
-        if ($licenseSeat->isDirty('assigned_to')) {
-            $target = $is_checkin ? $oldUser : User::find($licenseSeat->assigned_to);
-        }
-
-        if ($licenseSeat->isDirty('asset_id')) {
-            $target = $is_checkin ? $oldAsset : Asset::find($licenseSeat->asset_id);
-        }
-
-        if ($assignmentTouched && is_null($target)) {
-            // if both asset_id and assigned_to are null then we are "checking-in"
-            // a related model that does not exist (possible purged or bad data).
-            if (! is_null($request->input('asset_id')) || ! is_null($request->input('assigned_to'))) {
-                return response()->json(Helper::formatStandardApiResponse('error', null, 'Target not found'));
+                return;
+            }
+
+            $license = $licenseSeat->license;
+            if (! $license || $license->id != intval($licenseId)) {
+                $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, 'Seat does not belong to the specified license'));
+
+                return;
+            }
+
+            $targetUser = null;
+            if (! is_null($request->input('assigned_to'))) {
+                // Resolve unscoped target so we can return a clean cross-company error instead of a hidden-not-found.
+                $targetUser = User::withoutGlobalScopes()->find($request->input('assigned_to'));
+
+                if (! $targetUser) {
+                    $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, 'Target not found'));
+
+                    return;
+                }
+
+                if ((Setting::getSettings()->full_multiple_companies_support == '1') && (! $targetUser->companies()->where('companies.id', $license->company_id)->exists())) {
+                    $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, trans('general.error_user_company')));
+
+                    return;
+                }
+            }
+
+            $targetAsset = null;
+            if (! is_null($request->input('asset_id'))) {
+                // Resolve unscoped target so FMCS company mismatch can be enforced explicitly.
+                $targetAsset = Asset::withoutGlobalScopes()->find($request->input('asset_id'));
+
+                if (! $targetAsset) {
+                    $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, 'Target not found'));
+
+                    return;
+                }
+
+                if ((Setting::getSettings()->full_multiple_companies_support == '1') && ($license->company_id !== $targetAsset->company_id)) {
+                    $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, trans('general.error_user_company')));
+
+                    return;
+                }
+            }
+
+            $oldUser = $licenseSeat->user;
+            $oldAsset = $licenseSeat->asset;
+
+            $licenseSeat->fill($validated);
+
+            $assignmentTouched = $licenseSeat->isDirty('assigned_to') || $licenseSeat->isDirty('asset_id');
+            $anythingTouched = $licenseSeat->isDirty();
+
+            if (! $anythingTouched) {
+                $updatedSeat = $licenseSeat;
+
+                return;
+            }
+
+            if ($assignmentTouched && $licenseSeat->unreassignable_seat) {
+                $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/licenses/message.checkout.unavailable')));
+
+                return;
+            }
+
+            // Are the assignment fields cleared? If yes, this is a checkin operation.
+            $is_checkin = ($assignmentTouched && $licenseSeat->assigned_to === null && $licenseSeat->asset_id === null);
+
+            // The logging functions expect only one "target"; assets take precedence over users.
+            $target = null;
+            if ($licenseSeat->isDirty('assigned_to')) {
+                $target = $is_checkin ? $oldUser : $targetUser;
+            }
+            if ($licenseSeat->isDirty('asset_id')) {
+                $target = $is_checkin ? $oldAsset : $targetAsset;
+            }
+
+            if ($assignmentTouched && is_null($target)) {
+                // Both fields are null but one was provided — the related model is purged or bad data.
+                if (! is_null($request->input('asset_id')) || ! is_null($request->input('assigned_to'))) {
+                    $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, 'Target not found'));
+
+                    return;
+                }
+            }
+
+            if (! $licenseSeat->save()) {
+                $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, $licenseSeat->getErrors()));
+
+                return;
             }
-        }
 
-        if ($licenseSeat->save()) {
             if ($assignmentTouched) {
                 if ($is_checkin) {
                     if (! $licenseSeat->license->reassignable) {
                         $licenseSeat->unreassignable_seat = true;
-                        $licenseSeat->save();
+
+                        if (! $licenseSeat->save()) {
+                            $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, $licenseSeat->getErrors()));
+
+                            return;
+                        }
                     }
-                    // todo: skip if target is null?
+
                     $licenseSeat->logCheckin($target, $licenseSeat->notes);
                 } else {
-                    // in this case, relevant fields are touched but it's not a checkin operation. so it must be a checkout operation.
                     $licenseSeat->logCheckout($request->input('notes'), $target);
                 }
             }
 
-            return response()->json(Helper::formatStandardApiResponse('success', $licenseSeat, trans('admin/licenses/message.update.success')));
+            $updatedSeat = $licenseSeat;
+        });
+
+        if ($errorResponse) {
+            return $errorResponse;
         }
 
-        return Helper::formatStandardApiResponse('error', null, $licenseSeat->getErrors());
+        if ($updatedSeat) {
+            return response()->json(Helper::formatStandardApiResponse('success', $updatedSeat, trans('admin/licenses/message.update.success')));
+        }
+
+        return response()->json(Helper::formatStandardApiResponse('error', null, 'An unexpected error occurred'), 500);
     }
 }

app/Http/Controllers/Api/LicensesController.php

@@ -2,14 +2,21 @@
 
 namespace App\Http\Controllers\Api;
 
+use App\Events\CheckoutableCheckedIn;
+use App\Events\CheckoutableCheckedOut;
 use App\Helpers\Helper;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\FilterRequest;
 use App\Http\Transformers\ActionlogsTransformer;
+use App\Http\Transformers\LicenseSeatsTransformer;
 use App\Http\Transformers\LicensesTransformer;
 use App\Http\Transformers\SelectlistTransformer;
+use App\Models\Asset;
+use App\Models\Company;
 use App\Models\License;
+use App\Models\LicenseSeat;
 use App\Models\Setting;
+use App\Models\User;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\DB;
@@ -27,7 +34,7 @@ class LicensesController extends Controller
     {
         $this->authorize('view', License::class);
 
-        $licenses = License::with('company', 'manufacturer', 'supplier', 'category', 'adminuser')->withCount('freeSeats as free_seats_count');
+        $licenses = License::with('company', 'manufacturer', 'supplier', 'category', 'adminuser', 'licenseSeatsRelation', 'assignedCount')->withCount('freeSeats as free_seats_count');
         $settings = Setting::getSettings();
 
         if ($request->input('status') == 'inactive') {
@@ -179,6 +186,7 @@ class LicensesController extends Controller
         $this->authorize('create', License::class);
         $license = new License;
         $license->fill($request->all());
+        $license->company_id = Company::getIdForCurrentUser($request->input('company_id'));
 
         if ($license->save()) {
             return response()->json(Helper::formatStandardApiResponse('success', $license, trans('admin/licenses/message.create.success')));
@@ -219,6 +227,7 @@ class LicensesController extends Controller
 
         $license = License::findOrFail($id);
         $license->fill($request->all());
+        $license->company_id = Company::getIdForCurrentUser($request->input('company_id'));
 
         if ($license->save()) {
             return response()->json(Helper::formatStandardApiResponse('success', $license, trans('admin/licenses/message.update.success')));
@@ -244,7 +253,7 @@ class LicensesController extends Controller
         if ($license->assigned_seats_count == 0) {
             // Delete the license and the associated license seats
             DB::table('license_seats')
-                ->where('id', $license->id)
+                ->where('license_id', $license->id)
                 ->update(['assigned_to' => null, 'asset_id' => null]);
 
             $licenseSeats = $license->licenseseats();
@@ -258,6 +267,167 @@ class LicensesController extends Controller
         return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/licenses/message.assoc_users')));
     }
 
+    /**
+     * Checkout a license seat to a user or asset.
+     *
+     * Accepts an optional `seat_id`; if omitted the next available free seat is used.
+     * `target_type` must be "user" or "asset". Supply `assigned_to` for users or
+     * `asset_id` for assets.
+     *
+     * This will eventually use the same form request the UI uses, but we need to update the field names first.
+     *
+     * @param  int  $licenseId
+     */
+    public function checkout(Request $request, $licenseId): JsonResponse
+    {
+        $license = License::findOrFail($licenseId);
+        $this->authorize('checkout', $license);
+
+        $validated = $this->validate($request, [
+            'seat_id' => 'sometimes|integer|nullable',
+            'target_type' => 'required|in:user,asset',
+            'assigned_to' => 'required_if:target_type,user|integer|nullable',
+            'asset_id' => 'required_if:target_type,asset|integer|nullable',
+            'notes' => 'sometimes|string|nullable',
+        ]);
+
+        if ($license->isInactive()) {
+            return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/licenses/message.checkout.license_is_inactive')));
+        }
+
+        $errorResponse = null;
+        $updatedSeat = null;
+        $target = null;
+
+        DB::transaction(function () use ($license, $validated, &$errorResponse, &$updatedSeat, &$target): void {
+            $seatId = $validated['seat_id'] ?? null;
+
+            $licenseSeat = $seatId
+                ? LicenseSeat::where('id', $seatId)->where('license_id', $license->id)->lockForUpdate()->first()
+                : $license->freeSeat(lock: true);
+
+            if (! $licenseSeat) {
+                $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/licenses/message.checkout.not_enough_seats')));
+
+                return;
+            }
+
+            if ($licenseSeat->unreassignable_seat) {
+                $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/licenses/message.checkout.unavailable')));
+
+                return;
+            }
+
+            if ($validated['target_type'] === 'user') {
+                $target = User::withoutGlobalScopes()->whereNull('deleted_at')->find($validated['assigned_to'] ?? null);
+                if (! $target) {
+                    $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/licenses/message.user_does_not_exist')));
+
+                    return;
+                }
+
+                if (Company::isFullMultipleCompanySupportEnabled() && ! $target->companies()->where('companies.id', $license->company_id)->exists()) {
+                    $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, trans('general.error_user_company')));
+
+                    return;
+                }
+
+                $licenseSeat->assigned_to = $target->id;
+                $licenseSeat->asset_id = null;
+            } else {
+                $target = Asset::withoutGlobalScopes()->whereNull('deleted_at')->find($validated['asset_id'] ?? null);
+                if (! $target) {
+                    $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/licenses/message.asset_does_not_exist')));
+
+                    return;
+                }
+
+                if (Company::isFullMultipleCompanySupportEnabled() && $license->company_id && $license->company_id !== $target->company_id) {
+                    $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, trans('general.error_user_company')));
+
+                    return;
+                }
+
+                $licenseSeat->asset_id = $target->id;
+                $licenseSeat->assigned_to = null;
+
+                if ($target->checkedOutToUser()) {
+                    $licenseSeat->assigned_to = $target->assigned_to;
+                }
+            }
+
+            $licenseSeat->notes = $validated['notes'] ?? null;
+            $licenseSeat->created_by = auth()->id();
+
+            if (! $licenseSeat->save()) {
+                $errorResponse = response()->json(Helper::formatStandardApiResponse('error', null, $licenseSeat->getErrors()));
+
+                return;
+            }
+
+            event(new CheckoutableCheckedOut($licenseSeat, $target, auth()->user(), $validated['notes'] ?? null));
+            $updatedSeat = $licenseSeat->load('license', 'user', 'asset');
+        });
+
+        if ($errorResponse) {
+            return $errorResponse;
+        }
+
+        if ($updatedSeat) {
+            return response()->json(Helper::formatStandardApiResponse('success', (new LicenseSeatsTransformer)->transformLicenseSeat($updatedSeat), trans('admin/licenses/message.checkout.success')));
+        }
+
+        return response()->json(Helper::formatStandardApiResponse('error', null, 'An unexpected error occurred'), 500);
+    }
+
+    /**
+     * Checkin a license seat.
+     *
+     * `seat_id` is required to identify which seat to check back in.
+     *
+     * @param  int  $licenseId
+     */
+    public function checkin(Request $request, $licenseId): JsonResponse
+    {
+        $license = License::findOrFail($licenseId);
+        $this->authorize('checkin', $license);
+
+        $validated = $this->validate($request, [
+            'seat_id' => 'required|integer',
+            'notes' => 'sometimes|string|nullable',
+        ]);
+
+        $licenseSeat = LicenseSeat::where('id', $validated['seat_id'])
+            ->where('license_id', $license->id)
+            ->first();
+
+        if (! $licenseSeat) {
+            return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/licenses/message.not_found')));
+        }
+
+        if (is_null($licenseSeat->assigned_to) && is_null($licenseSeat->asset_id)) {
+            return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/licenses/message.checkin.error')));
+        }
+
+        $target = $licenseSeat->user ?? $licenseSeat->asset;
+
+        $licenseSeat->assigned_to = null;
+        $licenseSeat->asset_id = null;
+        $licenseSeat->notes = $validated['notes'] ?? null;
+
+        if (! $license->reassignable) {
+            $licenseSeat->unreassignable_seat = true;
+        }
+
+        if (! $licenseSeat->save()) {
+            return response()->json(Helper::formatStandardApiResponse('error', null, $licenseSeat->getErrors()));
+        }
+
+        event(new CheckoutableCheckedIn($licenseSeat, $target, auth()->user(), $licenseSeat->notes));
+
+        return response()->json(Helper::formatStandardApiResponse('success', (new LicenseSeatsTransformer)->transformLicenseSeat($licenseSeat->load('license', 'user', 'asset')), trans('admin/licenses/message.checkin.success')));
+    }
+
     /**
      * Gets a paginated collection for the select2 menus
      *
@@ -265,6 +435,8 @@ class LicensesController extends Controller
      */
     public function selectlist(Request $request): array
     {
+        $this->authorize('view.selectlists');
+
         $licenses = License::select([
             'licenses.id',
             'licenses.name',

app/Http/Controllers/Api/LocationsController.php

@@ -67,7 +67,18 @@ class LocationsController extends Controller
             'notes',
         ];
 
-        $locations = Location::with('parent', 'manager', 'children')->select([
+        $locations = Location::with([
+            'parent',
+            'children',
+            'manager' => fn ($q) => $q->withCount([
+                'assets as assets_count',
+                'accessories as accessories_count',
+                'licenses as licenses_count',
+                'consumables as consumables_count',
+                'managesUsers as manages_users_count',
+                'managedLocations as manages_locations_count',
+            ]),
+        ])->select([
             'locations.id',
             'locations.name',
             'locations.address',
@@ -103,7 +114,9 @@ class LocationsController extends Controller
             ->withCount('components as components_count')
             ->with('adminuser');
 
-        // Only scope locations if the setting is enabled
+        // scope_locations_fmcs is required for location-level company scoping (locations may not
+        // have company_id assigned unless the compatibility check has been completed in Settings).
+        // Without it, locations are visible to all authenticated users regardless of FMCS state.
         if (Setting::getSettings()->scope_locations_fmcs) {
             $locations = Company::scopeCompanyables($locations);
         }
@@ -157,8 +170,6 @@ class LocationsController extends Controller
             $locations->where('tag_color', '=', $request->input('locations.tag_color'));
         }
 
-        // Make sure the offset and limit are actually integers and do not exceed system limits
-        $offset = ($request->input('offset') > $locations->count()) ? $locations->count() : app('api_offset_value');
         $limit = app('api_limit_value');
 
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
@@ -180,6 +191,7 @@ class LocationsController extends Controller
         }
 
         $total = $locations->count();
+        $offset = ($request->input('offset') > $total) ? $total : app('api_offset_value');
         $locations = $locations->skip($offset)->take($limit)->get();
 
         return (new LocationsTransformer)->transformLocations($locations, $total);
@@ -199,12 +211,19 @@ class LocationsController extends Controller
         $location->fill($request->all());
         $location = $request->handleImages($location);
 
-        // Only scope location if the setting is enabled
         if (Setting::getSettings()->scope_locations_fmcs) {
             $location->company_id = Company::getIdForCurrentUser($request->input('company_id'));
-            // check if parent is set and has a different company
-            if ($location->parent_id && Location::find($location->parent_id)->company_id != $location->company_id) {
-                response()->json(Helper::formatStandardApiResponse('error', null, 'different company than parent'));
+        }
+
+        // Parent company check applies whenever FMCS is on, independent of scope_locations_fmcs.
+        if (Setting::getSettings()->full_multiple_companies_support) {
+            $parent = $location->parent_id ? Location::find($location->parent_id) : null;
+            if ($parent && $parent->company_id != $location->company_id) {
+                return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.error_location_parent_company', [
+                    'parent' => $parent->name,
+                    'parent_company' => $parent->company?->name ?? trans('general.unassigned'),
+                    'location_company' => $location->company?->name ?? trans('general.unassigned'),
+                ])));
             }
         }
 
@@ -227,7 +246,19 @@ class LocationsController extends Controller
     public function show($id): JsonResponse|array
     {
         $this->authorize('view', Location::class);
-        $location = Location::with('parent', 'manager', 'children', 'company')
+        $location = Location::with([
+            'parent',
+            'children',
+            'company',
+            'manager' => fn ($q) => $q->withCount([
+                'assets as assets_count',
+                'accessories as accessories_count',
+                'licenses as licenses_count',
+                'consumables as consumables_count',
+                'managesUsers as manages_users_count',
+                'managedLocations as manages_locations_count',
+            ]),
+        ])
             ->select([
                 'locations.id',
                 'locations.name',
@@ -279,18 +310,36 @@ class LocationsController extends Controller
         $location = $request->handleImages($location);
 
         if ($request->filled('company_id')) {
-            // Only scope location if the setting is enabled
             if (Setting::getSettings()->scope_locations_fmcs) {
                 $location->company_id = Company::getIdForCurrentUser($request->input('company_id'));
                 // check if there are related objects with different company
-                if (Helper::test_locations_fmcs(false, $id, $location->company_id)) {
-                    return response()->json(Helper::formatStandardApiResponse('error', null, 'error scoped locations'));
+                if ($mismatched = Helper::test_locations_fmcs(false, $id, $location->company_id)) {
+                    $first = $mismatched[0];
+
+                    return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.error_location_scoped_items', [
+                        'item_type' => trans('general.'.strtolower($first[0])),
+                        'item_name' => $first[2],
+                        'item_company' => $first[5] ?? trans('general.unassigned'),
+                    ])));
                 }
             } else {
                 $location->company_id = $request->input('company_id');
             }
         }
 
+        // Parent company check applies whenever FMCS is on, independent of scope_locations_fmcs.
+        // Runs outside the company_id gate so a parent_id-only update is also validated.
+        if (Setting::getSettings()->full_multiple_companies_support) {
+            $parent = $location->parent_id ? Location::find($location->parent_id) : null;
+            if ($parent && $parent->company_id != $location->company_id) {
+                return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.error_location_parent_company', [
+                    'parent' => $parent->name,
+                    'parent_company' => $parent->company?->name ?? trans('general.unassigned'),
+                    'location_company' => $location->company?->name ?? trans('general.unassigned'),
+                ])));
+            }
+        }
+
         if ($location->isValid()) {
 
             $location->save();
@@ -422,11 +471,6 @@ class LocationsController extends Controller
             'locations.tag_color',
         ]);
 
-        // Only scope locations if the setting is enabled
-        if (Setting::getSettings()->scope_locations_fmcs) {
-            $locations = Company::scopeCompanyables($locations);
-        }
-
         $page = 1;
         if ($request->filled('page')) {
             $page = $request->input('page');
@@ -436,6 +480,10 @@ class LocationsController extends Controller
             $locations = $locations->where('locations.name', 'LIKE', '%'.$request->input('search').'%');
         }
 
+        if ($request->filled('excludeId')) {
+            $locations->where('locations.id', '!=', (int) $request->input('excludeId'));
+        }
+
         $locations = $locations->orderBy('name', 'ASC')->get();
 
         $locations_with_children = [];

app/Http/Controllers/Api/MaintenanceTypesController.php

@@ -0,0 +1,87 @@
+<?php
+
+namespace App\Http\Controllers\Api;
+
+use App\Helpers\Helper;
+use App\Http\Controllers\Controller;
+use App\Http\Requests\FilterRequest;
+use App\Http\Transformers\MaintenanceTypesTransformer;
+use App\Models\MaintenanceType;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+
+class MaintenanceTypesController extends Controller
+{
+    public function index(FilterRequest $request): JsonResponse|array
+    {
+        $this->authorize('view', MaintenanceType::class);
+
+        $types = MaintenanceType::select(['id', 'name', 'created_at', 'updated_at', 'deleted_at']);
+
+        if ($request->input('deleted') == 'true') {
+            $types->onlyTrashed();
+        }
+
+        if ($request->filled('search')) {
+            $types->where('name', 'LIKE', '%'.$request->input('search').'%');
+        }
+
+        if ($request->filled('name')) {
+            $types->where('name', '=', $request->input('name'));
+        }
+
+        $offset = ($request->input('offset') > $types->count()) ? $types->count() : app('api_offset_value');
+        $limit = app('api_limit_value');
+        $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
+        $sort = in_array($request->input('sort'), ['id', 'name', 'created_at', 'updated_at']) ? $request->input('sort') : 'name';
+
+        $total = $types->count();
+        $types = $types->orderBy($sort, $order)->skip($offset)->take($limit)->get();
+
+        return (new MaintenanceTypesTransformer)->transformMaintenanceTypes($types, $total);
+    }
+
+    public function show(MaintenanceType $maintenanceType): JsonResponse|array
+    {
+        $this->authorize('view', $maintenanceType);
+
+        return (new MaintenanceTypesTransformer)->transformMaintenanceType($maintenanceType);
+    }
+
+    public function store(Request $request): JsonResponse
+    {
+        $this->authorize('create', MaintenanceType::class);
+
+        $type = new MaintenanceType;
+        $type->name = $request->input('name');
+        $type->created_by = auth()->id();
+
+        if ($type->save()) {
+            return response()->json(Helper::formatStandardApiResponse('success', (new MaintenanceTypesTransformer)->transformMaintenanceType($type), trans('admin/maintenance_types/message.create.success')));
+        }
+
+        return response()->json(Helper::formatStandardApiResponse('error', null, $type->getErrors()));
+    }
+
+    public function update(Request $request, MaintenanceType $maintenanceType): JsonResponse
+    {
+        $this->authorize('update', $maintenanceType);
+
+        $maintenanceType->name = $request->input('name');
+
+        if ($maintenanceType->save()) {
+            return response()->json(Helper::formatStandardApiResponse('success', (new MaintenanceTypesTransformer)->transformMaintenanceType($maintenanceType), trans('admin/maintenance_types/message.update.success')));
+        }
+
+        return response()->json(Helper::formatStandardApiResponse('error', null, $maintenanceType->getErrors()));
+    }
+
+    public function destroy(MaintenanceType $maintenanceType): JsonResponse
+    {
+        $this->authorize('delete', $maintenanceType);
+
+        $maintenanceType->delete();
+
+        return response()->json(Helper::formatStandardApiResponse('success', null, trans('admin/maintenance_types/message.delete.success')));
+    }
+}

app/Http/Controllers/Api/MaintenancesController.php

@@ -2,15 +2,19 @@
 
 namespace App\Http\Controllers\Api;
 
+use App\Enums\ActionType;
 use App\Helpers\Helper;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\FilterRequest;
 use App\Http\Requests\ImageUploadRequest;
 use App\Http\Transformers\ActionlogsTransformer;
 use App\Http\Transformers\MaintenancesTransformer;
+use App\Models\Actionlog;
 use App\Models\Asset;
 use App\Models\Company;
 use App\Models\Maintenance;
+use App\Models\Setting;
+use Illuminate\Database\Eloquent\Collection as EloquentCollection;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 
@@ -38,7 +42,8 @@ class MaintenancesController extends Controller
         $this->authorize('view', Asset::class);
 
