From c1a065384782fc01ea2591a7dda63f81774dc1aa Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 11 Feb 2022 12:31:11 -0800
Subject: [PATCH] Restrict to update or create gate methods for select lists

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Providers/AuthServiceProvider.php | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index 2a0851d1e..056d3eb5f 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -179,12 +179,18 @@ class AuthServiceProvider extends ServiceProvider
         // to the logged in API user, but creating assets, licenses, etc won't work 
         // if the user can't view and interact with the select lists.
         Gate::define('view.selectlists', function ($user) {
-            return $user->can('view', Asset::class)   
-                || $user->can('view', License::class)   
-                || $user->can('view', Component::class)   
-                || $user->can('view', Consumable::class)   
-                || $user->can('view', Accessory::class)   
-                || $user->can('view', User::class);   
+            return $user->can('update', Asset::class) 
+                || $user->can('create', License::class)    
+                || $user->can('update', License::class)   
+                || $user->can('create', License::class)   
+                || $user->can('update', Component::class)
+                || $user->can('create', Component::class)   
+                || $user->can('update', Consumable::class)   
+                || $user->can('create', Consumable::class)   
+                || $user->can('update', Accessory::class)
+                || $user->can('create', Accessory::class)   
+                || $user->can('update', User::class)
+                || $user->can('create', User::class);   
         });
     }
 }