Merge pull request #14116 from marcusmoore/bug/sc-24475

Guard against passing non-integer for company_id when creating asset

app/Http/Requests/StoreAssetRequest.php

@@ -20,9 +20,16 @@ public function authorize(): bool
 
     public function prepareForValidation(): void
     {
+        // Guard against users passing in an array for company_id instead of an integer.
+        // If the company_id is not an integer then we simply use what was
+        // provided to be caught by model level validation later.
+        $idForCurrentUser = is_int($this->company_id)
+            ? Company::getIdForCurrentUser($this->company_id)
+            : $this->company_id;
+
         $this->merge([
             'asset_tag' => $this->asset_tag ?? Asset::autoincrement_asset(),
-            'company_id' => Company::getIdForCurrentUser($this->company_id),
+            'company_id' => $idForCurrentUser,
             'assigned_to' => $assigned_to ?? null,
         ]);
     }

tests/Feature/Api/Assets/AssetStoreTest.php

@@ -10,6 +10,7 @@
 use App\Models\Supplier;
 use App\Models\User;
 use Carbon\Carbon;
+use Illuminate\Testing\Fluent\AssertableJson;
 use Tests\Support\InteractsWithSettings;
 use Tests\TestCase;
 
@@ -425,4 +426,16 @@ public function testAnAssetCanBeCheckedOutToAssetOnStore()
         // I think this makes sense, but open to a sanity check
         $this->assertTrue($asset->assignedAssets()->find($response['payload']['id'])->is($apiAsset));
     }
+
+    public function testCompanyIdNeedsToBeInteger()
+    {
+        $this->actingAsForApi(User::factory()->createAssets()->create())
+            ->postJson(route('api.assets.store'), [
+                'company_id' => [1],
+            ])
+            ->assertStatusMessageIs('error')
+            ->assertJson(function (AssertableJson $json) {
+                $json->has('messages.company_id')->etc();
+            });
+    }
 }