         $maintenances = Maintenance::select('maintenances.*')
-            ->with('asset', 'asset.model', 'asset.location', 'asset.defaultLoc', 'supplier', 'asset.company', 'asset.status', 'adminuser', 'asset.assignedTo');
+            ->whereHas('asset')
+            ->with('asset', 'asset.model', 'asset.location', 'asset.defaultLoc', 'supplier', 'asset.company', 'asset.status', 'adminuser', 'asset.assignedTo', 'maintenanceType', 'responsibleParty', 'completedByUser');
 
         // This invokes the Searchable model trait scopeTextSearch and will handle input by search or by advanced search filter
         if ($request->filled('filter') || $request->filled('search')) {
@@ -61,22 +66,53 @@ class MaintenancesController extends Controller
             $maintenances->where('maintenances.url', '=', $request->input('url'));
         }
 
-        if ($request->filled('asset_maintenance_type')) {
-            $maintenances->where('asset_maintenance_type', '=', $request->input('asset_maintenance_type'));
+        if ($request->filled('maintenance_type')) {
+            $maintenances->where('maintenance_type', '=', $request->input('maintenance_type'));
+        }
+
+        if ($request->filled('maintenance_type_id')) {
+            $maintenances->where('maintenance_type_id', '=', $request->input('maintenance_type_id'));
+        }
+
+        if ($request->filled('responsible_party_id')) {
+            $maintenances->where('responsible_party_id', '=', $request->input('responsible_party_id'));
+        }
+
+        if ($request->filled('completed')) {
+            if ($request->input('completed') === 'true') {
+                $maintenances->completed();
+            } else {
+                $maintenances->active();
+            }
+        }
+
+        if ($request->filled('upcoming_status')) {
+            $settings = Setting::getSettings();
+            switch ($request->input('upcoming_status')) {
+                case 'due':
+                    $maintenances->dueForCompletion($settings);
+                    break;
+                case 'overdue':
+                    $maintenances->overdueForCompletion();
+                    break;
+                case 'due-or-overdue':
+                    $maintenances->dueOrOverdueForCompletion($settings);
+                    break;
+            }
         }
 
         // Make sure the offset and limit are actually integers and do not exceed system limits
-        $offset = ($request->input('offset') > $maintenances->count()) ? $maintenances->count() : abs($request->input('offset'));
+        $offset = ($request->input('offset') > $maintenances->count()) ? $maintenances->count() : app('api_offset_value');
         $limit = app('api_limit_value');
 
         $allowed_columns = [
             'id',
             'name',
             'asset_maintenance_time',
-            'asset_maintenance_type',
             'cost',
             'start_date',
             'completion_date',
+            'completed_at',
             'notes',
             'asset_tag',
             'asset_name',
@@ -88,6 +124,7 @@ class MaintenancesController extends Controller
             'status_label',
             'model',
             'model_number',
+            'maintenance_type',
         ];
 
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
@@ -95,31 +132,37 @@ class MaintenancesController extends Controller
 
         switch ($sort) {
             case 'created_by':
-                $maintenances = $maintenances->OrderByCreatedBy($order);
+                $maintenances = $maintenances->orderByCreatedBy($order);
                 break;
             case 'supplier':
-                $maintenances = $maintenances->OrderBySupplier($order);
+                $maintenances = $maintenances->orderBySupplier($order);
                 break;
             case 'asset_tag':
-                $maintenances = $maintenances->OrderByTag($order);
+                $maintenances = $maintenances->orderByTag($order);
                 break;
             case 'asset_name':
-                $maintenances = $maintenances->OrderByAssetName($order);
+                $maintenances = $maintenances->orderByAssetName($order);
                 break;
             case 'model':
-                $maintenances = $maintenances->OrderByAssetModelName($order);
+                $maintenances = $maintenances->orderByAssetModelName($order);
                 break;
             case 'model_number':
-                $maintenances = $maintenances->OrderByAssetModelNumber($order);
+                $maintenances = $maintenances->orderByAssetModelNumber($order);
                 break;
             case 'serial':
-                $maintenances = $maintenances->OrderByAssetSerial($order);
+                $maintenances = $maintenances->orderByAssetSerial($order);
                 break;
             case 'location':
-                $maintenances = $maintenances->OrderLocationName($order);
+                $maintenances = $maintenances->orderLocationName($order);
                 break;
             case 'status_label':
-                $maintenances = $maintenances->OrderStatusName($order);
+                $maintenances = $maintenances->orderStatusName($order);
+                break;
+            case 'maintenance_type':
+                $maintenances = $maintenances->orderByMaintenanceType($order);
+                break;
+            case 'completed_at':
+                $maintenances = $maintenances->orderByCompletedAt($order);
                 break;
             default:
                 $maintenances = $maintenances->orderBy($sort, $order);
@@ -152,19 +195,60 @@ class MaintenancesController extends Controller
     {
         $this->authorize('update', Asset::class);
 
-        // create a new model instance
-        $maintenance = new Maintenance;
-        $maintenance->fill($request->all());
-        $maintenance->created_by = auth()->id();
-        $maintenance = $request->handleImages($maintenance);
-        // Was the asset maintenance created?
-        if ($maintenance->save()) {
-            return response()->json(Helper::formatStandardApiResponse('success', $maintenance, trans('admin/maintenances/message.create.success')));
+        $isBulk = $request->has('asset_ids');
+        $assetIds = $isBulk
+            ? array_values(array_filter((array) $request->input('asset_ids')))
+            : [$request->input('asset_id')];
 
+        $created = new EloquentCollection;
+        $errors = [];
+
+        foreach ($assetIds as $assetId) {
+            $asset = Asset::find($assetId);
+
+            if (! $asset) {
+                $errors[] = trans('general.item_not_found', ['item_type' => trans('general.asset'), 'id' => $assetId]);
+
+                continue;
+            }
+
+            if (! Company::isCurrentUserHasAccess($asset)) {
+                $errors[] = trans('general.action_permission_denied', ['item_type' => trans('general.asset'), 'id' => $assetId, 'action' => trans('general.create')]);
+
+                continue;
+            }
+
+            $maintenance = new Maintenance;
+            $maintenance->fill($request->except(['asset_id', 'asset_ids']));
+            $maintenance->asset_id = $assetId;
+            $maintenance->created_by = auth()->id();
+            $request->handleImages($maintenance);
+
+            if ($maintenance->save()) {
+                $created->push($maintenance->fresh());
+            } else {
+                $errors[] = $maintenance->getErrors();
+            }
         }
 
-        return response()->json(Helper::formatStandardApiResponse('error', null, $maintenance->getErrors()));
+        if ($isBulk) {
+            if ($created->isEmpty()) {
+                return response()->json(Helper::formatStandardApiResponse('error', null, count($errors) === 1 ? $errors[0] : $errors));
+            }
 
+            return response()->json(Helper::formatStandardApiResponse(
+                'success',
+                (new MaintenancesTransformer)->transformMaintenances($created, $created->count()),
+                trans('admin/maintenances/message.create.success')
+            ));
+        }
+
+        // Single asset_id path — backward compatible response shape
+        if ($created->isNotEmpty()) {
+            return response()->json(Helper::formatStandardApiResponse('success', $created->first(), trans('admin/maintenances/message.create.success')));
+        }
+
+        return response()->json(Helper::formatStandardApiResponse('error', null, ! empty($errors) ? $errors[0] : null));
     }
 
     /**
@@ -185,17 +269,33 @@ class MaintenancesController extends Controller
 
         if ($maintenance = Maintenance::with('asset')->find($id)) {
 
-            // Can this user manage this asset?
-            if (! Company::isCurrentUserHasAccess($maintenance->asset)) {
-                return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.action_permission_denied', ['item_type' => trans('admin/maintenances/general.maintenance'), 'id' => $id, 'action' => trans('general.edit')])));
-            }
-
-            // The asset this miantenance is attached to is not valid or has been deleted
+            // The asset this maintenance is attached to is not valid or has been deleted
             if (! $maintenance->asset) {
                 return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.item_not_found', ['item_type' => trans('general.asset'), 'id' => $id])));
             }
 
-            $maintenance->fill($request->all());
+            // Can this user manage the existing asset?
+            if (! Company::isCurrentUserHasAccess($maintenance->asset)) {
+                return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.action_permission_denied', ['item_type' => trans('admin/maintenances/general.maintenance'), 'id' => $id, 'action' => trans('general.edit')])));
+            }
+
+            // If the request changes asset_id, verify the new asset is accessible
+            if ($request->filled('asset_id') && (int) $request->input('asset_id') !== $maintenance->asset_id) {
+                $newAsset = Asset::find($request->input('asset_id'));
+
+                if (! $newAsset) {
+                    return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.item_not_found', ['item_type' => trans('general.asset'), 'id' => $request->input('asset_id')])));
+                }
+
+                if (! Company::isCurrentUserHasAccess($newAsset)) {
+                    return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.action_permission_denied', ['item_type' => trans('general.asset'), 'id' => $request->input('asset_id'), 'action' => trans('general.edit')])), 403);
+                }
+
+                $maintenance->fill($request->except('asset_id'));
+                $maintenance->asset_id = $newAsset->id;
+            } else {
+                $maintenance->fill($request->except('asset_id'));
+            }
 
             if ($maintenance->save()) {
                 return response()->json(Helper::formatStandardApiResponse('success', $maintenance, trans('admin/maintenances/message.edit.success')));
@@ -255,11 +355,38 @@ class MaintenancesController extends Controller
 
     }
 
+    public function complete(Request $request, Maintenance $maintenance): JsonResponse
+    {
+        $this->authorize('update', Asset::class);
+
+        if (! Company::isCurrentUserHasAccess($maintenance->asset)) {
+            return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.action_permission_denied', ['item_type' => trans('admin/maintenances/general.maintenance'), 'id' => $maintenance->id, 'action' => trans('admin/maintenances/form.mark_complete')])));
+        }
+
+        if ($maintenance->completed_at) {
+            return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/maintenances/form.already_complete')));
+        }
+
+        $maintenance->completed_at = now();
+        $maintenance->completed_by = auth()->id();
+        $maintenance->asset_maintenance_time = (int) $maintenance->created_at->diffInDays(now(), true);
+        $maintenance->saveQuietly();
+
+        $logAction = new Actionlog;
+        $logAction->item_type = Maintenance::class;
+        $logAction->item_id = $maintenance->id;
+        $logAction->target_type = Asset::class;
+        $logAction->target_id = $maintenance->asset_id;
+        $logAction->created_by = auth()->id();
+        $logAction->note = $request->input('note');
+        $logAction->logaction(ActionType::MaintenanceComplete);
+
+        return response()->json(Helper::formatStandardApiResponse('success', (new MaintenancesTransformer)->transformMaintenance($maintenance->fresh()), trans('admin/maintenances/message.complete.success')));
+    }
+
     public function history(Request $request, Maintenance $maintenance): JsonResponse|array
     {
-        $this->authorize('view', Asset::class);
-        $asset = $maintenance->asset;
-        $this->authorize('history', $asset);
+        $this->authorize('history', $maintenance);
         $historyQuery = $maintenance->getHistory($request);
         $total = (clone $historyQuery)->count();
         $offset = ($request->input('offset') > $total) ? $total : app('api_offset_value');
@@ -268,4 +395,50 @@ class MaintenancesController extends Controller
 
         return response()->json((new ActionlogsTransformer)->transformActionlogs($history, $total), 200, ['Content-Type' => 'application/json;charset=utf8'], JSON_UNESCAPED_UNICODE);
     }
+
+    public function notesIndex(Maintenance $maintenance): JsonResponse
+    {
+        $this->authorize('journal', $maintenance);
+
+        $notes = Actionlog::with('user:id,username')
+            ->where('item_type', Maintenance::class)
+            ->where('item_id', $maintenance->id)
+            ->where('action_type', 'note added')
+            ->orderBy('created_at', 'desc')
+            ->get(['id', 'created_at', 'note', 'created_by', 'item_id', 'item_type', 'action_type']);
+
+        $notesArray = $notes->map(fn ($note) => [
+            'id' => $note->id,
+            'created_at' => $note->created_at,
+            'note' => $note->note,
+            'created_by' => $note->created_by,
+            'username' => $note->user?->username,
+            'item_id' => $note->item_id,
+            'item_type' => $note->item_type,
+            'action_type' => $note->action_type,
+        ]);
+
+        return response()->json(Helper::formatStandardApiResponse('success', ['notes' => $notesArray, 'maintenance_id' => $maintenance->id]));
+    }
+
+    public function notesStore(Request $request, Maintenance $maintenance): JsonResponse
+    {
+        $this->authorize('update', $maintenance);
+
+        if (! $request->filled('note')) {
+            return response()->json(Helper::formatStandardApiResponse('error', null, trans('validation.required', ['attribute' => 'note'])), 422);
+        }
+
+        $logaction = new Actionlog;
+        $logaction->item_type = Maintenance::class;
+        $logaction->created_by = auth()->id();
+        $logaction->item_id = $maintenance->id;
+        $logaction->note = $request->input('note');
+
+        if ($logaction->logaction('note added')) {
+            return response()->json(Helper::formatStandardApiResponse('success', ['note' => $logaction->note, 'item_id' => $maintenance->id], trans('general.note_added')));
+        }
+
+        return response()->json(Helper::formatStandardApiResponse('error', null, 'Something went wrong'), 500);
+    }
 }

app/Http/Controllers/Api/PredefinedKitsController.php

@@ -6,6 +6,9 @@ use App\Helpers\Helper;
 use App\Http\Controllers\Controller;
 use App\Http\Transformers\PredefinedKitsTransformer;
 use App\Http\Transformers\SelectlistTransformer;
+use App\Models\Accessory;
+use App\Models\Consumable;
+use App\Models\License;
 use App\Models\PredefinedKit;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
@@ -183,6 +186,9 @@ class PredefinedKitsController extends Controller
         }
 
         $license_id = $request->input('license');
+        $license = License::findOrFail($license_id);
+        $this->authorize('view', $license);
+
         $relation = $kit->licenses();
         if ($relation->find($license_id)) {
             return response()->json(Helper::formatStandardApiResponse('error', null, ['license' => trans('admin/kits/general.license_error')]));
@@ -329,6 +335,9 @@ class PredefinedKitsController extends Controller
         }
 
         $consumable_id = $request->input('consumable');
+        $consumable = Consumable::findOrFail($consumable_id);
+        $this->authorize('view', $consumable);
+
         $relation = $kit->consumables();
         if ($relation->find($consumable_id)) {
             return response()->json(Helper::formatStandardApiResponse('error', null, ['consumable' => trans('admin/kits/general.consumable_error')]));
@@ -402,6 +411,9 @@ class PredefinedKitsController extends Controller
         }
 
         $accessory_id = $request->input('accessory');
+        $accessory = Accessory::findOrFail($accessory_id);
+        $this->authorize('view', $accessory);
+
         $relation = $kit->accessories();
         if ($relation->find($accessory_id)) {
             return response()->json(Helper::formatStandardApiResponse('error', null, ['accessory' => trans('admin/kits/general.accessory_error')]));

app/Http/Controllers/Api/ReportsController.php

@@ -6,8 +6,18 @@ use App\Helpers\Helper;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\FilterRequest;
 use App\Http\Transformers\ActionlogsTransformer;
+use App\Models\Accessory;
 use App\Models\Actionlog;
+use App\Models\Asset;
+use App\Models\Component;
+use App\Models\Consumable;
+use App\Models\License;
+use App\Models\LicenseSeat;
+use App\Models\Maintenance;
+use App\Models\User;
+use Carbon\Carbon;
 use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Gate;
 
 class ReportsController extends Controller
@@ -26,18 +36,18 @@ class ReportsController extends Controller
         // then they shouldn't be able to see the activity log for that item or target,
         // but if they have the general activity view permission,
         // then they can see all activity logs regardless of the item or target.
-        if ((! Gate::allows('activity.view')) && (($request->filled('target_type')) && ($request->filled('target_id'))) || (($request->filled('item_type')) && ($request->filled('item_id')))) {
+        if ((! Gate::allows('activity.view')) && (($request->filled('target_type') && $request->filled('target_id')) || ($request->filled('item_type') && $request->filled('item_id')))) {
 
             if (($request->filled('target_type')) && ($request->filled('target_id'))) {
-                $target = Helper::normalizeFullModelName(request()->input('target_type'));
-                $target::find(request()->input('target_id'))?->withTrashed();
-                $this->authorize('view', $target);
+                $targetClass = Helper::normalizeFullModelName(request()->input('target_type'));
+                $target = $targetClass::withTrashed()->find(request()->input('target_id'));
+                $this->authorize('view', $target ?? $targetClass);
             }
 
             if (($request->filled('item_type')) && ($request->filled('item_id'))) {
-                $item = Helper::normalizeFullModelName(request()->input('item_type'));
-                $item::find(request()->input('item_id'))?->withTrashed();
-                $this->authorize('view', $item);
+                $itemClass = Helper::normalizeFullModelName(request()->input('item_type'));
+                $item = $itemClass::withTrashed()->find(request()->input('item_id'));
+                $this->authorize('view', $item ?? $itemClass);
             }
 
         } else {
@@ -125,4 +135,141 @@ class ReportsController extends Controller
         return response()->json((new ActionlogsTransformer)->transformActionlogs($actionlogs, $total), 200, ['Content-Type' => 'application/json;charset=utf8'], JSON_UNESCAPED_UNICODE);
 
     }
+
+    /**
+     * Returns time-series data for the reports overview charts.
+     *
+     * Accepts ?days=N (preset, default 30) OR ?start_date=YYYY-MM-DD&end_date=YYYY-MM-DD.
+     * Also returns the immediately preceding period of equal length for comparison lines.
+     */
+    public function activityChart(Request $request): JsonResponse
+    {
+        $this->authorize('reports.view');
+
+        $allowedDays = [7, 14, 30, 60, 90, 180, 365];
+
+        if ($request->filled('start_date') && $request->filled('end_date')) {
+            $curStart = Carbon::parse($request->input('start_date'))->startOfDay();
+            $curEnd = Carbon::parse($request->input('end_date'))->endOfDay();
+            if ($curEnd->lt($curStart)) {
+                [$curStart, $curEnd] = [$curEnd, $curStart];
+            }
+            $days = max(1, (int) $curStart->diffInDays($curEnd) + 1);
+        } else {
+            $days = in_array((int) $request->input('days'), $allowedDays) ? (int) $request->input('days') : 30;
+            $curEnd = Carbon::today()->endOfDay();
+            $curStart = Carbon::today()->subDays($days - 1)->startOfDay();
+        }
+
+        $prevEnd = $curStart->copy()->subSecond()->endOfDay();
+        $prevStart = $prevEnd->copy()->subDays($days - 1)->startOfDay();
+
+        $buildDates = function (Carbon $start, Carbon $end): array {
+            $dates = [];
+            for ($d = $start->copy(); $d->lte($end); $d->addDay()) {
+                $dates[] = $d->toDateString();
+            }
+
+            return $dates;
+        };
+
+        $curDates = $buildDates($curStart, $curEnd);
+        $prevDates = $buildDates($prevStart, $prevEnd);
+
+        $pluckAction = function (string $actionType, Carbon $start, Carbon $end): array {
+            return Actionlog::where('action_type', $actionType)
+                ->whereBetween('created_at', [$start, $end])
+                ->selectRaw('DATE(created_at) as date, COUNT(*) as count')
+                ->groupBy('date')
+                ->pluck('count', 'date')
+                ->toArray();
+        };
+
+        // withTrashed() ensures records deleted after creation still appear in their creation-period counts.
+        $pluckCreated = function (string $modelClass, Carbon $start, Carbon $end): array {
+            return $modelClass::withTrashed()
+                ->whereBetween('created_at', [$start, $end])
+                ->selectRaw('DATE(created_at) as date, COUNT(*) as count')
+                ->groupBy('date')
+                ->pluck('count', 'date')
+                ->toArray();
+        };
+
+        // Maintenance has no company_id column and no CompanyableTrait, so scope through
+        // its asset relationship — whereHas('asset') applies Asset's FMCS global scope.
+        $pluckMaintenances = function (Carbon $start, Carbon $end): array {
+            return Maintenance::withTrashed()
+                ->whereHas('asset')
+                ->whereBetween('maintenances.created_at', [$start, $end])
+                ->selectRaw('DATE(maintenances.created_at) as date, COUNT(*) as count')
+                ->groupBy('date')
+                ->pluck('count', 'date')
+                ->toArray();
+        };
+
+        // Filters by both action_type and item_type for per-category checkout/checkin counts.
+        $pluckActionByType = function (string $actionType, string $modelClass, Carbon $start, Carbon $end): array {
+            return Actionlog::where('action_type', $actionType)
+                ->where('item_type', $modelClass)
+                ->whereBetween('created_at', [$start, $end])
+                ->selectRaw('DATE(created_at) as date, COUNT(*) as count')
+                ->groupBy('date')
+                ->pluck('count', 'date')
+                ->toArray();
+        };
+
+        $pluckDeletedUsers = function (Carbon $start, Carbon $end): array {
+            return User::withTrashed()
+                ->whereNotNull('deleted_at')
+                ->whereBetween('deleted_at', [$start, $end])
+                ->selectRaw('DATE(deleted_at) as date, COUNT(*) as count')
+                ->groupBy('date')
+                ->pluck('count', 'date')
+                ->toArray();
+        };
+
+        // Catches both 'checkin' and 'checkin from' action types used across different item types.
+        $pluckCheckinsByType = function (string $modelClass, Carbon $start, Carbon $end): array {
+            return Actionlog::whereIn('action_type', ['checkin', 'checkin from'])
+                ->where('item_type', $modelClass)
+                ->whereBetween('created_at', [$start, $end])
+                ->selectRaw('DATE(created_at) as date, COUNT(*) as count')
+                ->groupBy('date')
+                ->pluck('count', 'date')
+                ->toArray();
+        };
+
+        $fill = fn (array $raw, array $dates) => array_map(fn ($d) => (int) ($raw[$d] ?? 0), $dates);
+
+        $datasets = [];
+        foreach ([
+            'new_users' => fn ($s, $e) => $pluckCreated(User::class, $s, $e),
+            'deleted_users' => fn ($s, $e) => $pluckDeletedUsers($s, $e),
+            'asset_checkouts' => fn ($s, $e) => $pluckActionByType('checkout', Asset::class, $s, $e),
+            'asset_checkins' => fn ($s, $e) => $pluckCheckinsByType(Asset::class, $s, $e),
+            'new_assets' => fn ($s, $e) => $pluckCreated(Asset::class, $s, $e),
+            'new_maintenances' => fn ($s, $e) => $pluckMaintenances($s, $e),
+            'new_audits' => fn ($s, $e) => $pluckAction('audit', $s, $e),
+            'component_checkouts' => fn ($s, $e) => $pluckActionByType('checkout', Component::class, $s, $e),
+            'component_checkins' => fn ($s, $e) => $pluckCheckinsByType(Component::class, $s, $e),
+            'new_components' => fn ($s, $e) => $pluckCreated(Component::class, $s, $e),
+            'consumable_checkouts' => fn ($s, $e) => $pluckActionByType('checkout', Consumable::class, $s, $e),
+            'consumable_checkins' => fn ($s, $e) => $pluckCheckinsByType(Consumable::class, $s, $e),
+            'new_consumables' => fn ($s, $e) => $pluckCreated(Consumable::class, $s, $e),
+            'license_checkouts' => fn ($s, $e) => $pluckActionByType('checkout', LicenseSeat::class, $s, $e),
+            'license_checkins' => fn ($s, $e) => $pluckCheckinsByType(LicenseSeat::class, $s, $e),
+            'new_licenses' => fn ($s, $e) => $pluckCreated(License::class, $s, $e),
+            'accessory_checkouts' => fn ($s, $e) => $pluckActionByType('checkout', Accessory::class, $s, $e),
+            'accessory_checkins' => fn ($s, $e) => $pluckCheckinsByType(Accessory::class, $s, $e),
+            'new_accessories' => fn ($s, $e) => $pluckCreated(Accessory::class, $s, $e),
+        ] as $key => $query) {
+            $datasets[$key] = $fill($query($curStart, $curEnd), $curDates);
+            $datasets['prev_'.$key] = $fill($query($prevStart, $prevEnd), $prevDates);
+        }
+
+        return response()->json(array_merge([
+            'labels' => array_map(fn ($d) => Carbon::parse($d)->format('M j'), $curDates),
+            'prev_label' => $prevStart->format('M j').' – '.$prevEnd->format('M j'),
+        ], $datasets));
+    }
 }

app/Http/Controllers/Api/UploadedFilesController.php

@@ -52,7 +52,7 @@ class UploadedFilesController extends Controller
         $uploads = self::$map_object_type[$object_type]::withTrashed()->find($id)->uploads()
             ->with('adminuser');
 
