From fb4fe3004906acfc53a0d26e5e62569cb078d1e8 Mon Sep 17 00:00:00 2001
From: Tobias Regnery
Date: Fri, 11 Oct 2024 12:09:09 +0200
Subject: [PATCH] Fix asset creation with API and FullMultipleCompanySupport

It is currently possible to create an asset with arbitrary company without being superuser and FullMultipleCompanySupport enabled. This bug goes back to 75ac7f80b9 which is part of version 6.3.0. Fix this by restoring the previous behaviour to check the company_id with getIdForCurrentUser().

---
 app/Http/Controllers/Api/AssetsController.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/Http/Controllers/Api/AssetsController.php b/app/Http/Controllers/Api/AssetsController.php
index d4a103be3..00c5416af 100644
--- a/app/Http/Controllers/Api/AssetsController.php
+++ b/app/Http/Controllers/Api/AssetsController.php
@@ -598,6 +598,7 @@ class AssetsController extends Controller
         $asset->model()->associate(AssetModel::find((int) $request->get('model_id')));
         $asset->fill($request->validated());
+        $asset->company_id = Company::getIdForCurrentUser($request->validated()['company_id']);
         $asset->created_by = auth()->id();
         /**