Fix full company scoping in user selects #12467
Conversation
|
if (App::environment(['testing', 'testing-ci'])) { | ||
return $next($request); | ||
} | ||
|
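Review bot: this early return at the top of `SecurityHeaders` disables every security header in the `testing` and `testing-ci` environments, so no feature test can ever assert on those headers and a regression in the real code path would pass CI unnoticed. The only problem reported is the `header_remove()` call colliding with PHPUnit's already-sent output, so narrow the guard to that call (for example, skip it when `headers_sent()` is true) and let the rest of the middleware run under test.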
Reviewers: double-check that this check makes sense please. We don't want to accidentally disable this middleware 😅
Why would we want to bypass this in testing? (I'm sure there's a good reason for it, I'm just not coming up with it :) )
Great question that made me dig in a little more.

Calling `header_remove` in this middleware causes the tests to throw exceptions with the following error:

```
ErrorException : Cannot modify header information - headers already sent by (output started at /path/to/project/vendor/phpunit/phpunit/src/Util/Printer.php:104)
/path/to/project/app/Http/Middleware/SecurityHeaders.php:112
/path/to/project/app/Http/Middleware/SecurityHeaders.php:30
/path/to/project/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:167
/path/to/project/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php:21
/path/to/project/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ConvertEmptyStringsToNull.php:31
/path/to/project/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:167
/path/to/project/app/Http/Middleware/CheckForDebug.php:25
/path/to/project/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:167
/path/to/project/app/Http/Middleware/CheckForSetup.php:25
/path/to/project/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:167
/path/to/project/vendor/fideloper/proxy/src/TrustProxies.php:57
/path/to/project/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:167
/path/to/project/vendor/laravel/framework/src/Illuminate/View/Middleware/ShareErrorsFromSession.php:49
/path/to/project/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:167
/path/to/project/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php:121
/path/to/project/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php:64
/path/to/project/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:167
/path/to/project/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php:86
/path/to/project/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:167
/path/to/project/app/Http/Middleware/NoSessionStore.php:28
/path/to/project/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:167
/path/to/project/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:103
/path/to/project/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php:142
/path/to/project/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php:111
/path/to/project/vendor/laravel/framework/src/Illuminate/Foundation/Testing/Concerns/MakesHttpRequests.php:510
/path/to/project/vendor/laravel/framework/src/Illuminate/Foundation/Testing/Concerns/MakesHttpRequests.php:476
/path/to/project/vendor/laravel/framework/src/Illuminate/Foundation/Testing/Concerns/MakesHttpRequests.php:306
/path/to/project/tests/Feature/Api/Users/UsersForSelectListTest.php:25
```

That `if` check in such an important middleware is sketchy though. I'm pulling it out of this and adding a comment about it in the PR description.
This looks great, Marcus - thank you! A few small nits (and a question), but it's great work thank you!
@@ -1,6 +1,7 @@ | |||
<?php | |||
|
|||
return [ | |||
'company' => 'Company', |
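Review bot: the new `'company' => 'Company'` entry duplicates a label that already exists as `general.company`; point the template at the existing key instead, so translators maintain the string in one place and the two copies cannot drift apart.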
I think we can just use `general.company` here, no need to duplicate the string.
@@ -26,14 +26,23 @@ | |||
</div> | |||
<div class="box-body"> | |||
{{csrf_field()}} | |||
@if ($asset->company && $asset->company->name) | |||
<div class="form-group"> | |||
{{ Form::label('model', trans('admin/companies/general.company'), array('class' => 'col-md-3 control-label')) }} |
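Review bot: the label in the new form-group is bound to `'model'` (`Form::label('model', ...)`), so its `for` attribute targets the model field rather than the company value it describes; bind it to an id that matches the company element (or drop the binding) so click-to-focus and screen readers point at the right control.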
Same thing as above, `general.company` should work fine here.
Description

This PR fixes a bug in the user select menu that currently returns users from other companies when a search string is provided.

Example:

With Full Companies Support enabled, Marcus is an admin for Company A. Marcus attempts to sign out an asset that belongs to Company A. When selecting the user to check the asset out to, Marcus is presented with a list of users for Company A. So far so good 👍🏻

But, when Marcus types a query into the user search, he sees users from other companies 👎🏻

With this PR, the users returned are scoped to the users of the company that the requester belongs to.

Notes

`SecurityHeaders` middleware that skips it when running in testing environments.

On Testing

A few tests have been included in this PR but running the tests requires some changes that are outside of the scope of this PR and will be followed up on in the future:

- `DB_*` variables in `.env.testing-ci` should point to a valid MySQL database
- `DB_CONNECTION` in `phpunit.xml` should be `mysql`
- `SecurityHeaders` middleware

Type of change
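As an added example (not code from this PR or from Snipe-IT), the scoping defect the description reports, modelled in plain PHP arrays instead of Eloquent: the buggy select applies the company filter only when no search string is given, so a search leaks other companies' users, while the fixed select scopes before it searches. `FULL_COMPANY_SUPPORT`, the sample users and both function names are assumptions.

```php
<?php
// Added example, not code from the Snipe-IT PR. The buggy variant decides the company
// scope inside the no-search branch, so the search branch never applies it; the fixed
// variant scopes unconditionally first and only then narrows by the search term.
// FULL_COMPANY_SUPPORT, the user arrays and the function names are assumptions.

const FULL_COMPANY_SUPPORT = true; // stands in for the "Full Companies Support" setting

/** Constructed sample users: Marcus and Mark in Company A (id 1), Maria in Company B (id 2). */
function sampleUsers(): array
{
    return [
        ['id' => 1, 'name' => 'Marcus', 'company_id' => 1],
        ['id' => 2, 'name' => 'Maria',  'company_id' => 2],
        ['id' => 3, 'name' => 'Mark',   'company_id' => 1],
    ];
}

function matchesSearch(array $user, string $search): bool
{
    return stripos($user['name'], $search) !== false;
}

/** Buggy: the company scope lives only in the no-search branch. */
function usersForSelectBuggy(array $users, int $requesterCompanyId, ?string $search): array
{
    if ($search === null || $search === '') {
        return FULL_COMPANY_SUPPORT
            ? array_values(array_filter($users, fn ($u) => $u['company_id'] === $requesterCompanyId))
            : $users;
    }
    // Search path forgot the scope: matches come back from every company.
    return array_values(array_filter($users, fn ($u) => matchesSearch($u, $search)));
}

/** Fixed: scope on every path, then narrow by the search term. */
function usersForSelectFixed(array $users, int $requesterCompanyId, ?string $search): array
{
    if (FULL_COMPANY_SUPPORT) {
        $users = array_filter($users, fn ($u) => $u['company_id'] === $requesterCompanyId);
    }
    if ($search !== null && $search !== '') {
        $users = array_filter($users, fn ($u) => matchesSearch($u, $search));
    }
    return array_values($users);
}

// Marcus (Company A, id 1) searches for "mar"; compare which names each variant returns.
echo implode(', ', array_column(usersForSelectBuggy(sampleUsers(), 1, 'mar'), 'name')), PHP_EOL;
echo implode(', ', array_column(usersForSelectFixed(sampleUsers(), 1, 'mar'), 'name')), PHP_EOL;
```

The fix mirrors the PR's point: the scope must be part of every query path, not only the one exercised when the search box is empty.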