-        $offset = ($request->input('offset') > $uploads->count()) ? $uploads->count() : abs($request->input('offset'));
+        $offset = ($request->input('offset') > $uploads->count()) ? $uploads->count() : app('api_offset_value');
         $limit = app('api_limit_value');
         $order = $request->input('order') === 'asc' ? 'asc' : 'desc';
         $sort = in_array($request->input('sort'), $allowed_columns) ? $request->input('sort') : 'created_at';

app/Http/Controllers/Api/UsersController.php

@@ -22,6 +22,7 @@ use App\Models\Asset;
 use App\Models\Company;
 use App\Models\Consumable;
 use App\Models\License;
+use App\Models\Setting;
 use App\Models\User;
 use App\Notifications\CurrentInventory;
 use App\Notifications\WelcomeNotification;
@@ -51,7 +52,6 @@ class UsersController extends Controller
             'users.address',
             'users.avatar',
             'users.city',
-            'users.company_id',
             'users.country',
             'users.created_by',
             'users.created_at',
@@ -89,7 +89,7 @@ class UsersController extends Controller
         ])->with('manager')
             ->with('groups')
             ->with('userloc')
-            ->with('company')
+            ->with('companies')
             ->with('department')
             ->with('createdBy')
             ->withCount([
@@ -191,7 +191,7 @@ class UsersController extends Controller
         }
 
         if ($request->filled('company_id')) {
-            $users = $users->where('users.company_id', '=', $request->input('company_id'));
+            $users = $users->whereHas('companies', fn ($q) => $q->where('companies.id', $request->input('company_id')));
         }
 
         if ($request->filled('phone')) {
@@ -380,6 +380,8 @@ class UsersController extends Controller
      */
     public function selectlist(Request $request): array
     {
+        $this->authorize('view.selectlists');
+
         $users = User::select(
             [
                 'users.id',
@@ -394,6 +396,22 @@ class UsersController extends Controller
             ]
         )->where('show_in_list', '=', '1');
 
+        // When FMCS is enabled, automatically scope to companies the acting user belongs to.
+        // scopeCompanyables is a no-op for superusers and when FMCS is disabled.
+        $users = Company::scopeCompanyables($users, 'company_id', 'users');
+
+        // Allow further narrowing to a specific company passed via data-company-ids on the select.
+        if ((Setting::getSettings()->full_multiple_companies_support == '1') && $request->filled('companyId')) {
+            $companyIds = array_values(array_filter(array_map('intval', explode(',', $request->input('companyId')))));
+            if (! empty($companyIds)) {
+                $users = Company::scopeUsersByCompanyIds($users, $companyIds);
+            }
+        }
+
+        if ($request->filled('excludeId')) {
+            $users->where('users.id', '!=', (int) $request->input('excludeId'));
+        }
+
         if ($request->filled('search')) {
             $users = $users->where(function ($query) use ($request) {
                 $query->SimpleNameSearch($request->input('search'))
@@ -441,7 +459,6 @@ class UsersController extends Controller
         $authenticatedUser = auth()->user();
         $user = new User;
         $user->fill($request->all());
-        $user->company_id = Company::getIdForCurrentUser($request->input('company_id'));
         $user->created_by = auth()->id();
 
         if ($request->has('permissions')) {
@@ -486,6 +503,12 @@ class UsersController extends Controller
                 $user->groups()->sync($request->input('groups'));
             }
 
+            // Sync company memberships from company_ids[] or fall back to scalar company_id
+            $companyIds = array_filter(
+                (array) ($request->input('company_ids') ?? ($request->filled('company_id') ? [$request->input('company_id')] : []))
+            );
+            $user->syncCompaniesWithLogging(Company::getIdsForCurrentUser(array_map('intval', $companyIds)));
+
             return response()->json(Helper::formatStandardApiResponse('success', (new UsersTransformer)->transformUser($user), trans('admin/users/message.success.create')));
         }
 
@@ -569,15 +592,12 @@ class UsersController extends Controller
                     requestedPermissions: NormalizePermissionsPayloadAction::run($request->input('permissions')),
                     authenticatedUser: $authenticatedUser,
                     originalPermissions: NormalizePermissionsPayloadAction::run($user->decodePermissions()),
+                    targetUser: $user,
                 ));
             }
 
         }
 
-        if ($request->filled('company_id')) {
-            $user->company_id = Company::getIdForCurrentUser($request->input('company_id'));
-        }
-
         if ($user->id == $request->input('manager_id')) {
             return response()->json(Helper::formatStandardApiResponse('error', null, 'You cannot be your own manager'));
         }
@@ -606,6 +626,18 @@ class UsersController extends Controller
                 $user->groups()->sync($request->input('groups'));
             }
 
+            // company_ids (new format) = full replacement sync.
+            // Legacy company_id = add without removing other associations.
+            if ($request->has('company_ids')) {
+                $companyIds = array_filter(array_map('intval', (array) $request->input('company_ids')));
+                $user->syncCompaniesWithLogging(Company::getIdsForCurrentUser($companyIds));
+            } elseif ($request->filled('company_id')) {
+                $filtered = Company::getIdsForCurrentUser([(int) $request->input('company_id')]);
+                if (! empty($filtered)) {
+                    $user->companies()->syncWithoutDetaching($filtered);
+                }
+            }
+
             return response()->json(Helper::formatStandardApiResponse('success', (new UsersTransformer)->transformUser($user), trans('admin/users/message.success.update')));
         }
 

app/Http/Controllers/Assets/AssetCheckinController.php

@@ -84,7 +84,7 @@ class AssetCheckinController extends Controller
     public function store(AssetCheckinRequest $request, $assetId = null, $backto = null): RedirectResponse
     {
         // Check if the asset exists
-        if (is_null($asset = Asset::find($assetId))) {
+        if (is_null($asset = Asset::withTrashed()->find($assetId))) {
             // Redirect to the asset management page with error
             return redirect()->route('hardware.index')->with('error', trans('admin/hardware/message.does_not_exist'));
         }
@@ -135,12 +135,16 @@ class AssetCheckinController extends Controller
 
         $asset->location_id = $asset->rtd_location_id;
 
-        if ($request->filled('location_id')) {
-            Log::debug('NEW Location ID: '.$request->input('location_id'));
-            $asset->location_id = $request->input('location_id');
-
-            if ($request->input('update_default_location') == 0) {
-                $asset->rtd_location_id = $request->input('location_id');
+        if ($request->has('location_id')) {
+            if ($request->filled('location_id')) {
+                Log::debug('NEW Location ID: '.$request->input('location_id'));
+                $asset->location_id = $request->input('location_id');
+                if ($request->input('update_default_location') == 0) {
+                    $asset->rtd_location_id = $request->input('location_id');
+                }
+            } else {
+                // Explicitly submitted as empty — clear the location
+                $asset->location_id = null;
             }
         }
 
@@ -175,6 +179,10 @@ class AssetCheckinController extends Controller
         $asset->customFieldsForCheckinCheckout('display_checkin');
 
         if ($asset->save()) {
+            // Update the location of any child assets
+            Asset::where('assigned_type', Asset::class)
+                ->where('assigned_to', $asset->id)
+                ->update(['location_id' => $asset->location_id]);
 
             event(new CheckoutableCheckedIn($asset, $target, auth()->user(), $request->input('note'), $checkin_at, $originalValues));
 

app/Http/Controllers/Assets/AssetCheckoutController.php

@@ -4,12 +4,11 @@ namespace App\Http\Controllers\Assets;
 
 use App\Exceptions\CheckoutNotAllowed;
 use App\Helpers\Helper;
-use App\Http\Controllers\CheckInOutRequest;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\AssetCheckoutRequest;
+use App\Http\Traits\CheckInOutTrait;
 use App\Models\Asset;
 use App\Models\CheckoutAcceptance;
-use App\Models\Setting;
 use App\Models\User;
 use Illuminate\Contracts\View\View;
 use Illuminate\Database\Eloquent\ModelNotFoundException;
@@ -17,7 +16,7 @@ use Illuminate\Http\RedirectResponse;
 
 class AssetCheckoutController extends Controller
 {
-    use CheckInOutRequest;
+    use CheckInOutTrait;
 
     /**
      * Returns a view that presents a form to check an asset out to a
@@ -119,13 +118,18 @@ class AssetCheckoutController extends Controller
             // Add any custom fields that should be included in the checkout
             $asset->customFieldsForCheckinCheckout('display_checkout');
 
-            $settings = Setting::getSettings();
+            if (! $asset->canCheckoutTo($target)) {
+                $targetType = match (class_basename($target)) {
+                    'User' => trans('general.user'),
+                    'Location' => trans('general.location'),
+                    default => trans('general.asset'),
+                };
 
-            // We have to check whether $target->company_id is null here since locations don't have a company yet
-            if (($settings->full_multiple_companies_support) && ((! is_null($target->company_id)) && (! is_null($asset->company_id)))) {
-                if ($target->company_id != $asset->company_id) {
-                    return redirect()->route('hardware.checkout.create', $asset)->with('error', trans('general.error_user_company'));
-                }
+                return redirect()->route('hardware.checkout.create', $asset)->with('error', trans('general.error_checkout_company_mismatch', [
+                    'item' => trans('general.asset').' "'.$asset->display_name.'"',
+                    'item_company' => $asset->company?->name ?? trans('general.unassigned'),
+                    'target' => $targetType.' "'.($target->name ?? $target->username ?? $target->id).'"',
+                ]));
             }
 
             session()->put([

app/Http/Controllers/Assets/AssetsController.php

@@ -66,7 +66,8 @@ class AssetsController extends Controller
     public function index(Request $request): View
     {
         $this->authorize('index', Asset::class);
-        $company = Company::find($request->input('company_id'));
+        $companyId = $request->input('company_id');
+        $company = is_scalar($companyId) ? Company::find($companyId) : null;
 
         return view('hardware/index')->with('company', $company);
     }
@@ -357,7 +358,7 @@ class AssetsController extends Controller
 
             $qr_code = (object) [
                 'display' => $settings->qr_code == '1',
-                'url' => route('qr_code/hardware', $asset),
+                'url' => route('qr_code/common', ['object_type' => 'hardware', 'id' => $asset->id]),
             ];
 
             $total_maintenance_cost = $asset->maintenances?->sum('cost');
@@ -442,7 +443,7 @@ class AssetsController extends Controller
 
         if ($request->filled('image_delete')) {
             try {
-                unlink(public_path().'/uploads/assets/'.$asset->image);
+                unlink(public_path().'/uploads/assets/'.basename($asset->image));
                 $asset->image = '';
             } catch (\Exception $e) {
                 Log::info($e);
@@ -510,7 +511,7 @@ class AssetsController extends Controller
 
         // Validate required serial based on model setting
         if ($model && $model->require_serial === 1 && empty($serial[1])) {
-            return redirect()->to(Helper::getRedirectOption($request, $asset->id, 'Assets'))
+            return Helper::getRedirectOption($request, $asset->id, 'Assets')
                 ->with('warning', trans('admin/hardware/form.serial_required_post_model_update', [
                     'asset_model' => $model->name,
                 ]));
@@ -548,7 +549,7 @@ class AssetsController extends Controller
 
         if ($asset->image) {
             try {
-                Storage::disk('public')->delete('assets'.'/'.$asset->image);
+                Storage::disk('public')->delete('assets/'.basename($asset->image));
             } catch (\Exception $e) {
                 Log::debug($e);
             }
@@ -566,11 +567,12 @@ class AssetsController extends Controller
      *
      * @since [v3.0]
      */
-    public function getAssetBySerial(Request $request): RedirectResponse
+    public function getAssetBySerial(Request $request, $serial = null): RedirectResponse
     {
+        $serial = $serial ?: $request->input('serial');
         $topsearch = ($request->input('topsearch') == 'true');
 
-        if (! $asset = Asset::where('serial', '=', $request->input('serial'))->first()) {
+        if (! $asset = Asset::where('serial', '=', $serial)->first()) {
             return redirect()->route('hardware.index')->with('error', trans('admin/hardware/message.does_not_exist'));
         }
         $this->authorize('view', $asset);

app/Http/Controllers/Assets/BulkAssetsController.php

@@ -2,20 +2,25 @@
 
 namespace App\Http\Controllers\Assets;
 
+use App\Events\CheckoutableCheckedIn;
 use App\Events\CheckoutablesCheckedOutInBulk;
 use App\Helpers\Helper;
-use App\Http\Controllers\CheckInOutRequest;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\AssetCheckoutRequest;
+use App\Http\Traits\CheckInOutTrait;
 use App\Models\Asset;
 use App\Models\AssetModel;
+use App\Models\CheckoutAcceptance;
 use App\Models\Company;
 use App\Models\CustomField;
+use App\Models\LicenseSeat;
 use App\Models\Setting;
 use App\Models\Statuslabel;
+use App\Models\User;
 use App\View\Label;
 use Carbon\Carbon;
 use Illuminate\Contracts\View\View;
+use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\ModelNotFoundException;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
@@ -27,7 +32,7 @@ use Illuminate\Support\Facades\Log;
 
 class BulkAssetsController extends Controller
 {
-    use CheckInOutRequest;
+    use CheckInOutTrait;
 
     /**
      * Display the bulk edit page.
@@ -73,6 +78,16 @@ class BulkAssetsController extends Controller
             return redirect()->route('hardware.bulkcheckout.show');
         }
 
+        if ($request->input('bulk_actions') === 'checkin') {
+            $referer = request()->headers->get('referer');
+            if ($referer && parse_url($referer, PHP_URL_HOST) === parse_url(config('app.url'), PHP_URL_HOST)) {
+                redirect()->setIntendedUrl($referer);
+            }
+            $request->session()->flashInput(['selected_assets' => $asset_ids]);
+
+            return redirect()->route('hardware.bulkcheckin.show');
+        }
+
         if ($request->input('bulk_actions') === 'maintenance') {
             $request->session()->flashInput(['selected_assets' => $asset_ids]);
 
@@ -673,18 +688,25 @@ class BulkAssetsController extends Controller
                     ->with('error', trans('general.error_assets_already_checked_out'));
             }
 
-            // Prevent checking out assets across companies if FMCS enabled
-            if (Setting::getSettings()->full_multiple_companies_support && $target->company_id) {
-                $company_ids = $assets->pluck('company_id')->unique();
+            // Prevent checking out assets across companies if FMCS enabled.
+            if (Setting::getSettings()->full_multiple_companies_support) {
+                $company_ids = $assets->pluck('company_id')->filter()->unique();
 
-                // if there is more than one unique company id or the singular company id does not match
-                // then the checkout is invalid
-                if ($company_ids->count() > 1 || $company_ids->first() != $target->company_id) {
-                    // re-add the asset ids so the assets select is re-populated
-                    $request->session()->flashInput(['selected_assets' => $asset_ids]);
+                if ($company_ids->isNotEmpty()) {
+                    if ($company_ids->count() > 1) {
+                        // Selected assets span multiple companies; bulk checkout can't satisfy all of them.
+                        $mismatch = true;
+                    } else {
+                        // All assets share the same company; let the model enforce the checkout rules.
+                        $mismatch = ! $assets->first()->canCheckoutTo($target);
+                    }
 
-                    return redirect(route('hardware.bulkcheckout.show'))
-                        ->with('error', trans('general.error_user_company_multiple'));
+                    if ($mismatch) {
+                        $request->session()->flashInput(['selected_assets' => $asset_ids]);
+
+                        return redirect(route('hardware.bulkcheckout.show'))
+                            ->with('error', trans('general.error_user_company_multiple'));
+                    }
                 }
             }
 
@@ -759,6 +781,112 @@ class BulkAssetsController extends Controller
 
     }
 
+    /**
+     * Show Bulk Checkin Page
+     */
+    public function showCheckin(): View
+    {
+        $this->authorize('checkin', Asset::class);
+
+        $notAssigned = collect();
+
+        if (old('selected_assets') && is_array(old('selected_assets'))) {
+            $assets = Asset::withTrashed()->findMany(old('selected_assets'));
+
+            [$assigned, $notAssigned] = $assets->partition(function (Asset $asset) {
+                return $asset->assigned_to;
+            });
+
+            session()->flashInput(['selected_assets' => $assigned->pluck('id')->values()->toArray()]);
+        }
+
+        $do_not_change = ['' => trans('general.do_not_change')];
+        $status_label_list = $do_not_change + Helper::statusLabelList();
+
+        return view('hardware/bulk-checkin', [
+            'statusLabel_list' => $status_label_list,
+            'removed_assets' => $notAssigned,
+        ]);
+    }
+
+    /**
+     * Process Multiple Checkin Request
+     */
+    public function storeCheckin(Request $request): RedirectResponse
+    {
+        $this->authorize('checkin', Asset::class);
+
+        if (! is_array($request->input('selected_assets'))) {
+            return redirect()->route('hardware.bulkcheckin.show')->withInput()->with('error', trans('admin/hardware/message.multi-checkin.no_assets_selected'));
+        }
+
+        $asset_ids = array_filter($request->input('selected_assets'));
+
+        $assets = Asset::withTrashed()->findOrFail($asset_ids);
+
+        $checkin_at = date('Y-m-d H:i:s');
+        if ($request->filled('checkin_at') && $request->input('checkin_at') != date('Y-m-d')) {
+            $checkin_at = $request->input('checkin_at');
+        }
+
+        $errors = [];
+        $admin = auth()->user();
+
+        DB::transaction(function () use ($assets, $admin, $checkin_at, $request, &$errors) {
+            foreach ($assets as $asset) {
+                $this->authorize('checkin', $asset);
+
+                if (is_null($asset->assignedTo)) {
+                    continue;
+                }
+
+                $target = $asset->assignedTo;
+                $originalValues = $asset->getRawOriginal();
+
+                $asset->expected_checkin = null;
+                $asset->assignedTo()->disassociate($asset);
+                $asset->accepted = null;
+
+                if ($request->filled('status_id')) {
+                    $asset->status_id = $request->input('status_id');
+                }
+
+                $asset->location_id = $asset->rtd_location_id;
+                $asset->last_checkin = $checkin_at;
+
+                if ($request->boolean('checkin_licenses')) {
+                    $asset->licenseseats->each(function (LicenseSeat $seat) {
+                        $seat->update(['assigned_to' => null]);
+                    });
+                }
+
+                CheckoutAcceptance::pending()->whereHasMorph('checkoutable', [Asset::class], function (Builder $query) use ($asset) {
+                    $query->where('id', $asset->id);
+                })->get()->each->delete();
+
+                if ($asset->save()) {
+                    if ($request->boolean('checkin_child_assets')) {
+                        Asset::where('assigned_type', Asset::class)
+                            ->where('assigned_to', $asset->id)
+                            ->update(['location_id' => $asset->location_id]);
+                    }
+
+                    event(new CheckoutableCheckedIn($asset, $target, $admin, $request->input('note'), $checkin_at, $originalValues));
+                } else {
+                    $errors = array_merge_recursive($errors, $asset->getErrors()->toArray());
+                }
+            }
+        });
+
+        if (! $errors) {
+            return redirect()->intended(route('hardware.index'))->with('success', trans_choice('admin/hardware/message.multi-checkin.success', count($asset_ids)));
+        }
+
+        return redirect()->route('hardware.bulkcheckin.show')->withInput()
+            ->with('error', trans_choice('admin/hardware/message.multi-checkin.error', count($asset_ids)))
+            ->withErrors($errors);
+    }
+
     public function restore(Request $request): RedirectResponse
     {
         $this->authorize('update', Asset::class);

app/Http/Controllers/Auth/LoginController.php

@@ -106,15 +106,21 @@ class LoginController extends Controller
         if ($saml->isEnabled() && ! empty($samlData)) {
 
             try {
+
                 $user = $saml->samlLogin($samlData);
                 $notValidAfter = new \Carbon\Carbon(@$samlData['assertionNotOnOrAfter']);
                 if (\Carbon::now()->greaterThanOrEqualTo($notValidAfter)) {
                     abort(400, 'Expired SAML Assertion');
                 }
-                if (SamlNonce::where('nonce', @$samlData['nonce'])->count() > 0) {
-                    abort(400, 'Assertion has already been used');
+                try {
+                    SamlNonce::create([
+                        'nonce' => $samlData['nonce'],
+                        'not_valid_after' => $notValidAfter,
+                    ]);
+                } catch (\Exception $e) {
+                    \Log::error($e);
+                    abort(400, 'Assertion has already been used.');
                 }
-                Log::debug('okay, fine, this is a new nonce then. Good for you.');
                 if (! is_null($user)) {
                     Auth::login($user);
                 } else {
@@ -128,10 +134,6 @@ class LoginController extends Controller
                     $user->last_login = \Carbon::now();
                     $user->saveQuietly();
                 }
-                $s = new SamlNonce;
-                $s->nonce = @$samlData['nonce'];
-                $s->not_valid_after = $notValidAfter;
-                $s->save();
 
             } catch (\Exception $e) {
                 Log::debug('There was an error authenticating the SAML user: '.$e->getMessage());
@@ -433,7 +435,7 @@ class LoginController extends Controller
             $user->saveQuietly();
             $request->session()->put('2fa_authed', $user->id);
 
