From 9e1d7ffb5dffcc6c5fb65f822c2b144e2f9aafb9 Mon Sep 17 00:00:00 2001 From: Tobias Regnery Date: Tue, 6 Jul 2021 09:08:29 +0200 Subject: [PATCH] Fix scope of departments for FullMultipleCompanySupport If a user tries to view or edit a department from a different company with FullMultipleCompanySupport enabled, there is a 403 error displayed. Apply the correct company scope in order to only display the departments from the own company in the departments view. Signed-off-by: Tobias Regnery
---
 app/Http/Controllers/Api/DepartmentsController.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/app/Http/Controllers/Api/DepartmentsController.php b/app/Http/Controllers/Api/DepartmentsController.php
index b692d378b..752c58a04 100644
--- a/app/Http/Controllers/Api/DepartmentsController.php
+++ b/app/Http/Controllers/Api/DepartmentsController.php
@@ -6,6 +6,7 @@ use App\Helpers\Helper;
 use App\Http\Controllers\Controller;
 use App\Http\Transformers\DepartmentsTransformer;
 use App\Http\Transformers\SelectlistTransformer;
+use App\Models\Company;
 use App\Models\Department;
 use Auth;
 use Illuminate\Http\Request;
@@ -25,7 +26,7 @@ class DepartmentsController extends Controller
 $this->authorize('view', Department::class);
 $allowed_columns = ['id','name','image','users_count'];
- $departments = Department::select([
+ $departments = Company::scopeCompanyables(Department::select(
 'departments.id',
 'departments.name',
 'departments.location_id',
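Review bot: The company scope is added to the index listing only, so any other action in this controller that queries `Department` directly would still return rows from other companies when FullMultipleCompanySupport is on. The import of `SelectlistTransformer` suggests a select-list endpoint exists further down the file; it is not part of this patch and should be checked for the same `Company::scopeCompanyables(...)` wrapper. A short comment above the query, for example `// Limit results to the caller's company when FullMultipleCompanySupport is enabled`, would record why the wrapper is there. The method body starts before this hunk and the call is closed in the next hunk.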
@@ -33,8 +34,8 @@ class DepartmentsController extends Controller
 'departments.manager_id',
 'departments.created_at',
 'departments.updated_at',
- 'departments.image'
- ])->with('users')->with('location')->with('manager')->with('company')->withCount('users as users_count');
+ 'departments.image'),
+ "company_id", "departments")->with('users')->with('location')->with('manager')->with('company')->withCount('users as users_count');
 if ($request->filled('search')) {
 $departments = $departments->TextSearch($request->input('search'));
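Review bot: The `company_id` constraint is added before `TextSearch`, and whether it still holds for search requests depends on how that scope builds its conditions, which this patch does not show. If `TextSearch` appends top-level `orWhere` clauses, a search term could match departments outside the caller's company; confirm that it groups its terms in a nested `where` closure, and add a test that searches as a user of one company for a department name belonging to another. The eager-loaded `users` relation and `users_count` are not scoped here either, which matters only if a department can hold users from a different company. On style, the new arguments use double quotes where the rest of the query uses single quotes: `'company_id', 'departments')->with('users')`.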