imbus · cz-lucas · Nov 20, 2025 · Nov 20, 2025 · Nov 20, 2025 · Nov 20, 2025
diff --git a/.github/workflows/SA-codeql.yml b/.github/workflows/SA-codeql.yml
@@ -26,7 +26,7 @@ jobs:
         language: [ 'javascript' ]
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

diff --git a/.github/workflows/codacy-analysis.yml b/.github/workflows/codacy-analysis.yml
@@ -32,7 +32,7 @@ jobs:
     steps:
       # Checkout the repository to the GitHub Actions runner
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
       - name: Run Codacy Analysis CLI

diff --git a/.github/workflows/crowdin-upload.yml b/.github/workflows/crowdin-upload.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Crowdin push
         uses: crowdin/github-action@v2

diff --git a/.github/workflows/docker-alpine.yml b/.github/workflows/docker-alpine.yml
@@ -42,7 +42,7 @@ jobs:
     steps:
       # https://github.com/actions/checkout
       - name: Checkout codebase
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       # https://github.com/docker/setup-buildx-action
       - name: Setup Docker Buildx

diff --git a/.github/workflows/docker-ubuntu.yml b/.github/workflows/docker-ubuntu.yml
@@ -42,7 +42,7 @@ jobs:
     steps:
       # https://github.com/actions/checkout
       - name: Checkout codebase
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       # https://github.com/docker/setup-buildx-action
       - name: Setup Docker Buildx

diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml
@@ -11,7 +11,7 @@ jobs:
   dockerHubDescription:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Docker Hub Description
         uses: grokability/dockerhub-description@7ea9d275c7cdbe2b676a093a0308c50665e3b8b4

diff --git a/.github/workflows/tests-mysql.yml b/.github/workflows/tests-mysql.yml
@@ -37,7 +37,7 @@ jobs:
           php-version: "${{ matrix.php-version }}"
           coverage: none
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Get Composer Cache Directory
         id: composer-cache

diff --git a/.github/workflows/tests-postgres.yml b/.github/workflows/tests-postgres.yml
@@ -34,7 +34,7 @@ jobs:
           php-version: "${{ matrix.php-version }}"
           coverage: none
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Get Composer Cache Directory
         id: composer-cache

diff --git a/.github/workflows/tests-sqlite.yml b/.github/workflows/tests-sqlite.yml
@@ -25,7 +25,7 @@ jobs:
           php-version: "${{ matrix.php-version }}"
           coverage: none
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Get Composer Cache Directory
         id: composer-cache

diff --git a/app/Http/Controllers/Api/AssetsController.php b/app/Http/Controllers/Api/AssetsController.php
@@ -3,38 +3,39 @@
 namespace App\Http\Controllers\Api;
 
 use App\Events\CheckoutableCheckedIn;
-use App\Http\Requests\StoreAssetRequest;
-use App\Http\Requests\UpdateAssetRequest;
-use App\Http\Traits\MigratesLegacyAssetLocations;
-use App\Http\Transformers\ComponentsTransformer;
-use App\Models\AccessoryCheckout;
-use App\Models\CheckoutAcceptance;
-use App\Models\LicenseSeat;
-use Illuminate\Database\Eloquent\Builder;
-use Illuminate\Http\JsonResponse;
-use Illuminate\Support\Facades\Crypt;
-use Illuminate\Support\Facades\Gate;
 use App\Helpers\Helper;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\AssetCheckoutRequest;
+use App\Http\Requests\FilterRequest;
+use App\Http\Requests\StoreAssetRequest;
+use App\Http\Requests\UpdateAssetRequest;
+use App\Http\Traits\MigratesLegacyAssetLocations;
 use App\Http\Transformers\AssetsTransformer;
+use App\Http\Transformers\ComponentsTransformer;
 use App\Http\Transformers\LicensesTransformer;
 use App\Http\Transformers\SelectlistTransformer;
+use App\Models\AccessoryCheckout;
 use App\Models\Asset;
 use App\Models\AssetModel;
+use App\Models\CheckoutAcceptance;
 use App\Models\Company;
 use App\Models\CustomField;
 use App\Models\License;
+use App\Models\LicenseSeat;
 use App\Models\Location;
 use App\Models\PredefinedFilter;
 use App\Models\Setting;
 use App\Models\User;
+use App\View\Label;
 use Carbon\Carbon;
-use Illuminate\Support\Facades\DB;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Crypt;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Route;
-use App\View\Label;
 use Illuminate\Support\Facades\Storage;
 use Illuminate\Support\Facades\Validator;
 