-            return redirect()->route('home')->with('success', trans('auth/message.signin.success'));
+            return redirect()->intended()->with('success', trans('auth/message.signin.success'));
         }
 
         return redirect()->route('two-factor')->with('error', trans('auth/message.two_factor.invalid_code'));

app/Http/Controllers/Auth/SamlController.php

@@ -74,7 +74,7 @@ class SamlController extends Controller
     public function login(Request $request)
     {
         $auth = $this->saml->getAuth();
-        $ssoUrl = $auth->login(null, [], false, false, false, false);
+        $ssoUrl = $auth->login(session()->get('url.intended'), [], false, false, false, false);
 
         return redirect()->away($ssoUrl);
     }
@@ -96,6 +96,7 @@ class SamlController extends Controller
         $saml = $this->saml;
         $auth = $saml->getAuth();
         $saml_exception = false;
+        session()->put('url.intended', str_replace(["\r", "\n"], '', $request->post('RelayState')));
         try {
             $auth->processResponse();
         } catch (\Exception $e) {

app/Http/Controllers/Components/ComponentCheckinController.php

@@ -43,7 +43,8 @@ class ComponentCheckinController extends Controller
             }
             $this->authorize('checkin', $component);
 
-            return view('components/checkin', compact('component_assets', 'component', 'asset'));
+            return view('components/checkin', compact('component_assets', 'component', 'asset'))
+                ->with('snipe_component', $component);
         }
 
         return redirect()->route('components.index')->with('error', trans('admin/components/messages.not_found'));

app/Http/Controllers/Components/ComponentCheckoutController.php

@@ -7,7 +7,6 @@ use App\Helpers\Helper;
 use App\Http\Controllers\Controller;
 use App\Models\Asset;
 use App\Models\Component;
-use App\Models\Setting;
 use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Contracts\View\View;
 use Illuminate\Http\RedirectResponse;
@@ -46,7 +45,8 @@ class ComponentCheckoutController extends Controller
                 }
 
                 // Return the checkout view
-                return view('components/checkout', compact('component'));
+                return view('components/checkout', compact('component'))
+                    ->with('snipe_component', $component);
             }
 
             // Invalid category
@@ -103,8 +103,12 @@ class ComponentCheckoutController extends Controller
         // Check if the asset exists
         $asset = Asset::find($request->input('asset_id'));
 
-        if ((Setting::getSettings()->full_multiple_companies_support) && $component->company_id !== $asset->company_id) {
-            return redirect()->route('components.checkout.show', $componentId)->with('error', trans('general.error_user_company'));
+        if (! $component->canCheckoutTo($asset)) {
+            return redirect()->route('components.checkout.show', $componentId)->with('error', trans('general.error_checkout_company_mismatch', [
+                'item' => trans('general.component').' "'.$component->name.'"',
+                'item_company' => $component->company?->name ?? trans('general.unassigned'),
+                'target' => trans('general.asset').' "'.$asset->display_name.'"',
+            ]));
         }
 
         $component->checkout_qty = $request->input('assigned_qty');

app/Http/Controllers/Components/ComponentsController.php

@@ -4,7 +4,8 @@ namespace App\Http\Controllers\Components;
 
 use App\Helpers\Helper;
 use App\Http\Controllers\Controller;
-use App\Http\Requests\ImageUploadRequest;
+use App\Http\Requests\StoreComponentRequest;
+use App\Http\Requests\UpdateComponentRequest;
 use App\Models\Company;
 use App\Models\Component;
 use Illuminate\Auth\Access\AuthorizationException;
@@ -12,7 +13,6 @@ use Illuminate\Contracts\View\View;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Storage;
-use Illuminate\Support\Facades\Validator;
 
 /**
  * This class controls all actions related to Components for
@@ -74,7 +74,7 @@ class ComponentsController extends Controller
      *
      * @throws AuthorizationException
      */
-    public function store(ImageUploadRequest $request)
+    public function store(StoreComponentRequest $request)
     {
         $this->authorize('create', Component::class);
         $component = new Component;
@@ -148,21 +148,10 @@ class ComponentsController extends Controller
      *
      * @since [v3.0]
      */
-    public function update(ImageUploadRequest $request, Component $component)
+    public function update(UpdateComponentRequest $request, Component $component)
     {
-        $min = $component->numCheckedOut();
-        $validator = Validator::make($request->all(), [
-            'qty' => "required|numeric|min:$min",
-        ]);
-
-        if ($validator->fails()) {
-            return redirect()->back()
-                ->withErrors($validator)
-                ->withInput();
-        }
-
         $this->authorize('update', $component);
-
+        
         // Update the component data
         $component->name = $request->input('name');
         $component->category_id = $request->input('category_id');

app/Http/Controllers/Consumables/ConsumableCheckoutController.php

@@ -96,6 +96,14 @@ class ConsumableCheckoutController extends Controller
             return redirect()->route('consumables.checkout.show', $consumable)->with('error', trans('admin/consumables/message.checkout.user_does_not_exist'))->withInput();
         }
 
+        if (! $consumable->canCheckoutTo($user)) {
+            return redirect()->back()->with('error', trans('general.error_checkout_company_mismatch', [
+                'item' => trans('general.consumable').' "'.$consumable->name.'"',
+                'item_company' => $consumable->company?->name ?? trans('general.unassigned'),
+                'target' => trans('general.user').' "'.$user->username.'"',
+            ]));
+        }
+
         // Update the consumable data
         $consumable->assigned_to = e($request->input('assigned_to'));
 

app/Http/Controllers/GoogleAuthController.php

@@ -54,6 +54,7 @@ class GoogleAuthController extends Controller
             Log::debug('Google user '.$socialUser->getEmail().' found in Snipe-IT');
             $user->update([
                 'avatar' => $socialUser->avatar,
+                'last_login' => \Carbon::now(),
             ]);
 
             Auth::login($user, true);

app/Http/Controllers/Kits/CheckoutKitController.php

@@ -2,8 +2,8 @@
 
 namespace App\Http\Controllers\Kits;
 
-use App\Http\Controllers\CheckInOutRequest;
 use App\Http\Controllers\Controller;
+use App\Http\Traits\CheckInOutTrait;
 use App\Models\Asset;
 use App\Models\PredefinedKit;
 use App\Models\User;
@@ -23,7 +23,7 @@ class CheckoutKitController extends Controller
 {
     public $kitService;
 
-    use CheckInOutRequest;
+    use CheckInOutTrait;
 
     public function __construct(PredefinedKitCheckoutService $kitService)
     {
@@ -53,6 +53,8 @@ class CheckoutKitController extends Controller
      */
     public function store(Request $request, $kit_id)
     {
+        $this->authorize('checkout', Asset::class);
+
         $user_id = e($request->input('user_id'));
         if (is_null($user = User::find($user_id))) {
             return redirect()->back()->with('error', trans('admin/users/message.user_not_found'));

app/Http/Controllers/Licenses/BulkLicensesController.php

@@ -0,0 +1,67 @@
+<?php
+
+namespace App\Http\Controllers\Licenses;
+
+use App\Http\Controllers\Controller;
+use App\Models\License;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Gate;
+
+class BulkLicensesController extends Controller
+{
+    public function destroy(Request $request)
+    {
+        $this->authorize('delete', License::class);
+
+        $errors = [];
+        $success_count = 0;
+
+        foreach ($request->input('ids', []) as $id) {
+            $license = License::find($id);
+
+            if (is_null($license)) {
+                $errors[] = trans('admin/licenses/message.does_not_exist');
+
+                continue;
+            }
+
+            if (! Gate::allows('delete', $license)) {
+                $errors[] = trans('general.insufficient_permissions');
+
+                continue;
+            }
+
+            if ($license->assigned_seats_count > 0) {
+                $errors[] = trans('admin/licenses/message.delete.bulk_checkout_warning', ['license_name' => $license->name]);
+
+                continue;
+            }
+
+            // Since assigned_seats_count == 0, all seats already have assigned_to and asset_id as null,
+            // so this update is effectively a no-op. It mirrors the single destroy() and is kept as a
+            // safety net. Bypassing Eloquent events here is intentional and safe — there is nothing
+            // assigned to trigger events on. Prior checkout/checkin history is preserved in action_log
+            // (keyed by LicenseSeat item_type/item_id) and remains accessible even after soft-delete.
+            DB::table('license_seats')
+                ->where('license_id', $license->id)
+                ->update(['assigned_to' => null, 'asset_id' => null]);
+
+            $license->licenseseats()->delete();
+            $license->delete();
+            $success_count++;
+        }
+
+        if (count($errors) > 0) {
+            if ($success_count > 0) {
+                return redirect()->route('licenses.index')
+                    ->with('success', trans_choice('admin/licenses/message.delete.partial_success', $success_count, ['count' => $success_count]))
+                    ->with('multi_error_messages', $errors);
+            }
+
+            return redirect()->route('licenses.index')->with('multi_error_messages', $errors);
+        }
+
+        return redirect()->route('licenses.index')->with('success', trans('admin/licenses/message.delete.bulk_success'));
+    }
+}

app/Http/Controllers/Licenses/LicenseCheckinController.php

@@ -13,6 +13,7 @@ use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Contracts\View\View;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Validator;
 
@@ -35,7 +36,7 @@ class LicenseCheckinController extends Controller
     {
         // Check if the asset exists
         $license = License::find($licenseSeat->license_id);
-        $this->authorize('checkout', $license);
+        $this->authorize('checkin', $license);
 
         return view('licenses/checkin', compact('licenseSeat'))->with('backto', $backTo);
     }
@@ -69,7 +70,7 @@ class LicenseCheckinController extends Controller
             return redirect()->route('licenses.index')->with('error', trans('admin/licenses/message.checkin.error'));
         }
 
-        $this->authorize('checkout', $license);
+        $this->authorize('checkin', $license);
 
         // Declare the rules for the form validation
         $rules = [
@@ -127,10 +128,45 @@ class LicenseCheckinController extends Controller
      * @see LicenseCheckinController::create() method that provides the form view
      * @since [v6.1.1]
      *
-     * @return RedirectResponse
-     *
      * @throws AuthorizationException
      */
+    public function bulkCheckinSelected(Request $request): RedirectResponse
+    {
+        $this->authorize('checkin', License::class);
+
+        $seatIds = $request->input('ids', []);
+
+        if (empty($seatIds)) {
+            return redirect()->back()->with('warning', trans('admin/licenses/general.bulk.checkin_selected.no_seats_selected'));
+        }
+
+        $seats = LicenseSeat::whereIn('id', $seatIds)
+            ->where(function ($query) {
+                $query->whereNotNull('assigned_to')->orWhereNotNull('asset_id');
+            })
+            ->with('license', 'user', 'asset')
+            ->get();
+
+        $count = 0;
+        foreach ($seats as $seat) {
+            if (! $seat->license || ! Gate::allows('checkin', $seat->license)) {
+                continue;
+            }
+            $target = $seat->user ?? $seat->asset;
+            $seat->assigned_to = null;
+            $seat->asset_id = null;
+            if (! $seat->license->reassignable) {
+                $seat->unreassignable_seat = true;
+            }
+            if ($seat->save()) {
+                event(new CheckoutableCheckedIn($seat, $target, auth()->user(), null));
+                $count++;
+            }
+        }
+
+        return redirect()->back()->with('success', trans_choice('admin/licenses/general.bulk.checkin_selected.success', $count, ['count' => $count]));
+    }
+
     public function bulkCheckin(Request $request, $licenseId)
     {
 

app/Http/Controllers/Licenses/LicenseCheckoutController.php

@@ -10,11 +10,13 @@ use App\Models\Asset;
 use App\Models\CheckoutAcceptance;
 use App\Models\License;
 use App\Models\LicenseSeat;
+use App\Models\Setting;
 use App\Models\User;
 use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Contracts\View\View;
 use Illuminate\Http\Exceptions\HttpResponseException;
 use Illuminate\Http\RedirectResponse;
+use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Log;
 
 class LicenseCheckoutController extends Controller
@@ -94,23 +96,53 @@ class LicenseCheckoutController extends Controller
             return redirect()->route('licenses.index')->with('error', trans('admin/licenses/message.checkout.license_is_inactive'));
         }
 
-        $licenseSeat = $this->findLicenseSeatToCheckout($license, $seatId);
-        $licenseSeat->created_by = auth()->id();
-        $licenseSeat->notes = $request->input('notes');
+        if (Setting::getSettings()->full_multiple_companies_support == '1') {
+            if ($request->filled('asset_id')) {
+                $fmcsTarget = Asset::find($request->input('asset_id'));
+                if ($fmcsTarget && ! $license->canCheckoutTo($fmcsTarget)) {
+                    return redirect()->route('licenses.index')->with('error', trans('general.error_checkout_company_mismatch', [
+                        'item' => trans('general.license').' "'.$license->name.'"',
+                        'item_company' => $license->company?->name ?? trans('general.unassigned'),
+                        'target' => trans('general.asset').' "'.$fmcsTarget->display_name.'"',
+                    ]));
+                }
+            } elseif ($request->filled('assigned_to')) {
+                $fmcsTarget = User::find($request->input('assigned_to'));
+                if ($fmcsTarget && ! $license->canCheckoutTo($fmcsTarget)) {
+                    return redirect()->route('licenses.index')->with('error', trans('general.error_checkout_company_mismatch', [
+                        'item' => trans('general.license').' "'.$license->name.'"',
+                        'item_company' => $license->company?->name ?? trans('general.unassigned'),
+                        'target' => trans('general.user').' "'.$fmcsTarget->username.'"',
+                    ]));
+                }
+            }
+        }
+
+        $licenseSeat = null;
+        $checkoutTarget = null;
+
+        DB::transaction(function () use ($request, $license, $seatId, &$licenseSeat, &$checkoutTarget): void {
+            $licenseSeat = $this->findLicenseSeatToCheckout($license, $seatId, lock: true);
+            $licenseSeat->created_by = auth()->id();
+            $licenseSeat->notes = $request->input('notes');
+
+            if ($request->filled('asset_id')) {
+                $checkoutTarget = $this->checkoutToAsset($licenseSeat);
+            } elseif ($request->filled('assigned_to')) {
+                $checkoutTarget = $this->checkoutToUser($licenseSeat);
+            }
+        });
 
         if ($request->filled('asset_id')) {
             session()->put(['checkout_to_type' => 'asset']);
-            $checkoutTarget = $this->checkoutToAsset($licenseSeat);
             $request->request->add(['assigned_asset' => $checkoutTarget->id]);
             session()->put([
                 'redirect_option' => $request->input('redirect_option'),
                 'checkout_to_type' => 'asset',
                 'sign_in_place' => $request->boolean('sign_in_place'),
             ]);
-
         } elseif ($request->filled('assigned_to')) {
             session()->put(['checkout_to_type' => 'user']);
-            $checkoutTarget = $this->checkoutToUser($licenseSeat);
             $request->request->add(['assigned_user' => $checkoutTarget->id]);
             session()->put([
                 'redirect_option' => $request->input('redirect_option'),
@@ -156,9 +188,11 @@ class LicenseCheckoutController extends Controller
         return redirect()->route('licenses.index')->with('error', trans('Something went wrong handling this checkout.'));
     }
 
-    protected function findLicenseSeatToCheckout($license, $seatId)
+    protected function findLicenseSeatToCheckout($license, $seatId, bool $lock = false)
     {
-        $licenseSeat = LicenseSeat::find($seatId) ?? $license->freeSeat();
+        $licenseSeat = $seatId
+            ? LicenseSeat::where('id', $seatId)->when($lock, fn ($q) => $q->lockForUpdate())->first()
+            : $license->freeSeat(lock: $lock);
 
         if (! $licenseSeat) {
             if ($seatId) {
@@ -229,14 +263,10 @@ class LicenseCheckoutController extends Controller
 
         Log::debug('Checking out '.$licenseId.' via bulk');
         $license = License::findOrFail($licenseId);
-        $this->authorize('checkin', $license);
-        $avail_count = $license->getAvailSeatsCountAttribute();
+        $this->authorize('checkout', $license);
 
-        $users = User::whereNull('deleted_at')->where('autoassign_licenses', '=', 1)->with('licenses')->get();
-        Log::debug($avail_count.' will be assigned');
-
-        if ($users->count() > $avail_count) {
-            Log::debug('You do not have enough free seats to complete this task, so we will check out as many as we can. ');
+        if ($license->isInactive()) {
+            return redirect()->back()->with('error', trans('admin/licenses/message.checkout.license_is_inactive'));
         }
 
         // If the license is valid, check that there is an available seat
@@ -244,6 +274,19 @@ class LicenseCheckoutController extends Controller
             return redirect()->back()->with('error', trans('admin/licenses/general.bulk.checkout_all.error_no_seats'));
         }
 
+        $avail_count = $license->getAvailSeatsCountAttribute();
+
+        $usersQuery = User::whereNull('deleted_at')->where('autoassign_licenses', '=', 1)->with('licenses');
+        if (Setting::getSettings()->full_multiple_companies_support && $license->company_id) {
+            $usersQuery->where('company_id', '=', $license->company_id);
+        }
+        $users = $usersQuery->get();
+        Log::debug($avail_count.' will be assigned');
+
+        if ($users->count() > $avail_count) {
+            Log::debug('You do not have enough free seats to complete this task, so we will check out as many as we can. ');
+        }
+
         $assigned_count = 0;
 
         foreach ($users as $user) {

app/Http/Controllers/Licenses/LicensesController.php

@@ -12,6 +12,7 @@ use Illuminate\Contracts\View\View;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\DB;
+use League\Csv\EscapeFormula;
 use Symfony\Component\HttpFoundation\StreamedResponse;
 
 /**
@@ -388,6 +389,8 @@ class LicensesController extends Controller
 
                     fputcsv($handle, $headers);
 
+                    $formatter = new EscapeFormula('`');
+
                     foreach ($licenses as $license) {
                         // Add a new row with data
                         $values = [
@@ -419,7 +422,14 @@ class LicensesController extends Controller
                             $license->created_at,
                         ];
 
-                        fputcsv($handle, $values);
+                        // CSV_ESCAPE_FORMULAS is set to false in the .env
+                        if (config('app.escape_formulas') === false) {
+                            fputcsv($handle, $values);
+
+                            // CSV_ESCAPE_FORMULAS is set to true or is not set in the .env
+                        } else {
+                            fputcsv($handle, $formatter->escapeRecord($values));
+                        }
                     }
                 });
 

app/Http/Controllers/LocationsController.php

@@ -89,19 +89,24 @@ class LocationsController extends Controller
         $location->fax = request('fax');
         $location->tag_color = $request->input('tag_color');
         $location->notes = $request->input('notes');
-        $location->company_id = Company::getIdForCurrentUser($request->input('company_id'));
-
-        // Only scope the location if the setting is enabled
         if (Setting::getSettings()->scope_locations_fmcs) {
             $location->company_id = Company::getIdForCurrentUser($request->input('company_id'));
-            // check if parent is set and has a different company
-            if ($location->parent_id && Location::find($location->parent_id)->company_id != $location->company_id) {
-                return redirect()->back()->withInput()->withInput()->with('error', 'different company than parent');
-            }
         } else {
             $location->company_id = $request->input('company_id');
         }
 
+        // Parent company check applies whenever FMCS is on, independent of scope_locations_fmcs.
+        if (Setting::getSettings()->full_multiple_companies_support) {
+            $parent = $location->parent_id ? Location::find($location->parent_id) : null;
+            if ($parent && $parent->company_id != $location->company_id) {
+                return redirect()->back()->withInput()->with('error', trans('general.error_location_parent_company', [
+                    'parent' => $parent->name,
+                    'parent_company' => $parent->company?->name ?? trans('general.unassigned'),
+                    'location_company' => $location->company?->name ?? trans('general.unassigned'),
+                ]));
+            }
+        }
+
         if ($request->has('use_cloned_image')) {
             $cloned_model_img = Location::select('image')->find($request->input('clone_image_from_id'));
             if ($cloned_model_img) {
@@ -171,17 +176,34 @@ class LocationsController extends Controller
         $location->tag_color = $request->input('tag_color');
         $location->notes = $request->input('notes');
 
-        // Only scope the location if the setting is enabled
         if (Setting::getSettings()->scope_locations_fmcs) {
             $location->company_id = Company::getIdForCurrentUser($request->input('company_id'));
             // check if there are related objects with different company
-            if (Helper::test_locations_fmcs(false, $location->id, $location->company_id)) {
-                return redirect()->back()->withInput()->withInput()->with('error', 'error scoped locations');
+            if ($mismatched = Helper::test_locations_fmcs(false, $location->id, $location->company_id)) {
+                $first = $mismatched[0];
+
+                return redirect()->back()->withInput()->with('error', trans('general.error_location_scoped_items', [
+                    'item_type' => trans('general.'.strtolower($first[0])),
+                    'item_name' => $first[2],
+                    'item_company' => $first[5] ?? trans('general.unassigned'),
+                ]));
             }
         } else {
             $location->company_id = $request->input('company_id');
         }
 
+        // Parent company check applies whenever FMCS is on, independent of scope_locations_fmcs.
+        if (Setting::getSettings()->full_multiple_companies_support) {
+            $parent = $location->parent_id ? Location::find($location->parent_id) : null;
+            if ($parent && $parent->company_id != $location->company_id) {
+                return redirect()->back()->withInput()->with('error', trans('general.error_location_parent_company', [
+                    'parent' => $parent->name,
+                    'parent_company' => $parent->company?->name ?? trans('general.unassigned'),
+                    'location_company' => $location->company?->name ?? trans('general.unassigned'),
+                ]));
+            }
+        }
+
         $location = $request->handleImages($location);
 
         if ($location->save()) {
@@ -277,7 +299,7 @@ class LocationsController extends Controller
                 ->with('assignedAssets', $location->assignedAssets)
                 ->with('accessories', $location->accessories)
                 ->with('assignedAccessories', $location->assignedAccessories)
-                ->with('users', $location->users)
+                ->with('users', $location->users()->with('companies')->get())
                 ->with('location', $location)
                 ->with('consumables', $location->consumables)
                 ->with('components', $location->components)
@@ -297,7 +319,7 @@ class LocationsController extends Controller
                 ->with('assignedAssets', $location->assignedAssets)
                 ->with('accessories', $location->accessories)
                 ->with('assignedAccessories', $location->assignedAccessories)
-                ->with('users', $location->users)
+                ->with('users', $location->users()->with('companies')->get())
                 ->with('location', $location)
                 ->with('consumables', $location->consumables)
                 ->with('components', $location->components)

app/Http/Controllers/MaintenanceTypesController.php

@@ -0,0 +1,72 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Models\MaintenanceType;
+use Illuminate\Contracts\View\View;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+
+class MaintenanceTypesController extends Controller
+{
+    public function index(): View
+    {
+        $this->authorize('index', MaintenanceType::class);
+
+        return view('maintenance-types.index');
+    }
+
+    public function create(): View
+    {
+        $this->authorize('create', MaintenanceType::class);
+
+        return view('maintenance-types.edit')->with('item', new MaintenanceType);
+    }
+
+    public function store(Request $request): RedirectResponse
+    {
+        $this->authorize('create', MaintenanceType::class);
+
+        $type = new MaintenanceType;
+        $type->name = $request->input('name');
+        $type->created_by = auth()->id();
+
+        if ($type->save()) {
+            return redirect()->route('maintenance-types.index')
+                ->with('success', trans('admin/maintenance_types/message.create.success'));
+        }
+
+        return redirect()->back()->withInput()->withErrors($type->getErrors());
+    }
+
+    public function edit(MaintenanceType $maintenanceType): View
+    {
+        $this->authorize('update', $maintenanceType);
+
+        return view('maintenance-types.edit')->with('item', $maintenanceType);
+    }
+
+    public function update(Request $request, MaintenanceType $maintenanceType): RedirectResponse
+    {
+        $this->authorize('update', $maintenanceType);
+
+        $maintenanceType->name = $request->input('name');
+
+        if ($maintenanceType->save()) {
+            return redirect()->route('maintenance-types.index')
+                ->with('success', trans('admin/maintenance_types/message.update.success'));
+        }
+
+        return redirect()->back()->withInput()->withErrors($maintenanceType->getErrors());
+    }
+
+    public function destroy(MaintenanceType $maintenanceType): RedirectResponse
+    {
+        $this->authorize('delete', $maintenanceType);
+
+        $maintenanceType->delete();
+
+        return redirect()->route('maintenance-types.index')
+            ->with('success', trans('admin/maintenance_types/message.delete.success'));
+    }
+}

app/Http/Controllers/MaintenancesController.php

@@ -2,13 +2,19 @@
 
 namespace App\Http\Controllers;
 
