diff --git a/app/Http/Requests/StoreAssetRequest.php b/app/Http/Requests/StoreAssetRequest.php
index 00c5d27be9a9..74988b6c62ad 100644
--- a/app/Http/Requests/StoreAssetRequest.php
+++ b/app/Http/Requests/StoreAssetRequest.php
@@ -20,9 +20,16 @@ public function authorize(): bool
 public function prepareForValidation(): void
 {
+ // Guard against users passing in an array for company_id instead of an integer.
+ // If the company_id is not an integer then we simply use what was
+ // provided to be caught by model level validation later.
+ $idForCurrentUser = is_int($this->company_id)
+ ? Company::getIdForCurrentUser($this->company_id)
+ : $this->company_id;
+
 $this->merge([
 'asset_tag' => $this->asset_tag ?? Asset::autoincrement_asset(),
- 'company_id' => Company::getIdForCurrentUser($this->company_id),
+ 'company_id' => $idForCurrentUser,
 'assigned_to' => $assigned_to ?? null,
 ]);
 }
diff --git a/tests/Feature/Api/Assets/AssetStoreTest.php b/tests/Feature/Api/Assets/AssetStoreTest.php
index 720526f5b50e..92a58a5006a6 100644
--- a/tests/Feature/Api/Assets/AssetStoreTest.php
+++ b/tests/Feature/Api/Assets/AssetStoreTest.php
@@ -10,6 +10,7 @@
 use App\Models\Supplier;
 use App\Models\User;
 use Carbon\Carbon;
+use Illuminate\Testing\Fluent\AssertableJson;
 use Tests\Support\InteractsWithSettings;
 use Tests\TestCase;
@@ -425,4 +426,16 @@ public function testAnAssetCanBeCheckedOutToAssetOnStore()
 // I think this makes sense, but open to a sanity check
 $this->assertTrue($asset->assignedAssets()->find($response['payload']['id'])->is($apiAsset));
 }
+
+ public function testCompanyIdNeedsToBeInteger()
+ {
+ $this->actingAsForApi(User::factory()->createAssets()->create())
+ ->postJson(route('api.assets.store'), [
+ 'company_id' => [1],
+ ])
+ ->assertStatusMessageIs('error')
+ ->assertJson(function (AssertableJson $json) {
+ $json->has('messages.company_id')->etc();
+ });
+ }
 }
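Review bot: A numeric-string or missing `company_id` now skips `Company::getIdForCurrentUser()`, because the `is_int()` guard in prepareForValidation() diverts every non-integer value, not only the array the comment describes. A value such as `"5"` (constructed example; form-encoded requests deliver ids as strings) and an omitted key (null) both fail `is_int()` and are merged unchanged. If `getIdForCurrentUser()` is what restricts the id to a company the current user may use (its body is not in this hunk, so this is inferred from the name), that restriction no longer applies to those inputs. Narrowing the guard to the case being defended against keeps the old path for everything else: `$idForCurrentUser = is_array($this->company_id) ? $this->company_id : Company::getIdForCurrentUser($this->company_id);`. The new testCompanyIdNeedsToBeInteger in AssetStoreTest.php covers only the array input, so a case with a string id and one with the key omitted would pin the scoping behaviour.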