From e62e2d5fc985e55b045d95275becf7248fe64377 Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Thu, 6 Oct 2022 16:37:39 +1100
Subject: [PATCH] Fixes for low permission users hitting list views

---
 app/Http/Controllers/BaseController.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/app/Http/Controllers/BaseController.php b/app/Http/Controllers/BaseController.php
index 4728fdd5a3cd..b004034e5d40 100644
--- a/app/Http/Controllers/BaseController.php
+++ b/app/Http/Controllers/BaseController.php
@@ -773,8 +773,16 @@ class BaseController extends Controller
 // 10-01-2022 need to ensure we snake case properly here to ensure permissions work as expected
 // 28-03-2022 this is definitely correct here, do not append _ to the view, it resolved correctly when snake cased
 if (auth()->user() && ! auth()->user()->hasPermission('view'.lcfirst(class_basename(Str::snake($this->entity_type))))) {
- //03-09-2022
- $query->where('user_id', '=', auth()->user()->id)->orWhere('assigned_user_id', auth()->user()->id);
+
+ //06-10-2022 - some entities do not have assigned_user_id - this becomes an issue when we have a large company and low permission users
+ if(lcfirst(class_basename(Str::snake($this->entity_type))) == 'user')
+ $query->where('id', auth()->user()->id);
+ elseif(in_array(lcfirst(class_basename(Str::snake($this->entity_type))),['design','group_setting','payment_term'])){
+ //need to pass these back regardless
+ }
+ else
+ $query->where('user_id', '=', auth()->user()->id)->orWhere('assigned_user_id', auth()->user()->id);
+
 }
 
 if (request()->has('updated_at') && request()->input('updated_at') > 0) {
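Review bot: The `else` branch's `->orWhere('assigned_user_id', ...)` is chained directly on `$query`, so any constraint already on the builder (a company scope or other filter applied earlier in the method, if one is there — the method starts and ends outside the hunk) is ANDed only with the `user_id` term while the `assigned_user_id` term stands alone at the top level of the WHERE; wrapping both terms in a `where(function ($q) { ... })` closure parenthesises the OR and keeps the outer constraints in force. The `design`/`group_setting`/`payment_term` branch deliberately applies no per-user filter, so it relies on whatever scope was applied before this block — a comment naming that assumption, e.g. `// relies on the company scope applied above; these entities carry no user_id/assigned_user_id`, would make the intent checkable. While here, `lcfirst(class_basename(Str::snake($this->entity_type)))` is evaluated three times and compared with `==` and a non-strict `in_array`; hoisting it into a local and using `===` / `in_array(..., true)` with braces on every branch avoids both the repetition and loose-comparison surprises.

```php
        if (auth()->user() && ! auth()->user()->hasPermission('view'.lcfirst(class_basename(Str::snake($this->entity_type))))) {
            $entity = lcfirst(class_basename(Str::snake($this->entity_type)));

            // … unchanged: 06-10-2022 comment …
            if ($entity === 'user') {
                $query->where('id', auth()->user()->id);
            } elseif (in_array($entity, ['design', 'group_setting', 'payment_term'], true)) {
                //need to pass these back regardless
            } else {
                // Group the OR so it cannot widen constraints already on $query.
                $query->where(function ($q) {
                    $q->where('user_id', auth()->user()->id)
                      ->orWhere('assigned_user_id', auth()->user()->id);
                });
            }
        }
```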