+use App\Enums\ActionType;
 use App\Http\Requests\ImageUploadRequest;
+use App\Http\Requests\UploadFileRequest;
+use App\Models\Actionlog;
 use App\Models\Asset;
+use App\Models\Company;
 use App\Models\Maintenance;
-use Carbon\Carbon;
+use App\Models\MaintenanceType;
 use Illuminate\Contracts\View\View;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Facades\Validator;
 
 /**
  * This controller handles all actions related to Asset Maintenance for
@@ -54,6 +60,7 @@ class MaintenancesController extends Controller
 
         return view('maintenances/edit')
             ->with('maintenanceType', Maintenance::getImprovementOptions())
+            ->with('maintenanceTypes', MaintenanceType::orderBy('name')->get())
             ->with('asset', $asset)
             ->with('item', new Maintenance);
     }
@@ -72,12 +79,17 @@ class MaintenancesController extends Controller
     public function store(ImageUploadRequest $request): RedirectResponse
     {
         $this->authorize('update', Asset::class);
+        $this->validateUploadedFiles($request);
 
         $assets = Asset::whereIn('id', $request->input('selected_assets'))->get();
 
         // Loop through the selected assets
         foreach ($assets as $asset) {
 
+            if (! Company::isCurrentUserHasAccess($asset)) {
+                continue;
+            }
+
             $maintenance = new Maintenance;
             $maintenance->supplier_id = $request->input('supplier_id');
             $maintenance->is_warranty = $request->input('is_warranty');
@@ -88,26 +100,21 @@ class MaintenancesController extends Controller
             // Save the asset maintenance data
             $maintenance->asset_id = $asset->id;
             $maintenance->asset_maintenance_type = $request->input('asset_maintenance_type');
+            $maintenance->maintenance_type_id = $request->input('maintenance_type_id');
             $maintenance->name = $request->input('name');
             $maintenance->start_date = $request->input('start_date');
             $maintenance->completion_date = $request->input('completion_date');
+            $maintenance->responsible_party_id = $request->input('responsible_party_id') ?: auth()->id();
             $maintenance->created_by = auth()->id();
 
-            if (($maintenance->completion_date !== null)
-                && ($maintenance->start_date !== '')
-                && ($maintenance->start_date !== '0000-00-00')
-            ) {
-                $startDate = Carbon::parse($maintenance->start_date);
-                $completionDate = Carbon::parse($maintenance->completion_date);
-                $maintenance->asset_maintenance_time = (int) $completionDate->diffInDays($startDate, true);
-            }
-
-            $maintenance = $request->handleImages($maintenance);
+            $request->handleImages($maintenance);
 
             // Was the asset maintenance created?
             if (! $maintenance->save()) {
                 return redirect()->back()->withInput()->withErrors($maintenance->getErrors());
             }
+
+            $this->storeUploadedFiles($request, $maintenance);
         }
 
         return redirect()->route('maintenances.index')
@@ -135,6 +142,7 @@ class MaintenancesController extends Controller
             ->with('selected_assets', $maintenance->asset->pluck('id')->toArray())
             ->with('asset_ids', request()->input('asset_ids', []))
             ->with('maintenanceType', Maintenance::getImprovementOptions())
+            ->with('maintenanceTypes', MaintenanceType::orderBy('name')->get())
             ->with('item', $maintenance);
     }
 
@@ -156,37 +164,24 @@ class MaintenancesController extends Controller
     {
         $this->authorize('update', Asset::class);
         $this->authorize('update', $maintenance->asset);
+        $this->validateUploadedFiles($request);
 
         $maintenance->supplier_id = $request->input('supplier_id');
         $maintenance->is_warranty = $request->input('is_warranty', 0);
         $maintenance->cost = $request->input('cost');
         $maintenance->notes = $request->input('notes');
         $maintenance->asset_maintenance_type = $request->input('asset_maintenance_type');
+        $maintenance->maintenance_type_id = $request->input('maintenance_type_id');
         $maintenance->name = $request->input('name');
         $maintenance->start_date = $request->input('start_date');
         $maintenance->completion_date = $request->input('completion_date');
+        $maintenance->responsible_party_id = $request->input('responsible_party_id');
         $maintenance->url = $request->input('url');
-
-        // Todo - put this in a getter/setter?
-        if (($maintenance->completion_date == null)) {
-            if (($maintenance->asset_maintenance_time !== 0)
-              || (! is_null($maintenance->asset_maintenance_time))
-            ) {
-                $maintenance->asset_maintenance_time = null;
-            }
-        }
-
-        if (($maintenance->completion_date !== null)
-          && ($maintenance->start_date !== '')
-          && ($maintenance->start_date !== '0000-00-00')
-        ) {
-            $startDate = Carbon::parse($maintenance->start_date);
-            $completionDate = Carbon::parse($maintenance->completion_date);
-            $maintenance->asset_maintenance_time = (int) $completionDate->diffInDays($startDate, true);
-        }
-        $maintenance = $request->handleImages($maintenance);
+        $request->handleImages($maintenance);
 
         if ($maintenance->save()) {
+            $this->storeUploadedFiles($request, $maintenance);
+
             return redirect()->route('maintenances.index')
                 ->with('success', trans('admin/maintenances/message.edit.success'));
         }
@@ -194,6 +189,86 @@ class MaintenancesController extends Controller
         return redirect()->back()->withInput()->withErrors($maintenance->getErrors());
     }
 
+    /**
+     * Stores any generic file uploads submitted from the maintenance form.
+     */
+    private function storeUploadedFiles(ImageUploadRequest $request, Maintenance $maintenance): void
+    {
+        if (! $request->hasFile('file')) {
+            return;
+        }
+
+        $objectType = 'maintenances';
+        $storagePath = self::$map_storage_path[$objectType];
+
+        if (! Storage::exists($storagePath)) {
+            Storage::makeDirectory($storagePath, 775);
+        }
+
+        $uploadFileRequest = app(UploadFileRequest::class);
+
+        foreach ((array) $request->file('file') as $file) {
+            if (! $file) {
+                continue;
+            }
+
+            $fileName = $uploadFileRequest->handleFile(
+                $storagePath,
+                self::$map_file_prefix[$objectType].'-'.$maintenance->id,
+                $file
+            );
+
+            $maintenance->logUpload($fileName, $request->input('file_notes'));
+        }
+    }
+
+    /**
+     * Validate generic file uploads with the shared UploadFileRequest rules.
+     */
+    private function validateUploadedFiles(ImageUploadRequest $request): void
+    {
+        if (! $request->hasFile('file')) {
+            return;
+        }
+
+        $uploadFileRequest = app(UploadFileRequest::class);
+
+        Validator::make(
+            array_merge($request->all(), ['file' => $request->file('file')]),
+            $uploadFileRequest->rules()
+        )->validate();
+    }
+
+    /**
+     * Mark a maintenance record as complete, logging who completed it and when.
+     */
+    public function complete(Request $request, Maintenance $maintenance): RedirectResponse
+    {
+        $this->authorize('update', $maintenance->asset);
+
+        if ($maintenance->completed_at) {
+            return redirect()->back()
+                ->with('warning', trans('admin/maintenances/form.already_complete'));
+        }
+
+        $maintenance->completed_at = now();
+        $maintenance->completed_by = auth()->id();
+        $maintenance->asset_maintenance_time = (int) $maintenance->created_at->diffInDays(now(), true);
+        $maintenance->saveQuietly();
+
+        $logAction = new Actionlog;
+        $logAction->item_type = Maintenance::class;
+        $logAction->item_id = $maintenance->id;
+        $logAction->target_type = Asset::class;
+        $logAction->target_id = $maintenance->asset_id;
+        $logAction->created_by = auth()->id();
+        $logAction->note = $request->input('note');
+        $logAction->logaction(ActionType::MaintenanceComplete);
+
+        return redirect()->back()
+            ->with('success', trans('admin/maintenances/message.complete.success'));
+    }
+
     /**
      *  Delete an asset maintenance
      *

app/Http/Controllers/ModalController.php

@@ -30,6 +30,7 @@ class ModalController extends Controller
             'kit-consumable',
             'kit-accessory',
             'location',
+            'maintenance-type',
             'manufacturer',
             'model',
             'statuslabel',

app/Http/Controllers/NotesController.php

@@ -4,13 +4,15 @@ namespace App\Http\Controllers;
 
 use App\Models\Actionlog;
 use App\Models\Asset;
+use App\Models\Maintenance;
+use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Validation\Rule;
 
 class NotesController extends Controller
 {
-    public function store(Request $request)
+    public function store(Request $request): RedirectResponse
     {
         $this->authorize('update', Asset::class);
 
@@ -19,13 +21,19 @@ class NotesController extends Controller
             'note' => 'required|string|max:50000',
             'type' => [
                 'required',
-                Rule::in(['asset']),
+                Rule::in(['asset', 'maintenance']),
             ],
         ]);
 
-        $item = Asset::findOrFail($validated['id']);
-
-        $this->authorize('update', $item);
+        if ($validated['type'] === 'maintenance') {
+            $item = Maintenance::findOrFail($validated['id']);
+            $this->authorize('update', $item->asset);
+            $redirect = redirect()->route('maintenances.show', $validated['id']);
+        } else {
+            $item = Asset::findOrFail($validated['id']);
+            $this->authorize('update', $item);
+            $redirect = redirect()->route('hardware.show', $validated['id']);
+        }
 
         $logaction = new Actionlog;
         $logaction->item_id = $item->id;
@@ -34,9 +42,6 @@ class NotesController extends Controller
         $logaction->created_by = Auth::id();
         $logaction->logaction('note added');
 
-        return redirect()
-            ->route('hardware.show', $validated['id'])
-            ->withFragment('history')
-            ->with('success', trans('general.note_added'));
+        return $redirect->withFragment('notes')->with('success', trans('general.note_added'));
     }
 }

app/Http/Controllers/ProfileController.php

@@ -8,6 +8,7 @@ use App\Models\Asset;
 use App\Models\Setting;
 use App\Models\User;
 use App\Notifications\CurrentInventory;
+use App\Rules\CssColor;
 use Illuminate\Contracts\View\View;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
@@ -63,6 +64,12 @@ class ProfileController extends Controller
 
         $user->enable_sounds = $request->input('enable_sounds', false);
         $user->enable_confetti = $request->input('enable_confetti', false);
+        $request->validate([
+            'link_light_color' => ['nullable', new CssColor],
+            'link_dark_color' => ['nullable', new CssColor],
+            'nav_link_color' => ['nullable', new CssColor],
+        ]);
+
         $user->link_light_color = $request->input('link_light_color', '#296282');
         $user->link_dark_color = $request->input('link_dark_color', '#296282');
         $user->nav_link_color = $request->input('nav_link_color', '#FFFFFF');
@@ -211,14 +218,19 @@ class ProfileController extends Controller
      */
     public function printInventory(): View
     {
-        $show_users = User::where('id', auth()->user()->id)->get();
+        $userId = auth()->id();
 
-        return view('users/print')
-            ->with('assets', auth()->user()->assets())
-            ->with('licenses', auth()->user()->licenses()->get())
-            ->with('accessories', auth()->user()->accessories()->get())
-            ->with('consumables', auth()->user()->consumables()->get())
-            ->with('users', $show_users)
+        $show_user = User::withInventoryRelations($userId)->first();
+
+        $indirectItemsCount =
+            $show_user->assets->flatMap->assignedAssets->count()
+            + $show_user->assets->flatMap->components->count()
+            + $show_user->assets->flatMap->licenses->count()
+            + $show_user->assets->flatMap->assignedAccessories->count();
+
+        return view('users.print')
+            ->with('users', [$show_user])
+            ->with('indirectItemsCount', $indirectItemsCount)
             ->with('settings', Setting::getSettings());
     }
 

app/Http/Controllers/QrCodeController.php

@@ -0,0 +1,66 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Helpers\Helper;
+use App\Models\Setting;
+use Com\Tecnick\Barcode\Barcode;
+use Illuminate\Http\Response;
+use Symfony\Component\HttpFoundation\BinaryFileResponse;
+
+class QrCodeController extends Controller
+{
+    public static $map_show_route = [
+        'accessories' => 'accessories.show',
+        'assets' => 'hardware.show',
+        'companies' => 'companies.show',
+        'components' => 'components.show',
+        'consumables' => 'consumables.show',
+        'hardware' => 'hardware.show',
+        'licenses' => 'licenses.show',
+        'locations' => 'locations.show',
+        'models' => 'models.show',
+        'users' => 'users.show',
+    ];
+
+    public function show($object_type, $id): Response|BinaryFileResponse|string|bool
+    {
+        $settings = Setting::getSettings();
+
+        if ($settings->label2_2d_type === 'none') {
+            return false;
+        }
+
+        if (! array_key_exists($object_type, self::$map_show_route)) {
+            return $object_type.' is not a valid type.';
+        }
+
+        $object = self::$map_object_type[$object_type]::withTrashed()->find($id);
+
+        if (! $object) {
+            return 'That item is invalid';
+        }
+
+        $this->authorize('view', $object);
+
+        $size = Helper::barcodeDimensions($settings->label2_2d_type);
+        $qr_file = public_path().'/uploads/barcodes/qr-'.str_slug($object_type).'-'.str_slug($id).'.png';
+
+        if (file_exists($qr_file)) {
+            return response()->file($qr_file, ['Content-type' => 'image/png']);
+        }
+
+        $barcode = new Barcode;
+        $barcode_obj = $barcode->getBarcodeObj(
+            $settings->label2_2d_type,
+            route(self::$map_show_route[$object_type], $id),
+            $size['height'],
+            $size['width'],
+            'black',
+            [-2, -2, -2, -2]
+        );
+        file_put_contents($qr_file, $barcode_obj->getPngData());
+
+        return response($barcode_obj->getPngData())->header('Content-type', 'image/png');
+    }
+}

app/Http/Controllers/ReportsController.php

@@ -36,8 +36,6 @@ use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Mail;
 use League\Csv\EscapeFormula;
-use League\Csv\Reader;
-use League\Csv\Writer;
 use Symfony\Component\HttpFoundation\StreamedResponse;
 
 /**
@@ -56,6 +54,31 @@ class ReportsController extends Controller
         parent::__construct();
     }
 
+    public function index(): View
+    {
+        $this->authorize('reports.view');
+        $settings = Setting::getSettings();
+
+        $audit_alert_count = Asset::DueOrOverdueForAudit($settings)->count();
+        $checkin_alert_count = Asset::DueOrOverdueForCheckin($settings)->count();
+        // CheckoutAcceptance has no company_id column; scope through the checkoutable
+        // relationship so each type's CompanyableTrait global scope is applied.
+        $pending_acceptance_count = CheckoutAcceptance::pending()
+            ->whereHasMorph('checkoutable', [Asset::class, LicenseSeat::class, Accessory::class, Component::class, Consumable::class])
+            ->count();
+        $licenses_low_count = License::withCount(['freeSeats as free_seats_count'])
+            ->get()
+            ->filter(fn ($l) => $l->free_seats_count <= 0)
+            ->count();
+
+        return view('reports/index', compact(
+            'audit_alert_count',
+            'checkin_alert_count',
+            'pending_acceptance_count',
+            'licenses_low_count',
+        ));
+    }
+
     /**
      * Returns a view that displays the accessories report.
      *
@@ -80,36 +103,46 @@ class ReportsController extends Controller
      * @see ManufacturersController::getDatatable() method that generates the JSON response
      * @since [v1.0]
      */
-    public function exportAccessoryReport(): Response
+    public function exportAccessoryReport(): StreamedResponse
     {
         $this->authorize('reports.view');
-        $accessories = Accessory::orderBy('created_at', 'DESC')->get();
 
-        $rows = [];
-        $header = [
-            trans('admin/accessories/table.title'),
-            trans('admin/accessories/general.accessory_category'),
-            trans('admin/accessories/general.total'),
-            trans('admin/accessories/general.remaining'),
-        ];
-        $header = array_map('trim', $header);
-        $rows[] = implode(', ', $header);
+        $response = new StreamedResponse(function () {
+            $handle = fopen('php://output', 'w');
 
-        // Row per accessory
-        foreach ($accessories as $accessory) {
-            $row = [];
-            $row[] = e($accessory->accessory_name);
-            $row[] = e($accessory->accessory_category);
-            $row[] = e($accessory->total);
-            $row[] = e($accessory->remaining);
+            $header = [
+                trans('admin/accessories/table.title'),
+                trans('admin/accessories/general.accessory_category'),
+                trans('admin/accessories/general.total'),
+                trans('admin/accessories/general.remaining'),
+            ];
+            fputcsv($handle, $header);
 
-            $rows[] = implode(',', $row);
-        }
+            $formatter = new EscapeFormula('`');
 
-        $csv = implode("\n", $rows);
-        $response = response()->make($csv, 200);
-        $response->header('Content-Type', 'text/csv');
-        $response->header('Content-disposition', 'attachment;filename=report.csv');
+            Accessory::with('category')->orderBy('created_at', 'DESC')
+                ->chunk(500, function ($accessories) use ($handle, $formatter) {
+                    foreach ($accessories as $accessory) {
+                        $row = [
+                            $accessory->name,
+                            $accessory->category?->name,
+                            $accessory->qty,
+                            $accessory->numRemaining(),
+                        ];
+
+                        if (config('app.escape_formulas') === false) {
+                            fputcsv($handle, $row);
+                        } else {
+                            fputcsv($handle, $formatter->escapeRecord($row));
+                        }
+                    }
+                });
+
+            fclose($handle);
+        }, 200, [
+            'Content-Type' => 'text/csv',
+            'Content-Disposition' => 'attachment; filename="accessories-report-'.date('Y-m-d-his').'.csv"',
+        ]);
 
         return $response;
     }
@@ -138,74 +171,80 @@ class ReportsController extends Controller
      *
      * @since [v1.0]
      */
-    public function exportDeprecationReport(): Response
+    public function exportDeprecationReport(): StreamedResponse
     {
         $this->authorize('reports.view');
-        // Grab all the assets
-        $assets = Asset::with('model', 'assignedTo', 'status', 'defaultLoc', 'assetlog')
-            ->orderBy('created_at', 'DESC')->get();
 
-        $csv = Writer::createFromFileObject(new \SplTempFileObject);
-        $csv->setOutputBOM(Reader::BOM_UTF16_BE);
+        $response = new StreamedResponse(function () {
+            $handle = fopen('php://output', 'w');
+            $formatter = new EscapeFormula('`');
 
-        $rows = [];
+            $header = [
+                trans('admin/hardware/table.asset_tag'),
+                trans('admin/hardware/table.title'),
+                trans('admin/hardware/table.serial'),
+                trans('admin/hardware/table.checkoutto'),
+                trans('admin/hardware/table.location'),
+                trans('admin/hardware/table.purchase_date'),
+                trans('admin/hardware/table.purchase_cost'),
+                trans('admin/hardware/table.book_value'),
+                trans('admin/hardware/table.diff'),
+            ];
+            fputcsv($handle, $header);
 
-        // Create the header row
-        $header = [
-            trans('admin/hardware/table.asset_tag'),
-            trans('admin/hardware/table.title'),
-            trans('admin/hardware/table.serial'),
-            trans('admin/hardware/table.checkoutto'),
-            trans('admin/hardware/table.location'),
-            trans('admin/hardware/table.purchase_date'),
-            trans('admin/hardware/table.purchase_cost'),
-            trans('admin/hardware/table.book_value'),
-            trans('admin/hardware/table.diff'),
-        ];
+            Asset::with('model', 'assignedTo', 'status', 'defaultLoc', 'assetlog')
+                ->orderBy('created_at', 'DESC')
+                ->chunk(500, function ($assets) use ($handle, $formatter) {
+                    foreach ($assets as $asset) {
+                        $currency = $asset->location
+                            ? $asset->location->currency
+                            : Setting::getSettings()->default_currency;
 
-        // we insert the CSV header
-        $csv->insertOne($header);
+                        if ($target = $asset->assignedTo) {
+                            $assignedTo = $target->display_name;
+                        } else {
+                            $assignedTo = '';
+                        }
 
-        // Create a row per asset
-        foreach ($assets as $asset) {
-            $row = [];
-            $row[] = e($asset->asset_tag);
-            $row[] = e($asset->name);
-            $row[] = e($asset->serial);
+                        if (($asset->assigned_to > 0) && ($location = $asset->location)) {
+                            if ($location->city) {
+                                $locationStr = $location->city.', '.$location->state;
+                            } elseif ($location->name) {
+                                $locationStr = $location->name;
+                            } else {
+                                $locationStr = '';
+                            }
+                        } else {
+                            $locationStr = '';
+                        }
 
-            if ($target = $asset->assignedTo) {
-                $row[] = e($target->display_name);
-            } else {
-                $row[] = ''; // Empty string if unassigned
-            }
+                        $row = [
+                            $asset->asset_tag,
+                            $asset->name,
+                            $asset->serial,
+                            $assignedTo,
+                            $locationStr,
+                            Helper::getFormattedDateObject($asset->purchase_date, 'date', false),
+                            $currency.Helper::formatCurrencyOutput($asset->purchase_cost),
+                            $currency.Helper::formatCurrencyOutput($asset->getDepreciatedValue()),
+                            $currency.Helper::formatCurrencyOutput($asset->purchase_cost - $asset->getDepreciatedValue()),
+                        ];
 
-            if (($asset->assigned_to > 0) && ($location = $asset->location)) {
-                if ($location->city) {
-                    $row[] = e($location->city).', '.e($location->state);
-                } elseif ($location->name) {
-                    $row[] = e($location->name);
-                } else {
-                    $row[] = '';
-                }
-            } else {
-                $row[] = '';  // Empty string if location is not set
-            }
+                        if (config('app.escape_formulas') === false) {
+                            fputcsv($handle, $row);
+                        } else {
+                            fputcsv($handle, $formatter->escapeRecord($row));
+                        }
+                    }
+                });
 
-            if ($asset->location) {
-                $currency = e($asset->location->currency);
-            } else {
-                $currency = e(Setting::getSettings()->default_currency);
-            }
+            fclose($handle);
+        }, 200, [
+            'Content-Type' => 'text/csv',
+            'Content-Disposition' => 'attachment; filename="depreciation-report-'.date('Y-m-d-his').'.csv"',
+        ]);
 
-            $row[] = Helper::getFormattedDateObject($asset->purchase_date, 'date', false);
-            $row[] = $currency.Helper::formatCurrencyOutput($asset->purchase_cost);
-            $row[] = $currency.Helper::formatCurrencyOutput($asset->getDepreciatedValue());
-            $row[] = $currency.Helper::formatCurrencyOutput(($asset->purchase_cost - $asset->getDepreciatedValue()));
-            $csv->insertOne($row);
-        }
-
-        $csv->output('depreciation-report-'.date('Y-m-d').'.csv');
-        exit;
+        return $response;
     }
 
