From e2ef82b26662f3c0de9d6be108e4dc64335ff73e Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Mon, 23 Jan 2023 09:31:40 +1100
Subject: [PATCH] Fixes for content-disposition in CORS
---
 app/Http/Controllers/BaseController.php | 2 +-
 config/cors.php | 2 +-
 resources/views/portal/ninja2020/layout/clean.blade.php | 9 +++++++++
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/app/Http/Controllers/BaseController.php b/app/Http/Controllers/BaseController.php
index 7eb00f722853..73903e1a8373 100644
--- a/app/Http/Controllers/BaseController.php
+++ b/app/Http/Controllers/BaseController.php
@@ -861,7 +861,7 @@ class BaseController extends Controller
 /**/
 // 10-01-2022 need to ensure we snake case properly here to ensure permissions work as expected
 // 28-03-2022 this is definitely correct here, do not append _ to the view, it resolved correctly when snake cased
- if (auth()->user() && ! auth()->user()->hasPermission('view'.lcfirst(class_basename(Str::snake($this->entity_type))))) {
+ if (auth()->user() && ! auth()->user()->hasPermission('view_'.Str::snake(class_basename($this->entity_type)))) {
 //06-10-2022 - some entities do not have assigned_user_id - this becomes an issue when we have a large company and low permission users
 if(in_array($this->entity_type, [User::class])){
 $query->where('id', auth()->user()->id);
diff --git a/config/cors.php b/config/cors.php
index d90557c1a441..fdb09ab1d89f 100644
--- a/config/cors.php
+++ b/config/cors.php
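Review bot: The 28-03-2022 context comment directly above the changed condition still says `do not append _ to the view`, but the new check builds the name as `'view_'.Str::snake(class_basename($this->entity_type))`, so the comment now contradicts the code. This string decides whether the query below is narrowed for the current user, so a maintainer who trusts the stale comment could remove the underscore and change what the permission check matches. Replace that comment with something like `// permission key is 'view_' + snake_case(class basename of entity_type)`. The change is also unrelated to the CORS subject line and should be mentioned in the commit message; the enclosing method starts and ends outside the hunk.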
@@ -23,7 +23,7 @@ return [ 'allowed_origins_patterns' => [], - 'allowed_headers' => ['X-API-COMPANY-KEY,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE'], + 'allowed_headers' => ['X-API-COMPANY-KEY,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Disposition,Content-Type,Range,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE'], 'exposed_headers' => ['X-APP-VERSION,X-MINIMUM-CLIENT-VERSION,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE'], diff --git a/resources/views/portal/ninja2020/layout/clean.blade.php b/resources/views/portal/ninja2020/layout/clean.blade.php index 083045a7985a..17ee40e4947f 100644 --- a/resources/views/portal/ninja2020/layout/clean.blade.php +++ b/resources/views/portal/ninja2020/layout/clean.blade.php @@ -2,6 +2,15 @@ + @if(App\Utils\Ninja::isHosted()) + + + + @endif @if (isset($company) && $company->matomo_url && $company->matomo_id)
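Review bot: `Content-Disposition` is added only to `allowed_headers`, which governs the request headers a browser may send (Access-Control-Allow-Headers); `exposed_headers` on the next line is unchanged. If the intent, as the subject suggests, is to let front-end code read the filename from a download response, the header must also be listed there, e.g. `'exposed_headers' => ['X-APP-VERSION,X-MINIMUM-CLIENT-VERSION,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE,Content-Disposition'],`. Both lists are single comma-joined strings inside a one-element array rather than one element per header. Whether that is parsed as intended depends on how the CORS middleware joins and matches the entries, so it is worth confirming against the middleware version in use.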