From 918e7c8dae4d41935f534901a582ea8488bbf603 Mon Sep 17 00:00:00 2001
From: Haxatron <76475453+Haxatron@users.noreply.github.com>
Date: Thu, 9 Dec 2021 12:57:04 +0800
Subject: [PATCH 1/2] Fix access control - https://huntr.dev/bounties/19453ef1-4d77-4cff-b7e8-1bc8f3af0862/
---
 app/Http/Controllers/AssetModelsController.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/app/Http/Controllers/AssetModelsController.php b/app/Http/Controllers/AssetModelsController.php
index 29914b40a..05fd8257d 100755
--- a/app/Http/Controllers/AssetModelsController.php
+++ b/app/Http/Controllers/AssetModelsController.php
@@ -269,6 +269,7 @@ class AssetModelsController extends Controller
 */
 public function getClone($modelId = null)
 {
+ $this->authorize('view', AssetModel::class);
 // Check if the model exists
 if (is_null($model_to_clone = AssetModel::find($modelId))) {
 return redirect()->route('models.index')->with('error', trans('admin/models/message.does_not_exist'));
From 1699c09758e56f740437674a8d6ba36443399f24 Mon Sep 17 00:00:00 2001
From: Haxatron <76475453+Haxatron@users.noreply.github.com>
Date: Thu, 9 Dec 2021 21:42:18 +0800
Subject: [PATCH 2/2] Update AssetModelsController.php
---
 app/Http/Controllers/AssetModelsController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/Http/Controllers/AssetModelsController.php b/app/Http/Controllers/AssetModelsController.php
index 05fd8257d..8d5734607 100755
--- a/app/Http/Controllers/AssetModelsController.php
+++ b/app/Http/Controllers/AssetModelsController.php
@@ -269,7 +269,7 @@ class AssetModelsController extends Controller
 */
 public function getClone($modelId = null)
 {
- $this->authorize('view', AssetModel::class);
+ $this->authorize('create', AssetModel::class);
 // Check if the model exists
 if (is_null($model_to_clone = AssetModel::find($modelId))) {
 return redirect()->route('models.index')->with('error', trans('admin/models/message.does_not_exist'));
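Review bot: In the final `getClone` (patch 2/2) the only gate is `$this->authorize('create', AssetModel::class);`, yet the lines right after it load an existing record through `AssetModel::find($modelId)` to serve as the clone source. The method body continues outside the hunk, so this is inferred: if that record's fields are passed to the clone form, an account granted create but not view on asset models could read a model it is otherwise not permitted to see. Consider adding `$this->authorize('view', $model_to_clone);` directly after the existence check, assuming the policy's `view` ability accepts a model instance. A feature test asserting that a user without the create permission gets a 403 on this route would keep the access-control fix from regressing.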