     /**
@@ -252,6 +291,7 @@ class ReportsController extends Controller
 
         $response = new StreamedResponse(function () {
             Log::debug('Starting streamed response');
+            Log::debug('CSV escaping is set to: '.config('app.escape_formulas'));
 
             // Open output stream
             $handle = fopen('php://output', 'w');
@@ -287,6 +327,8 @@ class ReportsController extends Controller
                     Log::debug('Walking results: '.$executionTime);
                     $count = 0;
 
+                    $formatter = new EscapeFormula('`');
+
                     foreach ($actionlogs as $actionlog) {
                         $count++;
                         $target_name = '';
@@ -317,7 +359,15 @@ class ReportsController extends Controller
                             $actionlog->action_source,
                             $actionlog->log_meta,
                         ];
-                        fputcsv($handle, $row);
+
+                        // CSV_ESCAPE_FORMULAS is set to false in the .env
+                        if (config('app.escape_formulas') === false) {
+                            fputcsv($handle, $row);
+
+                            // CSV_ESCAPE_FORMULAS is set to true or is not set in the .env
+                        } else {
+                            fputcsv($handle, $formatter->escapeRecord($row));
+                        }
                     }
                 });
 
@@ -359,45 +409,52 @@ class ReportsController extends Controller
      *
      * @since [v1.0]
      */
-    public function exportLicenseReport(): Response
+    public function exportLicenseReport(): StreamedResponse
     {
         $this->authorize('reports.view');
-        $licenses = License::orderBy('created_at', 'DESC')->get();
 
-        $rows = [];
-        $header = [
-            trans('admin/licenses/table.title'),
-            trans('admin/licenses/table.serial'),
-            trans('admin/licenses/form.seats'),
-            trans('admin/licenses/form.remaining_seats'),
-            trans('admin/licenses/form.expiration'),
-            trans('general.purchase_date'),
-            trans('general.depreciation'),
-            trans('general.purchase_cost'),
-        ];
+        $response = new StreamedResponse(function () {
+            $handle = fopen('php://output', 'w');
+            $formatter = new EscapeFormula('`');
 
-        $header = array_map('trim', $header);
-        $rows[] = implode(', ', $header);
+            $header = [
+                trans('admin/licenses/table.title'),
+                trans('admin/licenses/table.serial'),
+                trans('admin/licenses/form.seats'),
+                trans('admin/licenses/form.remaining_seats'),
+                trans('admin/licenses/form.expiration'),
+                trans('general.purchase_date'),
+                trans('general.depreciation'),
+                trans('general.purchase_cost'),
+            ];
+            fputcsv($handle, $header);
 
-        // Row per license
-        foreach ($licenses as $license) {
-            $row = [];
-            $row[] = e($license->name);
-            $row[] = e($license->serial);
-            $row[] = e($license->seats);
-            $row[] = $license->remaincount();
-            $row[] = $license->expiration_date;
-            $row[] = $license->purchase_date;
-            $row[] = ($license->depreciation != '') ? '' : e($license->depreciation->name);
-            $row[] = '"'.Helper::formatCurrencyOutput($license->purchase_cost).'"';
+            License::orderBy('created_at', 'DESC')->chunk(500, function ($licenses) use ($handle, $formatter) {
+                foreach ($licenses as $license) {
+                    $row = [
+                        $license->name,
+                        $license->serial,
+                        $license->seats,
+                        $license->remaincount(),
+                        $license->expiration_date,
+                        $license->purchase_date,
+                        ($license->depreciation != '') ? $license->depreciation->name : '',
+                        Helper::formatCurrencyOutput($license->purchase_cost),
+                    ];
 
-            $rows[] = implode(',', $row);
-        }
+                    if (config('app.escape_formulas') === false) {
+                        fputcsv($handle, $row);
+                    } else {
+                        fputcsv($handle, $formatter->escapeRecord($row));
+                    }
+                }
+            });
 
-        $csv = implode("\n", $rows);
-        $response = response()->make($csv, 200);
-        $response->header('Content-Type', 'text/csv');
-        $response->header('Content-disposition', 'attachment;filename=report.csv');
+            fclose($handle);
+        }, 200, [
+            'Content-Type' => 'text/csv',
+            'Content-Disposition' => 'attachment; filename="licenses-report-'.date('Y-m-d-his').'.csv"',
+        ]);
 
         return $response;
     }
@@ -742,12 +799,11 @@ class ReportsController extends Controller
                 $checkout_start = Carbon::parse($request->input('checkout_date_start'))->startOfDay();
                 $checkout_end = Carbon::parse($request->input('checkout_date_end', now()))->endOfDay();
 
-                $actionlogassets = Actionlog::where('action_type', '=', 'checkout')
-                    ->where('item_type', 'LIKE', '%Asset%')
-                    ->whereBetween('action_date', [$checkout_start, $checkout_end])
-                    ->pluck('item_id');
+                $actionlogassets = Actionlog::select('id')->where('action_type', '=', 'checkout')
+                    ->where('item_type', '=', Asset::class)
+                    ->whereBetween('action_date', [$checkout_start, $checkout_end]); // we are *not* doing ->get()...
 
-                $assets->whereIn('assets.id', $actionlogassets);
+                $assets->whereIn('id', $actionlogassets); // ...because this _should_ act as a 'subquery'
             }
 
             if (($request->filled('checkin_date_start'))) {
@@ -798,6 +854,14 @@ class ReportsController extends Controller
                 $assets->onlyTrashed();
             }
 
+            if ($request->input('assignment_status') === 'assigned') {
+                $assets->whereNotNull('assets.assigned_to');
+            }
+
+            if ($request->input('assignment_status') === 'unassigned') {
+                $assets->whereNull('assets.assigned_to');
+            }
+
             $assets->orderBy('assets.id', 'ASC')->chunk(500, function ($assets) use ($handle, $customfields, $request) {
 
                 $executionTime = microtime(true) - $_SERVER['REQUEST_TIME_FLOAT'];
@@ -844,7 +908,7 @@ class ReportsController extends Controller
                     }
 
                     if ($request->filled('purchase_date')) {
-                        $row[] = ($asset->purchase_date) ? $asset->purchase_date : '';
+                        $row[] = ($asset->purchase_date) ? Carbon::parse($asset->purchase_date)->format('Y-m-d') : '';
                     }
 
                     if ($request->filled('purchase_cost')) {
@@ -852,7 +916,7 @@ class ReportsController extends Controller
                     }
 
                     if ($request->filled('eol')) {
-                        $row[] = ($asset->asset_eol_date != '') ? $asset->asset_eol_date : '';
+                        $row[] = ($asset->asset_eol_date != '') ? Carbon::parse($asset->asset_eol_date)->format('Y-m-d') : '';
                     }
 
                     if ($request->filled('warranty')) {
@@ -918,7 +982,7 @@ class ReportsController extends Controller
 
                     if ($request->filled('user_company')) {
                         if ($asset->checkedOutToUser()) {
-                            $row[] = ($asset->assignedto?->company) ? $asset->assignedto->company->display_name : '';
+                            $row[] = ($asset->assignedto?->company) ? $asset->assignedto?->company?->display_name : '';
                         } else {
                             $row[] = ''; // Empty string if unassigned
                         }
@@ -1128,56 +1192,60 @@ class ReportsController extends Controller
      *
      * @version v1.0
      */
-    public function exportMaintenancesReport(): Response
+    public function exportMaintenancesReport(): StreamedResponse
     {
         $this->authorize('reports.view');
-        // Grab all the improvements
-        $Maintenances = Maintenance::with('asset', 'supplier')
-            ->orderBy('created_at', 'DESC')
-            ->get();
 
-        $rows = [];
+        $response = new StreamedResponse(function () {
+            $handle = fopen('php://output', 'w');
+            $formatter = new EscapeFormula('`');
 
-        $header = [
-            trans('admin/hardware/table.asset_tag'),
-            trans('admin/maintenances/table.asset_name'),
-            trans('general.supplier'),
-            trans('admin/maintenances/form.asset_maintenance_type'),
-            trans('admin/maintenances/form.title'),
-            trans('admin/maintenances/form.start_date'),
-            trans('admin/maintenances/form.completion_date'),
-            trans('admin/maintenances/form.asset_maintenance_time'),
-            trans('admin/maintenances/form.cost'),
-        ];
+            $header = [
+                trans('admin/hardware/table.asset_tag'),
+                trans('admin/maintenances/table.asset_name'),
+                trans('general.supplier'),
+                trans('admin/maintenances/form.asset_maintenance_type'),
+                trans('admin/maintenances/form.title'),
+                trans('admin/maintenances/form.start_date'),
+                trans('admin/maintenances/form.completion_date'),
+                trans('admin/maintenances/form.asset_maintenance_time'),
+                trans('admin/maintenances/form.cost'),
+            ];
+            fputcsv($handle, $header);
 
-        $header = array_map('trim', $header);
-        $rows[] = implode(',', $header);
+            Maintenance::with('asset', 'supplier')
+                ->orderBy('created_at', 'DESC')
+                ->chunk(500, function ($maintenances) use ($handle, $formatter) {
+                    foreach ($maintenances as $maintenance) {
+                        $improvementTime = is_null($maintenance->asset_maintenance_time)
+                            ? (int) Carbon::now()->diffInDays(Carbon::parse($maintenance->start_date), true)
+                            : (int) $maintenance->asset_maintenance_time;
 
-        foreach ($Maintenances as $maintenance) {
-            $row = [];
-            $row[] = str_replace(',', '', e($maintenance->asset->asset_tag));
-            $row[] = str_replace(',', '', e($maintenance->asset->name));
-            $row[] = str_replace(',', '', e($maintenance->supplier->name));
-            $row[] = e($maintenance->improvement_type);
-            $row[] = e($maintenance->name);
-            $row[] = e($maintenance->start_date);
-            $row[] = e($maintenance->completion_date);
-            if (is_null($maintenance->asset_maintenance_time)) {
-                $improvementTime = (int) Carbon::now()
-                    ->diffInDays(Carbon::parse($maintenance->start_date), true);
-            } else {
-                $improvementTime = (int) $maintenance->asset_maintenance_time;
-            }
-            $row[] = $improvementTime;
-            $row[] = trans('general.currency').Helper::formatCurrencyOutput($maintenance->cost);
-            $rows[] = implode(',', $row);
-        }
+                        $row = [
+                            $maintenance->asset->asset_tag,
+                            $maintenance->asset->name,
+                            $maintenance->supplier->name,
+                            $maintenance->improvement_type,
+                            $maintenance->name,
+                            $maintenance->start_date,
+                            $maintenance->completion_date,
+                            $improvementTime,
+                            trans('general.currency').Helper::formatCurrencyOutput($maintenance->cost),
+                        ];
 
-        // spit out a csv
-        $csv = implode("\n", $rows);
-        $response = response()->make($csv, 200);
-        $response->header('Content-Type', 'text/csv');
-        $response->header('Content-disposition', 'attachment;filename=report.csv');
+                        if (config('app.escape_formulas') === false) {
+                            fputcsv($handle, $row);
+                        } else {
+                            fputcsv($handle, $formatter->escapeRecord($row));
+                        }
+                    }
+                });
+
+            fclose($handle);
+        }, 200, [
+            'Content-Type' => 'text/csv',
+            'Content-Disposition' => 'attachment; filename="maintenances-report-'.date('Y-m-d-his').'.csv"',
+        ]);
 
         return $response;
     }
@@ -1192,6 +1260,9 @@ class ReportsController extends Controller
     public function getAssetAcceptanceReport($deleted = false): View
     {
         $this->authorize('reports.view');
+
+        $this->disableDebugbar();
+
         $showDeleted = $deleted == 'deleted';
 
         $query = CheckoutAcceptance::Pending()
@@ -1253,6 +1324,11 @@ class ReportsController extends Controller
             // Redirect to the unaccepted items report page with error
             return redirect()->route('reports/unaccepted_assets')->with('error', trans('general.bad_data'));
         }
+
+        if (! $this->currentUserCanAccessAcceptance($acceptance)) {
+            return redirect()->route('reports/unaccepted_assets')->with('error', trans('general.insufficient_permissions'));
+        }
+
         $item = $acceptance->checkoutable;
         $assignee = $acceptance->assignedTo ?? $item->assignedTo ?? null;
         $email = $assignee?->email;
@@ -1287,6 +1363,33 @@ class ReportsController extends Controller
         return redirect()->route('reports/unaccepted_assets')->with('success', trans('admin/reports/general.reminder_sent'));
     }
 
+    private function currentUserCanAccessAcceptance(CheckoutAcceptance $acceptance): bool
+    {
+        if (Setting::getSettings()->full_multiple_companies_support != '1') {
+            return true;
+        }
+
+        $user = auth()->user();
+
+        if (! $user->company_id || $user->isSuperUser()) {
+            return true;
+        }
+
+        // Bypass Eloquent global scopes so cross-company items are still found
+        $checkoutableType = $acceptance->checkoutable_type;
+        $checkoutable = $checkoutableType::withoutGlobalScopes()->find($acceptance->checkoutable_id);
+
+        if ($checkoutable instanceof LicenseSeat) {
+            $itemCompanyId = License::withoutGlobalScopes()
+                ->where('id', $checkoutable->license_id)
+                ->value('company_id');
+        } else {
+            $itemCompanyId = $checkoutable?->company_id;
+        }
+
+        return $itemCompanyId === null || (int) $itemCompanyId === (int) $user->company_id;
+    }
+
     private function getCheckoutMailType(CheckoutAcceptance $acceptance, $logItem): Mailable
     {
         $lookup = [
@@ -1319,11 +1422,21 @@ class ReportsController extends Controller
     {
         $this->authorize('reports.view');
 
-        if (! $acceptance = CheckoutAcceptance::pending()->find($acceptanceId)) {
+        $acceptance = CheckoutAcceptance::pending()
+            ->with(['checkoutable' => function (MorphTo $morphTo) {
+                $morphTo->morphWith([LicenseSeat::class => ['license']]);
+            }])
+            ->find($acceptanceId);
+
+        if (! $acceptance) {
             // Redirect to the unaccepted assets report page with error
             return redirect()->route('reports/unaccepted_assets')->with('error', trans('general.bad_data'));
         }
 
+        if (! $this->currentUserCanAccessAcceptance($acceptance)) {
+            return redirect()->route('reports/unaccepted_assets')->with('error', trans('general.insufficient_permissions'));
+        }
+
         if ($acceptance->delete()) {
             return redirect()->route('reports/unaccepted_assets')->with('success', trans('admin/reports/general.acceptance_deleted'));
         } else {

app/Http/Controllers/SettingsController.php

@@ -19,6 +19,7 @@ use App\Models\Group;
 use App\Models\Setting;
 use App\Models\User;
 use App\Notifications\MailTest;
+use App\Rules\CssColor;
 use Illuminate\Contracts\View\View;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\RedirectResponse;
@@ -92,10 +93,12 @@ class SettingsController extends Controller
         $old_locations_fmcs = $setting->scope_locations_fmcs;
         $setting->full_multiple_companies_support = $request->input('full_multiple_companies_support', '0');
         $setting->scope_locations_fmcs = $request->input('scope_locations_fmcs', '0');
+        $setting->null_company_is_floater = $request->input('null_company_is_floater', '0');
 
-        // Backward compatibility for locations makes no sense without FullMultipleCompanySupport
+        // These options make no sense without FullMultipleCompanySupport
         if (! $setting->full_multiple_companies_support) {
             $setting->scope_locations_fmcs = '0';
+            $setting->null_company_is_floater = '0';
         }
 
         // check for inconsistencies when activating scoped locations
@@ -189,6 +192,13 @@ class SettingsController extends Controller
                 $request->validate(['site_name' => 'required']);
             }
 
+            $request->validate([
+                'header_color' => ['nullable', new CssColor],
+                'link_light_color' => ['nullable', new CssColor],
+                'link_dark_color' => ['nullable', new CssColor],
+                'nav_link_color' => ['nullable', new CssColor],
+            ]);
+
             $setting->header_color = $request->input('header_color', '#3c8dbc');
             $setting->link_light_color = $request->input('link_light_color', '#296282');
             $setting->link_dark_color = $request->input('link_dark_color', '#5fa4cc');

app/Http/Controllers/SetupController.php

@@ -6,6 +6,7 @@ use App\Http\Requests\SetupUserRequest;
 use App\Models\Setting;
 use App\Models\User;
 use App\Notifications\FirstAdminNotification;
+use App\Rules\CssColor;
 use Illuminate\Contracts\View\View;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Response;
@@ -166,6 +167,12 @@ class SetupController extends Controller
         $settings->alerts_enabled = 1;
         $settings->pwd_secure_min = 10;
         $settings->brand = 1;
+        $request->validate([
+            'link_light_color' => ['nullable', new CssColor],
+            'link_dark_color' => ['nullable', new CssColor],
+            'nav_link_color' => ['nullable', new CssColor],
+        ]);
+
         $settings->link_light_color = $request->input('link_light_color', '#296282');
         $settings->link_dark_color = $request->input('link_dark_color', '#296282');
         $settings->nav_link_color = $request->input('nav_link_color', '#FFFFFF');

app/Http/Controllers/UploadedFilesController.php

@@ -101,11 +101,13 @@ class UploadedFilesController extends Controller
         }
 
         if (request('inline') == 'true') {
-            $headers = [
-                'Content-Disposition' => 'inline',
-            ];
+            $path = self::$map_storage_path[$object_type];
 
-            return Storage::download(self::$map_storage_path[$object_type].$log->filename, $log->filename, $headers);
+            if (! StorageHelper::allowSafeInline($path.$log->filename)) {
+                return StorageHelper::downloader($path.$log->filename);
+            }
+
+            return Storage::download($path.$log->filename, $log->filename, ['Content-Disposition' => 'inline']);
         }
 
         return StorageHelper::downloader(self::$map_storage_path[$object_type].$log->filename);

app/Http/Controllers/Users/BulkUsersController.php

@@ -8,6 +8,7 @@ use App\Http\Controllers\Controller;
 use App\Models\Accessory;
 use App\Models\Actionlog;
 use App\Models\Asset;
+use App\Models\Company;
 use App\Models\ConsumableAssignment;
 use App\Models\Group;
 use App\Models\License;
@@ -168,16 +169,21 @@ class BulkUsersController extends Controller
 
         $this->conditionallyAddItem('location_id')
             ->conditionallyAddItem('department_id')
-            ->conditionallyAddItem('company_id')
             ->conditionallyAddItem('locale')
             ->conditionallyAddItem('remote')
-            ->conditionallyAddItem('ldap_import')
-            ->conditionallyAddItem('activated')
             ->conditionallyAddItem('display_name')
             ->conditionallyAddItem('start_date')
             ->conditionallyAddItem('end_date')
             ->conditionallyAddItem('city')
-            ->conditionallyAddItem('autoassign_licenses');
+            ->conditionallyAddItem('autoassign_licenses')
+            ->conditionallyAddItem('phone')
+            ->conditionallyAddItem('jobtitle')
+            ->conditionallyAddItem('address')
+            ->conditionallyAddItem('state')
+            ->conditionallyAddItem('country')
+            ->conditionallyAddItem('zip')
+            ->conditionallyAddItem('website')
+            ->conditionallyAddItem('notes');
 
         // If the manager_id is one of the users being updated, generate a warning.
         if (array_search($request->input('manager_id'), $user_raw_array)) {
@@ -202,7 +208,7 @@ class BulkUsersController extends Controller
             $this->update_array['manager_id'] = null;
         }
 
-        if ($request->input('null_company_id') == '1') {
+        if ($request->input('null_company_ids') == '1') {
             $this->update_array['company_id'] = null;
         }
 
@@ -222,6 +228,46 @@ class BulkUsersController extends Controller
             $this->update_array['display_name'] = null;
         }
 
+        if ($request->input('null_city') == '1') {
+            $this->update_array['city'] = null;
+        }
+
+        if ($request->input('null_phone') == '1') {
+            $this->update_array['phone'] = null;
+        }
+
+        if ($request->input('null_jobtitle') == '1') {
+            $this->update_array['jobtitle'] = null;
+        }
+
+        if ($request->input('null_employee_num') == '1') {
+            $this->update_array['employee_num'] = null;
+        }
+
+        if ($request->input('null_address') == '1') {
+            $this->update_array['address'] = null;
+        }
+
+        if ($request->input('null_state') == '1') {
+            $this->update_array['state'] = null;
+        }
+
+        if ($request->input('null_country') == '1') {
+            $this->update_array['country'] = null;
+        }
+
+        if ($request->input('null_zip') == '1') {
+            $this->update_array['zip'] = null;
+        }
+
+        if ($request->input('null_website') == '1') {
+            $this->update_array['website'] = null;
+        }
+
+        if ($request->input('null_notes') == '1') {
+            $this->update_array['notes'] = null;
+        }
+
         if (! $manager_conflict) {
             $this->conditionallyAddItem('manager_id');
         }
@@ -235,11 +281,50 @@ class BulkUsersController extends Controller
                 ->update(['location_id' => $this->update_array['location_id']]);
         }
 
-        // Only sync groups if groups were selected
-        if ($request->filled('groups')) {
+        // Handle company pivot sync separately from the mass update.
+        // company_ids[] comes from the multi-select; null_company_ids clears all memberships.
+        $bulkCompanyIds = array_filter(array_map('intval', (array) $request->input('company_ids', [])));
+        $clearCompanies = $request->input('null_company_ids') == '1';
 
+        if ($bulkCompanyIds || $clearCompanies) {
+            $allowedIds = Company::getIdsForCurrentUser($bulkCompanyIds);
+            // Also update the scalar company_id column for display/backward compat.
+            $scalarCompanyId = $allowedIds[0] ?? null;
+            User::whereIn('id', $user_raw_array)->where('id', '!=', auth()->id())
+                ->update(['company_id' => $scalarCompanyId]);
             foreach ($users as $user) {
-                if (auth()->user()->can('canEditAuthFields', $user) && auth()->user()->can('editableOnDemo')) {
+                if ($clearCompanies && ! auth()->user()->isSuperUser() && Company::isFullMultipleCompanySupportEnabled()) {
+                    // Non-superusers can only detach companies they belong to; sync([]) would
+                    // also wipe memberships for companies outside their scope.
+                    $user->companies()->detach(Company::getIdsForCurrentUser(
+                        $user->companies()->pluck('companies.id')->toArray()
+                    ));
+                } else {
+                    $user->companies()->sync($allowedIds);
+                }
+            }
+        }
+
+        // Fields that require canEditAuthFields (non-admins cannot touch admins/superusers,
+        // admins cannot touch superusers) must be applied per-user, not via mass update.
+        foreach ($users as $user) {
+            if (auth()->user()->can('canEditAuthFields', $user) && auth()->user()->can('editableOnDemo')) {
+                $authFieldUpdate = [];
+                if ($request->filled('activated')) {
+                    $authFieldUpdate['activated'] = $request->input('activated');
+                }
+                if ($request->filled('ldap_import')) {
+                    $authFieldUpdate['ldap_import'] = $request->input('ldap_import');
+                }
+                if ($request->filled('email')) {
+                    $authFieldUpdate['email'] = $request->input('email');
+                } elseif ($request->input('null_email') == '1') {
+                    $authFieldUpdate['email'] = null;
+                }
+                if (! empty($authFieldUpdate)) {
+                    $user->update($authFieldUpdate);
+                }
+                if ($request->filled('groups') && auth()->user()->isSuperUser()) {
                     $user->groups()->sync($request->input('groups'));
                 }
             }
@@ -310,6 +395,31 @@ class BulkUsersController extends Controller
             return redirect()->route('users.index')->with('error', 'No status selected');
         }
 