@@ -57,7 +58,7 @@ class AssetsController extends Controller
      * @param int $assetId
      * @since [v4.0]
      */
-    public function index(Request $request, $action = null, $upcoming_status = null):JsonResponse|array
+    public function index(FilterRequest $request, $action = null, $upcoming_status = null):JsonResponse|array
     {
 
 
@@ -147,6 +148,12 @@ public function index(Request $request, $action = null, $upcoming_status = null)
             $filter = json_decode($request->input('filter'), true);
         }
 
+        if (!isset($filter[0]['field'])){
+            $filter = array_filter($filter, function ($key) use ($allowed_columns){
+                return in_array($key, $allowed_columns);
+            }, ARRAY_FILTER_USE_KEY);
+        }
+
         $all_custom_fields = CustomField::all(); //used as a 'cache' of custom fields throughout this page load
         foreach ($all_custom_fields as $field) {
             $allowed_columns[] = $field->db_column_name();

diff --git a/app/Http/Controllers/Api/LicenseSeatsController.php b/app/Http/Controllers/Api/LicenseSeatsController.php
@@ -79,17 +79,14 @@ public function show($licenseId, $seatId) : JsonResponse | array
     {
 
         $this->authorize('view', License::class);
-        // sanity checks:
-        // 1. does the license seat exist?
-        if (! $licenseSeat = LicenseSeat::find($seatId)) {
-            return response()->json(Helper::formatStandardApiResponse('error', null, 'Seat not found'));
-        }
-        // 2. does the seat belong to the specified license?
-        if (! $licenseSeat = $licenseSeat->license()->first() || $licenseSeat->id != intval($licenseId)) {
-            return response()->json(Helper::formatStandardApiResponse('error', null, 'Seat does not belong to the specified license'));
+
+        if ($licenseSeat = LicenseSeat::where('license_id', $licenseId)->find($seatId)) {
+            return (new LicenseSeatsTransformer)->transformLicenseSeat($licenseSeat);
         }
 
-        return (new LicenseSeatsTransformer)->transformLicenseSeat($licenseSeat);
+        return response()->json(Helper::formatStandardApiResponse('error', null, 'Seat ID or license not found or the seat does not belong to this license'));
+
+
     }
 
     /**

diff --git a/app/Http/Controllers/Api/UsersController.php b/app/Http/Controllers/Api/UsersController.php
@@ -31,6 +31,7 @@
 use Illuminate\Support\Facades\Log;
 use App\Http\Requests\DeleteUserRequest;
 use Illuminate\Http\JsonResponse;
+use App\Http\Requests\FilterRequest;
 
 class UsersController extends Controller
 {
@@ -42,7 +43,7 @@ class UsersController extends Controller
      *
      * @return array
      */
-    public function index(Request $request) : array
+    public function index(FilterRequest $request) : array
     {
         $this->authorize('view', User::class);
 

diff --git a/app/Http/Requests/FilterRequest.php b/app/Http/Requests/FilterRequest.php
@@ -0,0 +1,29 @@
+<?php
+
+namespace App\Http\Requests;
+
+use App\Rules\ValidJson;
+use Illuminate\Foundation\Http\FormRequest;
+
+class FilterRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            'filter' => ['nullable', new ValidJson()],
+        ];
+    }
+}