+        // Enforce per-item checkin permissions before touching anything (catches FMCS company scoping).
+        foreach ($assets as $asset) {
+            if (auth()->user()->cannot('checkin', $asset)) {
+                return redirect()->route('users.index')->with('error', trans('general.insufficient_permissions'));
+            }
+        }
+
+        $licenseModels = License::whereIn('id', $licenses->pluck('license_id')->unique())->get();
+        foreach ($licenseModels as $license) {
+            if (auth()->user()->cannot('checkin', $license)) {
+                return redirect()->route('users.index')->with('error', trans('general.insufficient_permissions'));
+            }
+        }
+
+        $accessoryModels = Accessory::whereIn('id', $accessoryUserRows->pluck('accessory_id')->unique())->get();
+        foreach ($accessoryModels as $accessory) {
+            if (auth()->user()->cannot('checkin', $accessory)) {
+                return redirect()->route('users.index')->with('error', trans('general.insufficient_permissions'));
+            }
+        }
+
+        if ($request->input('delete_user') == '1' && $users->isNotEmpty() && auth()->user()->cannot('delete', User::class)) {
+            return redirect()->route('users.index')->with('error', trans('general.insufficient_permissions'));
+        }
+
         $this->logItemCheckinAndDelete($assets, Asset::class);
         $this->logAccessoriesCheckin($accessoryUserRows);
         $this->logItemCheckinAndDelete($licenses, License::class);
@@ -398,7 +508,7 @@ class BulkUsersController extends Controller
      */
     public function merge(Request $request)
     {
-        $this->authorize('update', User::class);
+        $this->authorize('delete', User::class);
 
         if (config('app.lock_passwords')) {
             return redirect()->route('users.index')->with('error', trans('general.feature_disabled'));
@@ -416,9 +526,17 @@ class BulkUsersController extends Controller
         $users_to_merge = User::whereIn('id', $user_ids_to_merge)->with('assets', 'manager', 'userlog', 'licenses', 'consumables', 'accessories', 'managedLocations', 'uploads', 'acceptances')->get();
         $admin = User::find(auth()->id());
 
+        if (! auth()->user()->can('canEditAuthFields', $merge_into_user) || ! auth()->user()->can('editableOnDemo')) {
+            return redirect()->route('users.index')->with('error', trans('general.insufficient_permissions'));
+        }
+
         // Walk users
         foreach ($users_to_merge as $user_to_merge) {
 
+            if (! auth()->user()->can('canEditAuthFields', $user_to_merge) || ! auth()->user()->can('editableOnDemo')) {
+                return redirect()->route('users.index')->with('error', trans('general.insufficient_permissions'));
+            }
+
             foreach ($user_to_merge->assets as $asset) {
                 Log::debug('Updating asset: '.$asset->asset_tag.' to '.$merge_into_user->id);
                 $asset->assigned_to = $request->input('merge_into_id');
@@ -461,6 +579,12 @@ class BulkUsersController extends Controller
                 $managedLocation->save();
             }
 
+            // Carry over company pivot memberships from the merged user into the target.
+            $mergedCompanyIds = $user_to_merge->companies()->pluck('companies.id')->toArray();
+            if (! empty($mergedCompanyIds)) {
+                $merge_into_user->companies()->syncWithoutDetaching($mergedCompanyIds);
+            }
+
             $user_to_merge->delete();
 
             event(new UserMerged($user_to_merge, $merge_into_user, $admin));

app/Http/Controllers/Users/UsersController.php

@@ -10,11 +10,14 @@ use App\Http\Requests\DeleteUserRequest;
 use App\Http\Requests\ImageUploadRequest;
 use App\Http\Requests\SaveUserRequest;
 use App\Mail\UnacceptedAssetReminderMail;
+use App\Models\Accessory;
 use App\Models\Actionlog;
 use App\Models\Asset;
 use App\Models\CheckoutAcceptance;
 use App\Models\Company;
+use App\Models\Consumable;
 use App\Models\Group;
+use App\Models\License;
 use App\Models\Setting;
 use App\Models\User;
 use App\Notifications\CurrentInventory;
@@ -26,6 +29,7 @@ use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Mail;
 use Illuminate\Support\Facades\Password;
+use League\Csv\EscapeFormula;
 use Symfony\Component\HttpFoundation\StreamedResponse;
 
 /**
@@ -122,7 +126,7 @@ class UsersController extends Controller
         $user->mobile = $request->input('mobile');
         $user->location_id = $request->input('location_id', null);
         $user->department_id = $request->input('department_id', null);
-        $user->company_id = Company::getIdForUser($request->input('company_id', null));
+        $companyIds = array_filter(array_map('intval', (array) ($request->input('company_ids') ?? ($request->filled('company_id') ? [$request->input('company_id')] : []))));
         $user->manager_id = $request->input('manager_id', null);
         $user->notes = $request->input('notes');
         $user->address = $request->input('address', null);
@@ -152,6 +156,7 @@ class UsersController extends Controller
         }
 
         if ($user->save()) {
+            $user->syncCompaniesWithLogging(Company::getIdsForCurrentUser($companyIds));
 
             if (($user->activated == '1') && ($user->email != '') && ($request->input('send_welcome') == '1')) {
 
@@ -163,7 +168,7 @@ class UsersController extends Controller
 
             }
 
-            if (auth()->user()->can('canEditAuthFields', $user) && auth()->user()->can('editableOnDemo')) {
+            if (auth()->user()->isSuperUser() && auth()->user()->can('editableOnDemo')) {
                 $user->groups()->sync($request->input('groups'));
             }
 
@@ -274,7 +279,7 @@ class UsersController extends Controller
         $user->phone = $request->input('phone');
         $user->mobile = $request->input('mobile');
         $user->location_id = $request->input('location_id', null);
-        $user->company_id = Company::getIdForUser($request->input('company_id', null));
+        $companyIds = array_filter(array_map('intval', (array) ($request->input('company_ids') ?? ($request->filled('company_id') ? [$request->input('company_id')] : []))));
         $user->manager_id = $request->input('manager_id', null);
         $user->notes = $request->input('notes');
         $user->department_id = $request->input('department_id', null);
@@ -310,11 +315,14 @@ class UsersController extends Controller
                 $user->password = bcrypt($request->input('password'));
             }
 
-            $user->permissions = json_encode(PreserveUnauthorizedPrivilegedPermissionsAction::run(
-                requestedPermissions: NormalizePermissionsPayloadAction::run($request->input('permission')),
-                authenticatedUser: $authenticatedUser,
-                originalPermissions: $orig_permissions_array,
-            ));
+            if ($request->has('permission')) {
+                $user->permissions = json_encode(PreserveUnauthorizedPrivilegedPermissionsAction::run(
+                    requestedPermissions: NormalizePermissionsPayloadAction::run($request->input('permission')),
+                    authenticatedUser: $authenticatedUser,
+                    originalPermissions: $orig_permissions_array,
+                    targetUser: $user,
+                ));
+            }
 
             // Only save groups if the user is a superuser
             if (auth()->user()->isSuperUser()) {
@@ -332,6 +340,8 @@ class UsersController extends Controller
         session()->put(['redirect_option' => $request->input('redirect_option')]);
 
         if ($user->save()) {
+            $user->syncCompaniesWithLogging(Company::getIdsForCurrentUser($companyIds));
+
             // Redirect to the user page
             return Helper::getRedirectOption($request, $user->id, 'Users')
                 ->with('success', trans('admin/users/message.success.update'));
@@ -476,7 +486,7 @@ class UsersController extends Controller
         $permissions = $request->input('permissions', []);
         app('request')->request->set('permissions', $permissions);
 
-        $user_to_clone = User::with('userloc')->withTrashed()->find($user->id);
+        $user_to_clone = User::with('userloc', 'companies')->withTrashed()->find($user->id);
         // Make sure they can view this particular user
         $this->authorize('view', $user_to_clone);
 
@@ -533,52 +543,76 @@ class UsersController extends Controller
             // Open output stream
             $handle = fopen('php://output', 'w');
 
+            $headers = [
+                // strtolower to prevent Excel from trying to open it as a SYLK file
+                strtolower(trans('general.id')),
+                trans('admin/companies/table.title'),
+                trans('admin/users/table.title'),
+                trans('general.employee_number'),
+                trans('admin/users/table.first_name'),
+                trans('admin/users/table.last_name'),
+                trans('admin/users/table.name'),
+                trans('admin/users/table.display_name'),
+                trans('admin/users/table.username'),
+                trans('admin/users/table.email'),
+                trans('admin/users/table.phone'),
+                trans('admin/users/table.mobile'),
+                trans('general.website'),
+                trans('general.address'),
+                trans('general.city'),
+                trans('general.state'),
+                trans('general.country'),
+                trans('general.zip'),
+                trans('admin/users/table.manager'),
+                trans('admin/users/table.location'),
+                trans('general.department'),
+                trans('general.assets'),
+                trans('general.licenses'),
+                trans('general.accessories'),
+                trans('general.consumables'),
+                trans('general.groups'),
+                trans('general.permissions'),
+                trans('general.notes'),
+                trans('admin/users/table.activated'),
+                trans('general.created_at'),
+                trans('general.importer.vip'),
+                trans('admin/users/general.remote'),
+                trans('general.language'),
+                trans('general.autoassign_licenses'),
+                trans('general.ldap_sync'),
+                trans('admin/users/general.two_factor_enrolled'),
+                trans('admin/users/general.two_factor_active'),
+                trans('admin/users/table.managed_users'),
+                trans('admin/users/table.managed_locations'),
+                trans('admin/users/general.department_manager'),
+                trans('general.created_by'),
+                trans('general.updated_at'),
+                trans('general.start_date'),
+                trans('general.end_date'),
+                trans('admin/users/table.last_login'),
+                trans('admin/licenses/table.deleted_at'),
+            ];
+
+            fputcsv($handle, $headers);
+
             $users = User::with(
                 'assets',
                 'accessories',
                 'consumables',
-                'department',
+                'department.manager',
                 'licenses',
                 'manager',
                 'groups',
                 'userloc',
-                'company'
-            )->orderBy('created_at', 'DESC')
+                'companies',
+                'createdBy'
+            )->withCount(['managesUsers as manages_users_count', 'managedLocations as manages_locations_count'])
+                ->orderBy('created_at', 'DESC')
                 ->chunk(500, function ($users) use ($handle) {
-                    $headers = [
-                        // strtolower to prevent Excel from trying to open it as a SYLK file
-                        strtolower(trans('general.id')),
-                        trans('admin/companies/table.title'),
-                        trans('admin/users/table.title'),
-                        trans('general.employee_number'),
-                        trans('admin/users/table.first_name'),
-                        trans('admin/users/table.last_name'),
-                        trans('admin/users/table.name'),
-                        trans('admin/users/table.username'),
-                        trans('admin/users/table.email'),
-                        trans('admin/users/table.manager'),
-                        trans('admin/users/table.location'),
-                        trans('general.department'),
-                        trans('general.assets'),
-                        trans('general.licenses'),
-                        trans('general.accessories'),
-                        trans('general.consumables'),
-                        trans('general.groups'),
-                        trans('general.permissions'),
-                        trans('general.notes'),
-                        trans('admin/users/table.activated'),
-                        trans('general.created_at'),
-                    ];
 
-                    fputcsv($handle, $headers);
+                    $formatter = new EscapeFormula('`');
 
                     foreach ($users as $user) {
-                        $user_groups = '';
-
-                        foreach ($user->groups as $user_group) {
-                            $user_groups .= $user_group->name.', ';
-                        }
-
                         $permissionstring = '';
 
                         if ($user->isSuperUser()) {
@@ -592,14 +626,23 @@ class UsersController extends Controller
                         // Add a new row with data
                         $values = [
                             $user->id,
-                            ($user->company) ? $user->company->name : '',
+                            $user->companies->pluck('name')->implode('|'),
                             $user->jobtitle,
                             $user->employee_num,
                             $user->first_name,
                             $user->last_name,
-                            $user->display_name,
+                            $user->getFullNameAttribute(),
+                            $user->getRawOriginal('display_name'),
                             $user->username,
                             $user->email,
+                            $user->phone,
+                            $user->mobile,
+                            $user->website,
+                            $user->address,
+                            $user->city,
+                            $user->state,
+                            $user->country,
+                            $user->zip,
                             ($user->manager) ? $user->manager->display_name : '',
                             ($user->userloc) ? $user->userloc->name : '',
                             ($user->department) ? $user->department->name : '',
@@ -607,14 +650,37 @@ class UsersController extends Controller
                             $user->licenses->count(),
                             $user->accessories->count(),
                             $user->consumables->count(),
-                            $user_groups,
+                            $user->groups->pluck('name')->implode(', '),
                             $permissionstring,
                             $user->notes,
                             ($user->activated == '1') ? trans('general.yes') : trans('general.no'),
                             $user->created_at,
+                            ($user->vip == '1') ? trans('general.yes') : trans('general.no'),
+                            ($user->remote == '1') ? trans('general.yes') : trans('general.no'),
+                            $user->locale,
+                            ($user->autoassign_licenses == '1') ? trans('general.yes') : trans('general.no'),
+                            ($user->ldap_import == '1') ? trans('general.yes') : trans('general.no'),
+                            ($user->two_factor_active_and_enrolled()) ? trans('general.yes') : trans('general.no'),
+                            ($user->two_factor_active()) ? trans('general.yes') : trans('general.no'),
+                            $user->manages_users_count,
+                            $user->manages_locations_count,
+                            ($user->department && $user->department->manager) ? $user->department->manager->display_name : '',
+                            ($user->createdBy) ? $user->createdBy->display_name : '',
+                            $user->updated_at,
+                            $user->start_date,
+                            $user->end_date,
+                            $user->last_login,
+                            $user->deleted_at,
                         ];
 
-                        fputcsv($handle, $values);
+                        // CSV_ESCAPE_FORMULAS is set to false in the .env
+                        if (config('app.escape_formulas') === false) {
+                            fputcsv($handle, $values);
+
+                            // CSV_ESCAPE_FORMULAS is set to true or is not set in the .env
+                        } else {
+                            fputcsv($handle, $formatter->escapeRecord($values));
+                        }
                     }
                 });
 
@@ -639,32 +705,24 @@ class UsersController extends Controller
     {
         $this->authorize('view', User::class);
 
-        $user = User::where('id', $id)
-            ->with([
-                'assets.log' => fn ($query) => $query->withTrashed()->where('target_type', User::class)->where('target_id', $id)->where('action_type', 'accepted'),
-                'assets.assignedAssets.log' => fn ($query) => $query->withTrashed()->where('target_type', User::class)->where('target_id', $id)->where('action_type', 'accepted'),
-                'assets.assignedAssets.defaultLoc',
-                'assets.assignedAssets.location',
-                'assets.assignedAssets.model.category',
-                'assets.defaultLoc',
-                'assets.location',
-                'assets.model.category',
-                'accessories.log' => fn ($query) => $query->withTrashed()->where('target_type', User::class)->where('target_id', $id)->where('action_type', 'accepted'),
-                'accessories.category',
-                'accessories.manufacturer',
-                'consumables.log' => fn ($query) => $query->withTrashed()->where('target_type', User::class)->where('target_id', $id)->where('action_type', 'accepted'),
-                'consumables.category',
-                'consumables.manufacturer',
-                'licenses.category',
-            ])
-            ->withTrashed()
-            ->first();
+        $actor = auth()->user();
+        $canViewLicenses = $actor->can('view', License::class);
+        $canViewAccessories = $actor->can('view', Accessory::class);
+        $canViewConsumables = $actor->can('view', Consumable::class);
+
+        $user = User::withInventoryRelations($id, $canViewLicenses, $canViewAccessories, $canViewConsumables)->first();
+
+        $indirectItemsCount = $user?->assets?->flatMap->assignedAssets->count()
+            + $user?->assets?->flatMap->components->count()
+            + ($canViewLicenses ? $user?->assets?->flatMap->licenses->count() : 0)
+            + ($canViewAccessories ? $user?->assets?->flatMap->assignedAccessories->count() : 0);
 
         if ($user) {
             $this->authorize('view', $user);
 
             return view('users.print')
                 ->with('users', [$user])
+                ->with('indirectItemsCount', $indirectItemsCount)
                 ->with('settings', Setting::getSettings());
         }
 

app/Http/Controllers/ViewAssetsController.php

@@ -19,6 +19,7 @@ use Illuminate\Contracts\View\View;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Log;
 
 /**
  * This controller handles all actions related to the ability for users
@@ -120,6 +121,7 @@ class ViewAssetsController extends Controller
             'consumables',
             'accessories',
             'licenses',
+            'companies',
         ])->find($selectedUserId);
 
         // If the user to view couldn't be found (shouldn't happen with proper logic), redirect with error
@@ -199,21 +201,39 @@ class ViewAssetsController extends Controller
 
         $settings = Setting::getSettings();
 
-        if (($item_request = $item->isRequestedBy($user)) || $cancel_by_admin) {
-            $item->cancelRequest($requestingUser);
+        $is_admin = $user->isSuperUser() || $user->isAdmin();
+
+        if ($cancel_by_admin && ! $is_admin) {
+            return redirect()->back()->with('error', trans('general.insufficient_permissions'));
+        }
+
+        if (($item_request = $item->isRequestedBy($user)) || ($is_admin && $cancel_by_admin)) {
+            $item->cancelRequest($is_admin && $cancel_by_admin ? $requestingUser : null);
             $data['item_quantity'] = ($item_request) ? $item_request->qty : 1;
             $logaction->logaction(ActionType::RequestCanceled);
 
             if (($settings->alert_email != '') && ($settings->alerts_enabled == '1') && (! config('app.lock_passwords'))) {
-                $settings->notify((new RequestAssetCancelation($data))->locale($settings->locale));
+                try {
+                    $settings->notify((new RequestAssetCancelation($data))->locale($settings->locale));
+                } catch (Exception $e) {
+                    Log::warning('Could not send request cancellation notification: '.$e->getMessage());
+                }
             }
 
             return redirect()->back()->with('success')->with('success', trans('admin/hardware/message.requests.canceled'));
         } else {
+            if ($fullItemType === Asset::class && is_null(Asset::RequestableAssets()->find($item->id))) {
+                return redirect()->back()->with('error', trans('admin/hardware/message.requests.error'));
+            }
+
             $item->request();
             if (($settings->alert_email != '') && ($settings->alerts_enabled == '1') && (! config('app.lock_passwords'))) {
                 $logaction->logaction('requested');
-                $settings->notify((new RequestAssetNotification($data))->locale($settings->locale));
+                try {
+                    $settings->notify((new RequestAssetNotification($data))->locale($settings->locale));
+                } catch (Exception $e) {
+                    Log::warning('Could not send asset request notification: '.$e->getMessage());
+                }
             }
 
             return redirect()->route('requestable-assets')->with('success')->with('success', trans('admin/hardware/message.requests.success'));

app/Http/Kernel.php

@@ -2,7 +2,6 @@
 
 namespace App\Http;
 
-use App\Http\Middleware\AssetCountForSidebar;
 use App\Http\Middleware\CheckColorSettings;
 use App\Http\Middleware\CheckForDebug;
 use App\Http\Middleware\CheckForSetup;
@@ -17,6 +16,7 @@ use App\Http\Middleware\PreventBackHistory;
 use App\Http\Middleware\RedirectIfAuthenticated;
 use App\Http\Middleware\SecurityHeaders;
 use App\Http\Middleware\SetAPIResponseHeaders;
+use App\Http\Middleware\SetPaginationDefaults;
 use App\Http\Middleware\TrimStrings;
 use App\Http\Middleware\TrustProxies;
 use App\Http\Middleware\VerifyCsrfToken;
@@ -74,7 +74,6 @@ class Kernel extends HttpKernel
             CheckUserIsActivated::class,
             CheckForTwoFactor::class,
             CreateFreshApiToken::class,
-            AssetCountForSidebar::class,
             CheckColorSettings::class,
             AuthenticateSession::class,
             SubstituteBindings::class,
@@ -84,6 +83,7 @@ class Kernel extends HttpKernel
             'auth:api',
             CheckLocale::class,
             LogAuthedUserHeader::class,
+            SetPaginationDefaults::class,
             SubstituteBindings::class,
         ],
 

app/Http/Middleware/AssetCountForSidebar.php

@@ -1,119 +0,0 @@
-<?php
-
-namespace App\Http\Middleware;
-
-use App\Models\Asset;
-use App\Models\Setting;
-use Closure;
-use Illuminate\Http\Request;
-use Illuminate\Support\Facades\Log;
-
-class AssetCountForSidebar
-{
-    /**
-     * Handle an incoming request.
-     *
-     * @param  Request  $request
-     * @return mixed
-     */
-    public function handle($request, Closure $next)
-    {
-        /**
-         * This needs to be set for the /setup process, since the tables might not exist yet
-         */
-        $total_assets = 0;
-        $total_due_for_checkin = 0;
-        $total_overdue_for_checkin = 0;
-        $total_due_for_audit = 0;
-        $total_overdue_for_audit = 0;
-
-        try {
-            $settings = Setting::getSettings();
-            view()->share('settings', $settings);
-        } catch (\Exception $e) {
-            Log::debug($e);
-        }
-
-        try {
-            $total_assets = Asset::AssetsForShow()->count();
-            view()->share('total_assets', $total_assets);
-        } catch (\Exception $e) {
-            Log::debug($e);
-        }
-
-        try {
-            $total_rtd_sidebar = Asset::RTD()->count();
-            view()->share('total_rtd_sidebar', $total_rtd_sidebar);
-        } catch (\Exception $e) {
-            Log::debug($e);
-        }
-
-        try {
-            $total_deployed_sidebar = Asset::Deployed()->count();
-            view()->share('total_deployed_sidebar', $total_deployed_sidebar);
-        } catch (\Exception $e) {
-            Log::debug($e);
-        }
-
-        try {
-            $total_archived_sidebar = Asset::Archived()->count();
-            view()->share('total_archived_sidebar', $total_archived_sidebar);
-        } catch (\Exception $e) {
-            Log::debug($e);
-        }
-
-        try {
-            $total_pending_sidebar = Asset::Pending()->count();
-            view()->share('total_pending_sidebar', $total_pending_sidebar);
-        } catch (\Exception $e) {
-            Log::debug($e);
-        }
-
-        try {
-            $total_undeployable_sidebar = Asset::Undeployable()->count();
-            view()->share('total_undeployable_sidebar', $total_undeployable_sidebar);
-        } catch (\Exception $e) {
-            Log::debug($e);
-        }
-
-        try {
-            $total_byod_sidebar = Asset::where('byod', '=', '1')->count();
-            view()->share('total_byod_sidebar', $total_byod_sidebar);
-        } catch (\Exception $e) {
-            Log::debug($e);
-        }
-
-        try {
-            $total_due_for_audit = Asset::DueForAudit($settings)->count();
-            view()->share('total_due_for_audit', $total_due_for_audit);
-        } catch (\Exception $e) {
-            Log::debug($e);
-        }
-
-        try {
-            $total_overdue_for_audit = Asset::OverdueForAudit()->count();
-            view()->share('total_overdue_for_audit', $total_overdue_for_audit);
-        } catch (\Exception $e) {
-            Log::debug($e);
-        }
-
-        try {
-            $total_due_for_checkin = Asset::DueForCheckin($settings)->count();
-            view()->share('total_due_for_checkin', $total_due_for_checkin);
-        } catch (\Exception $e) {
-            Log::debug($e);
-        }
-
-        try {
-            $total_overdue_for_checkin = Asset::OverdueForCheckin()->count();
-            view()->share('total_overdue_for_checkin', $total_overdue_for_checkin);
-        } catch (\Exception $e) {
-            Log::debug($e);
-        }
-
-        view()->share('total_due_and_overdue_for_checkin', ($total_due_for_checkin + $total_overdue_for_checkin));
-        view()->share('total_due_and_overdue_for_audit', ($total_due_for_audit + $total_overdue_for_audit));
-
-        return $next($request);
-    }
-}

app/Http/Middleware/CheckForTwoFactor.php

@@ -46,6 +46,7 @@ class CheckForTwoFactor
                     return $next($request);
                 }
 
+                redirect()->setIntendedUrl(url()->full()); // save the 'current' URL so we can send the user back to it?
                 // Otherwise make sure they're enrolled and show them the 2FA code screen
                 if ((auth()->user()->two_factor_secret != '') && (auth()->user()->two_factor_enrolled == '1')) {
                     return redirect()->route('two-factor')->with('info', trans('auth/message.two_factor.enter_two_factor_code'));

app/Http/Middleware/SetPaginationDefaults.php

@@ -0,0 +1,34 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+
+class SetPaginationDefaults
+{
+    public function handle(Request $request, Closure $next)
+    {
+        $limit = config('app.max_results');
+        $intLimit = intval($request->input('limit'));
+
+        if (abs($intLimit) > 0 && $intLimit <= config('app.max_results')) {
+            $limit = abs($intLimit);
+        }
+
+        app()->instance('api_limit_value', $limit);
+
+        if ($request->filled('page') && ! $request->filled('offset')) {
+            $page = max(1, intval($request->input('page')));
+            $offset = ($page - 1) * $limit;
+        } else {
+            $offset = intval($request->input('offset'));
+            $page = $limit > 0 ? (int) floor($offset / $limit) + 1 : 1;
+        }
+
+        app()->instance('api_offset_value', $offset);
+        app()->instance('api_current_page', $page);
+
+        return $next($request);
+    }
+}

app/Http/Requests/CreateMultipleAssetRequest.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Requests;
 
+use App\Helpers\Helper;
 use App\Http\Requests\Traits\MayContainCustomFields;
 use App\Models\Asset;
 use App\Models\AssetModel;
@@ -26,6 +27,10 @@ class CreateMultipleAssetRequest extends ImageUploadRequest // should I extend f
     {
         parent::prepareForValidation();
 
+        if ($this->filled('purchase_cost') && ! is_float($this->input('purchase_cost')) && preg_match('/^[\d.,]+$/', (string) $this->input('purchase_cost'))) {
+            $this->merge(['purchase_cost' => Helper::ParseCurrency($this->input('purchase_cost'))]);
+        }
+
         if (Setting::getSettings()->full_multiple_companies_support == '1' && ! $this->user()->isSuperUser()) {
             $this->mergeIfMissing(['company_id' => $this->user()->company_id]);
         }

app/Http/Requests/CustomAssetReportRequest.php

@@ -29,6 +29,7 @@ class CustomAssetReportRequest extends Request
     public function rules()
     {
         return [
+            'assignment_status' => 'nullable|in:all,assigned,unassigned',
             'purchase_start' => 'date|date_format:Y-m-d|nullable',
             'purchase_end' => 'date|date_format:Y-m-d|nullable',
             'purchase_cost_end' => 'numeric|nullable|gte:purchase_cost_start',

app/Http/Requests/FilterRequest.php

@@ -2,9 +2,20 @@
 
 namespace App\Http\Requests;
 
+use App\Models\Accessory;
+use App\Models\Asset;
+use App\Models\AssetModel;
+use App\Models\Component;
+use App\Models\Consumable;
+use App\Models\License;
+use App\Models\LicenseSeat;
+use App\Models\Location;
+use App\Models\Maintenance;
+use App\Models\User;
 use App\Rules\ValidJson;
 use Illuminate\Contracts\Validation\ValidationRule;
 use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
 
 class FilterRequest extends FormRequest
 {
@@ -23,8 +34,37 @@ class FilterRequest extends FormRequest
      */
     public function rules(): array
     {
+        $allowedTypes = [
+            'accessory',
+            Accessory::class,
+            'asset',
+            Asset::class,
+            'assetmodel',
+            'assetModel',
+            'AssetModel',
+            AssetModel::class,
+            'component',
+            Component::class,
+            'consumable',
+            Consumable::class,
+            'license',
+            License::class,
+            'licenseseat',
+            'licenseSeat',
+            'LicenseSeat',
+            LicenseSeat::class,
+            'location',
+            Location::class,
+            'maintenance',
+            Maintenance::class,
+            'user',
+            User::class,
+        ];
+
         return [
             'filter' => ['nullable', new ValidJson],
+            'item_type' => ['nullable', Rule::in($allowedTypes)],
+            'target_type' => ['nullable', Rule::in($allowedTypes)],
         ];
     }
 }

app/Http/Requests/ItemImportRequest.php

@@ -41,7 +41,7 @@ class ItemImportRequest extends FormRequest
         $classString = "App\\Importer\\{$class}Importer";
         $importer = new $classString($filename);
         $import->field_map = request('column-mappings');
-        $import->created_by = auth()->id();
+        $import->created_by = $import->created_by ?? auth()->id();
         $import->save();
         $fieldMappings = [];
 
@@ -51,7 +51,7 @@ class ItemImportRequest extends FormRequest
 
                 if (is_null($fieldValue)) {
                     $errorMessage = trans('validation.import_field_empty', ['fieldname' => $field]);
-                    $this->errorCallback($import, $field, [$field => $errorMessage]);
+                    $this->errorCallback($import, $field, [$field => [$errorMessage]]);
 
                     return $this->errors;
                 }

app/Http/Requests/SaveUserRequest.php

@@ -34,6 +34,8 @@ class SaveUserRequest extends FormRequest
             'department_id' => 'nullable|integer|exists:departments,id',
             'manager_id' => 'nullable|integer|exists:users,id',
             'company_id' => ['nullable', 'integer', 'exists:companies,id'],
+            'company_ids' => 'nullable|array',
+            'company_ids.*' => 'integer|exists:companies,id',
         ];
 
         switch ($this->method()) {
@@ -52,13 +54,13 @@ class SaveUserRequest extends FormRequest
                 $rules['first_name'] = 'required|string|min:1';
                 $rules['username'] = 'required_unless:ldap_import,1|string|min:1';
                 $rules['password'] = Setting::passwordComplexityRulesSaving('update').'|confirmed';
-                $rules['company_id'] = [new UserCannotSwitchCompaniesIfItemsAssigned];
+                $rules['company_id'] = ['nullable', 'integer', 'exists:companies,id', new UserCannotSwitchCompaniesIfItemsAssigned];
                 break;
 
                 // Save only what's passed
             case 'PATCH':
                 $rules['password'] = Setting::passwordComplexityRulesSaving('update');
-                $rules['company_id'] = [new UserCannotSwitchCompaniesIfItemsAssigned];
+                $rules['company_id'] = ['nullable', 'integer', 'exists:companies,id', new UserCannotSwitchCompaniesIfItemsAssigned];
                 break;
 
             default:

app/Http/Requests/StoreAccessoryRequest.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Requests;
 
+use App\Helpers\Helper;
 use App\Models\Accessory;
 use App\Models\Category;
 use Illuminate\Contracts\Validation\ValidationRule;
@@ -21,6 +22,10 @@ class StoreAccessoryRequest extends ImageUploadRequest
     {
         parent::prepareForValidation();
 
+        if ($this->filled('purchase_cost') && ! is_float($this->input('purchase_cost')) && preg_match('/^[\d.,]+$/', (string) $this->input('purchase_cost'))) {
+            $this->merge(['purchase_cost' => Helper::ParseCurrency($this->input('purchase_cost'))]);
+        }
+
         if ($this->category_id) {
             if ($category = Category::find($this->category_id)) {
                 $this->merge([
@@ -28,7 +33,6 @@ class StoreAccessoryRequest extends ImageUploadRequest
                 ]);
             }
         }
-
     }
 
     /**

app/Http/Requests/StoreAssetRequest.php

@@ -2,10 +2,10 @@
 
 namespace App\Http\Requests;
 
+use App\Helpers\Helper;
 use App\Http\Requests\Traits\MayContainCustomFields;
 use App\Models\Asset;
 use App\Models\Company;
-use App\Models\Setting;
 use App\Rules\AssetCannotBeCheckedOutToNondeployableStatus;
 use Carbon\Carbon;
 use Carbon\Exceptions\InvalidFormatException;
@@ -39,6 +39,9 @@ class StoreAssetRequest extends ImageUploadRequest
         $this->merge([
             'asset_tag' => $this->asset_tag ?? Asset::autoincrement_asset(),
             'company_id' => $idForCurrentUser,
+            'purchase_cost' => $this->filled('purchase_cost') && ! is_float($this->input('purchase_cost')) && preg_match('/^[\d.,]+$/', (string) $this->input('purchase_cost'))
+                ? Helper::ParseCurrency($this->input('purchase_cost'))
+                : $this->input('purchase_cost'),
         ]);
     }
 
@@ -49,15 +52,6 @@ class StoreAssetRequest extends ImageUploadRequest
     {
         $modelRules = (new Asset)->getRules();
 
-        if (Setting::getSettings()->digit_separator === '1.234,56' && is_string($this->input('purchase_cost'))) {
-            // If purchase_cost was submitted as a string with a comma separator
-            // then we need to ignore the normal numeric rules.
-            // Since the original rules still live on the model they will be run
-            // right before saving (and after purchase_cost has been
-            // converted to a float via setPurchaseCostAttribute).
-            $modelRules = $this->removeNumericRulesFromPurchaseCost($modelRules);
-        }
-
         return array_merge(
             $modelRules,
             ['status_id' => [new AssetCannotBeCheckedOutToNondeployableStatus]],
@@ -81,20 +75,4 @@ class StoreAssetRequest extends ImageUploadRequest
             }
         }
     }
-
-    private function removeNumericRulesFromPurchaseCost(array $rules): array
-    {
-        $purchaseCost = $rules['purchase_cost'];
-
-        // If rule is in "|" format then turn it into an array
-        if (is_string($purchaseCost)) {
-            $purchaseCost = explode('|', $purchaseCost);
-        }
-
-        $rules['purchase_cost'] = array_filter($purchaseCost, function ($rule) {
-            return $rule !== 'numeric' && $rule !== 'gte:0';
-        });
-
-        return $rules;
-    }
 }

app/Http/Requests/StoreComponentRequest.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace App\Http\Requests;
+
+use App\Helpers\Helper;
+use App\Models\Component;
+use Illuminate\Support\Facades\Gate;
+
+class StoreComponentRequest extends ImageUploadRequest
+{
+    public function authorize(): bool
+    {
+        return Gate::allows('create', Component::class);
+    }
+
+    public function prepareForValidation(): void
+    {
+        if ($this->filled('purchase_cost') && ! is_float($this->input('purchase_cost')) && preg_match('/^[\d.,]+$/', (string) $this->input('purchase_cost'))) {
+            $this->merge(['purchase_cost' => Helper::ParseCurrency($this->input('purchase_cost'))]);
+        }
+    }
+
+    public function response(array $errors)
+    {
+        return $this->redirector->back()->withInput()->withErrors($errors, $this->errorBag);
+    }
+}

app/Http/Requests/StoreConsumableRequest.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Requests;
 
+use App\Helpers\Helper;
 use App\Models\Category;
 use App\Models\Consumable;
 use Illuminate\Contracts\Validation\ValidationRule;
@@ -21,6 +22,10 @@ class StoreConsumableRequest extends ImageUploadRequest
     {
         parent::prepareForValidation();
 
+        if ($this->filled('purchase_cost') && ! is_float($this->input('purchase_cost')) && preg_match('/^[\d.,]+$/', (string) $this->input('purchase_cost'))) {
+            $this->merge(['purchase_cost' => Helper::ParseCurrency($this->input('purchase_cost'))]);
+        }
+
         if ($this->category_id) {
             if ($category = Category::find($this->category_id)) {
                 $this->merge([
@@ -28,7 +33,6 @@ class StoreConsumableRequest extends ImageUploadRequest
                 ]);
             }
         }
-
     }
 
     /**

app/Http/Requests/UpdateAssetRequest.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Requests;
 
+use App\Helpers\Helper;
 use App\Http\Requests\Traits\MayContainCustomFields;
 use App\Models\Asset;
 use App\Models\Setting;
@@ -22,6 +23,13 @@ class UpdateAssetRequest extends ImageUploadRequest
         return Gate::allows('update', $this->asset);
     }
 
+    public function prepareForValidation(): void
+    {
+        if ($this->filled('purchase_cost') && ! is_float($this->input('purchase_cost')) && preg_match('/^[\d.,]+$/', (string) $this->input('purchase_cost'))) {
+            $this->merge(['purchase_cost' => Helper::ParseCurrency($this->input('purchase_cost'))]);
+        }
+    }
+
     /**
      * Get the validation rules that apply to the request.
      *
@@ -51,12 +59,6 @@ class UpdateAssetRequest extends ImageUploadRequest
             ],
         );
 
-        // if the purchase cost is passed in as a string **and** the digit_separator is ',' (as is common in the EU)
-        // then we tweak the purchase_cost rule to make it a string
-        if ($setting->digit_separator === '1.234,56' && is_string($this->input('purchase_cost'))) {
-            $rules['purchase_cost'] = ['nullable', 'string'];
-        }
-
         return $rules;
     }
 }

app/Http/Requests/UpdateComponentRequest.php

@@ -0,0 +1,35 @@
+<?php
+
+namespace App\Http\Requests;
+
+use App\Helpers\Helper;
+use Illuminate\Support\Facades\Gate;
+
+class UpdateComponentRequest extends ImageUploadRequest
+{
+    public function authorize(): bool
+    {
+        return Gate::allows('update', $this->component);
+    }
+
+    public function prepareForValidation(): void
+    {
+        if ($this->filled('purchase_cost') && ! is_float($this->input('purchase_cost')) && preg_match('/^[\d.,]+$/', (string) $this->input('purchase_cost'))) {
+            $this->merge(['purchase_cost' => Helper::ParseCurrency($this->input('purchase_cost'))]);
+        }
+    }
+
+    public function rules(): array
+    {
+        $min = $this->component->numCheckedOut();
+
+        return array_merge(parent::rules(), [
+            'qty' => "required|numeric|min:{$min}",
+        ]);
+    }
+
+    public function response(array $errors)
+    {
+        return $this->redirector->back()->withInput()->withErrors($errors, $this->errorBag);
+    }
+}

app/Http/Traits/CheckInOutTrait.php

@@ -1,13 +1,13 @@
 <?php
 
-namespace App\Http\Controllers;
+namespace App\Http\Traits;
 
 use App\Models\Asset;
 use App\Models\Location;
 use App\Models\SnipeModel;
 use App\Models\User;
 
-trait CheckInOutRequest
+trait CheckInOutTrait
 {
     /**
      * Find target for checkout

app/Http/Transformers/AccessoriesTransformer.php

@@ -26,6 +26,7 @@ class AccessoriesTransformer
             'id' => $accessory->id,
             'name' => e($accessory->name),
             'image' => ($accessory->image) ? Storage::disk('public')->url('accessories/'.e($accessory->image)) : null,
+            'qr_code_url' => route('qr_code/common', ['object_type' => 'accessories', 'id' => $accessory->id]),
             'company' => ($accessory->company) ? [
                 'id' => $accessory->company->id,
                 'name' => e($accessory->company->name),

app/Http/Transformers/ActionlogsTransformer.php

@@ -116,10 +116,10 @@ class ActionlogsTransformer
                                         $clean_meta[$fieldname]['old'] = '************';
                                         $clean_meta[$fieldname]['new'] = '************';
 
-                                        // Display the changes if the user is an admin or superadmin
-                                        if (Gate::allows('admin')) {
-                                            $clean_meta[$fieldname]['old'] = ($enc_old) ? unserialize($enc_old, ['allowed_classes' => false]) : '';
-                                            $clean_meta[$fieldname]['new'] = ($enc_new) ? unserialize($enc_new, ['allowed_classes' => false]) : '';
+                                        // Display the changes if the user has permission to view encrypted custom fields
+                                        if (Gate::allows('assets.view.encrypted_custom_fields')) {
+                                            $clean_meta[$fieldname]['old'] = ($enc_old) ? e(unserialize($enc_old, ['allowed_classes' => false])) : '';
+                                            $clean_meta[$fieldname]['new'] = ($enc_new) ? e(unserialize($enc_new, ['allowed_classes' => false])) : '';
                                         }
 
                                     }
@@ -293,6 +293,28 @@ class ActionlogsTransformer
             $clean_meta[trans('general.company')] = $clean_meta['company_id'];
             unset($clean_meta['company_id']);
         }
+
+        if (array_key_exists('companies', $clean_meta)) {
+            // clean_field() JSON-encodes array values into a string (e.g. "[14,15]").
+            // Decode them back to integer arrays before resolving names.
+            // Use withoutGlobalScopes so FMCS does not hide companies from the log viewer.
+            $resolveCompanyNames = function ($rawValue): string {
+                $ids = json_decode($rawValue, true);
+                if (empty($ids) || ! is_array($ids)) {
+                    return trans('general.unassigned');
+                }
+
+                return collect($ids)
+                    ->map(fn ($id) => Company::withoutGlobalScopes()->withTrashed()->find($id))
+                    ->map(fn ($c) => $c ? e($c->name) : trans('general.deleted'))
+                    ->join(', ');
+            };
+
+            $clean_meta['companies']['old'] = $resolveCompanyNames($clean_meta['companies']['old']);
+            $clean_meta['companies']['new'] = $resolveCompanyNames($clean_meta['companies']['new']);
+            $clean_meta[trans('general.companies')] = $clean_meta['companies'];
+            unset($clean_meta['companies']);
+        }
         if (array_key_exists('supplier_id', $clean_meta)) {
 
             $oldSupplier = $supplier->find($clean_meta['supplier_id']['old']);

app/Http/Transformers/AssetModelsTransformer.php

@@ -48,6 +48,7 @@ class AssetModelsTransformer
                 'tag_color' => ($assetmodel->manufacturer->tag_color) ? e($assetmodel->manufacturer->tag_color) : null,
             ] : null,
             'image' => ($assetmodel->image != '') ? Storage::disk('public')->url('models/'.e($assetmodel->image)) : null,
+            'qr_code_url' => route('qr_code/common', ['object_type' => 'models', 'id' => $assetmodel->id]),
             'model_number' => ($assetmodel->model_number ? e($assetmodel->model_number) : null),
             'min_amt' => ($assetmodel->min_amt) ? (int) $assetmodel->min_amt : null,
 

app/Http/Transformers/AssetsTransformer.php

@@ -98,6 +98,7 @@ class AssetsTransformer
                 'tag_color' => ($asset->defaultLoc->tag_color) ? e($asset->defaultLoc->tag_color) : null,
             ] : null,
             'image' => ($asset->getImageUrl()) ? $asset->getImageUrl() : null,
+            'qr_code_url' => route('qr_code/common', ['object_type' => 'hardware', 'id' => $asset->id]),
             'qr' => ($setting->qr_code == '1') ? Storage::disk('public')->url('barcodes/qr-'.str_slug($asset->asset_tag).'-'.str_slug($asset->id).'.png') : null,
             'alt_barcode' => ($setting->alt_barcode_enabled == '1') ? Storage::disk('public')->url('barcodes/'.str_slug($setting->alt_barcode).'-'.str_slug($asset->asset_tag).'.png') : null,
             'assigned_to' => $this->transformAssignedTo($asset),
@@ -144,7 +145,7 @@ class AssetsTransformer
 
                     $fields_array[$field->name] = [
                         'field' => e($field->db_column),
-                        'value' => e($value),
+                        'value' => ($field->element == 'markdown-textarea' && Gate::allows('assets.view.encrypted_custom_fields')) ? Helper::renderMarkdown($value) : e($value),
                         'field_format' => $field->format,
                         'element' => $field->element,
                     ];
@@ -158,7 +159,7 @@ class AssetsTransformer
 
                     $fields_array[$field->name] = [
                         'field' => e($field->db_column),
-                        'value' => e($value),
+                        'value' => ($field->element == 'markdown-textarea') ? Helper::renderMarkdown($value) : e($value),
                         'field_format' => $field->format,
                         'element' => $field->element,
                     ];
@@ -274,7 +275,7 @@ class AssetsTransformer
                         $value = Helper::getFormattedDateObject($value, 'date', false);
                     }
 
-                    $fields_array[$field->db_column] = e($value);
+                    $fields_array[$field->db_column] = ($field->element == 'markdown-textarea') ? Helper::renderMarkdown($value) : e($value);
                 }
 
                 $array['custom_fields'] = $fields_array;
@@ -388,6 +389,9 @@ class AssetsTransformer
         $permissions_array['available_actions'] = [
             'checkout' => false,
             'checkin' => Gate::allows('checkin', License::class),
+            'bulk_selectable' => [
+                'checkin' => Gate::allows('checkin', License::class),
+            ],
         ];
 
         $array += $permissions_array;

app/Http/Transformers/CategoriesTransformer.php

@@ -75,6 +75,9 @@ class CategoriesTransformer
             $permissions_array['available_actions'] = [
                 'update' => Gate::allows('update', Category::class),
                 'delete' => $category->isDeletable(),
+                'bulk_selectable' => [
+                    'delete' => $category->isDeletable(),
+                ],
             ];
 
             $array += $permissions_array;

app/Http/Transformers/CompaniesTransformer.php

@@ -30,6 +30,7 @@ class CompaniesTransformer
                 'fax' => ($company->fax != '') ? e($company->fax) : null,
                 'email' => ($company->email != '') ? e($company->email) : null,
                 'image' => ($company->image) ? Storage::disk('public')->url('companies/'.e($company->image)) : null,
+                'qr_code_url' => route('qr_code/common', ['object_type' => 'companies', 'id' => $company->id]),
                 'assets_count' => (int) $company->assets_count,
                 'licenses_count' => (int) $company->licenses_count,
                 'accessories_count' => (int) $company->accessories_count,

app/Http/Transformers/ComponentsTransformer.php

@@ -26,6 +26,7 @@ class ComponentsTransformer
             'id' => (int) $component->id,
             'name' => e($component->name),
             'image' => ($component->image) ? Storage::disk('public')->url('components/'.e($component->image)) : null,
+            'qr_code_url' => route('qr_code/common', ['object_type' => 'components', 'id' => $component->id]),
             'serial' => ($component->serial) ? e($component->serial) : null,
             'location' => ($component->location) ? [
                 'id' => (int) $component->location->id,