Squashed commit of the following:

commit 147fcfb
Merge: 58a3d09 fdcc17c
Author: snipe <snipe@snipe.net>
Date:   Tue Oct 22 15:12:55 2024 +0100

    Merge pull request #15676 from Toreg87/fixes/api_create_user_fmcs

    Fix user creation with FullMultipleCompanySupport enabled over API

commit 58a3d09
Merge: 30a06a5 867fa2f
Author: snipe <snipe@snipe.net>
Date:   Tue Oct 22 14:55:42 2024 +0100

    Merge pull request #15703 from marcusmoore/bug/sc-27188

    Linked accessory files in activity report

commit 30a06a5
Merge: 6c6af78 ce30863
Author: snipe <snipe@snipe.net>
Date:   Tue Oct 22 11:47:06 2024 +0100

    Merge pull request #15693 from marcusmoore/chore/remove-parallel-testing

    Removed brianium/paratest

commit 6c6af78
Merge: 9b06bbb 3f79fd7
Author: snipe <snipe@snipe.net>
Date:   Tue Oct 22 11:46:04 2024 +0100

    Merge pull request #15705 from marcusmoore/tests/icon-component-test

    Added test to ensure icon component does not end in newline

commit 3f79fd7
Author: Marcus Moore <contact@marcusmoore.io>
Date:   Mon Oct 21 17:07:40 2024 -0700

    Add test to ensure icon component does not end in newline

commit 9b06bbb
Merge: 46ad1d0 d7f7014
Author: snipe <snipe@snipe.net>
Date:   Mon Oct 21 22:38:26 2024 +0100

    Merge pull request #15704 from marcusmoore/bug/remove-extra-icon

    Removed second icon in accessory file list

commit ce30863
Author: Marcus Moore <contact@marcusmoore.io>
Date:   Mon Oct 21 13:57:04 2024 -0700

    Remove brianium/paratest dependency

commit d7f7014
Author: Marcus Moore <contact@marcusmoore.io>
Date:   Mon Oct 21 13:48:25 2024 -0700

    Remove extra icon in accessory file upload list

commit 867fa2f
Author: Marcus Moore <contact@marcusmoore.io>
Date:   Mon Oct 21 12:40:24 2024 -0700

    Display file in activity report for accessories

commit 0933a2d
Author: Marcus Moore <contact@marcusmoore.io>
Date:   Thu Oct 17 18:01:48 2024 -0700

    Remove --parallel flag

commit 46ad1d0
Merge: bcb4bd9 3cf746d
Author: snipe <snipe@snipe.net>
Date:   Thu Oct 17 15:29:47 2024 +0100

    Merge pull request #15680 from uberbrady/bulk_checkout_to_bulk_actions

    Bulk checkout to bulk actions

commit bcb4bd9
Merge: 2500375 f50ccbc
Author: snipe <snipe@snipe.net>
Date:   Thu Oct 17 10:20:13 2024 +0100

    Merge pull request #15683 from Toreg87/fixes/outdated_comment

    Fix outdated comment in CompanyableTrait

commit f50ccbc
Author: Tobias Regnery <tobias.regnery@gmail.com>
Date:   Thu Oct 17 11:07:28 2024 +0200

    Fix outdated comment in CompanyableTrait

    As of commit 5800e8d the user model uses CompanyableTrait so remove this clearly outdated comment

commit 3cf746d
Author: Brady Wetherington <bwetherington@grokability.com>
Date:   Wed Oct 16 23:13:32 2024 +0100

    Rework the bulk checkout to not change how all checkouts work

commit 6b7af80
Author: Brady Wetherington <bwetherington@grokability.com>
Date:   Thu Oct 10 13:28:23 2024 +0100

    Add 'bulk checkout' as one of the bulk actions in the bulk actions toolbar

commit fdcc17c
Author: Tobias Regnery <tobias.regnery@gmail.com>
Date:   Wed Oct 16 11:18:24 2024 +0200

    Fix user creation with FullMultipleCompanySupport enabled over API

    It is currently possible as a non-superuser to create a new user or patch an existing user with arbitrary company over the API if FullMultipleCompanySupport is enabled.
    Altough a highly unlikely scenario as the user needs permission to create API keys and new users, it is a bug that should get fixed.

    Add a call to getIdForCurrentUser() to normalize the company_id if FullMultipleCompanySupport is enabled.

Signed-off-by: snipe <snipe@snipe.net>

.github/workflows/tests-mysql.yml

@@ -76,4 +76,4 @@ jobs:
           DB_DATABASE: snipeit
           DB_PORT: ${{ job.services.mysql.ports[3306] }}
           DB_USERNAME: root
-        run: php artisan test --parallel
+        run: php artisan test

.github/workflows/tests-postgres.yml

@@ -74,4 +74,4 @@ jobs:
           DB_PORT: ${{ job.services.postgresql.ports[5432] }}
           DB_USERNAME: snipeit
           DB_PASSWORD: password
-        run: php artisan test --parallel
+        run: php artisan test

.github/workflows/tests-sqlite.yml

@@ -58,4 +58,4 @@ jobs:
       - name: Execute tests (Unit and Feature tests) via PHPUnit
         env:
           DB_CONNECTION: sqlite_testing
-        run: php artisan test --parallel
+        run: php artisan test

app/Http/Controllers/Api/UsersController.php

@@ -14,6 +14,7 @@
 use App\Models\Actionlog;
 use App\Models\Asset;
 use App\Models\Accessory;
+use App\Models\Company;
 use App\Models\Consumable;
 use App\Models\License;
 use App\Models\User;
@@ -371,6 +372,7 @@ public function store(SaveUserRequest $request) : JsonResponse
 
         $user = new User;
         $user->fill($request->all());
+        $user->company_id = Company::getIdForCurrentUser($request->input('company_id'));
         $user->created_by = auth()->id();
 
         if ($request->has('permissions')) {
@@ -452,6 +454,10 @@ public function update(SaveUserRequest $request, User $user): JsonResponse
 
             $user->fill($request->all());
 
+            if ($request->filled('company_id')) {
+                $user->company_id = Company::getIdForCurrentUser($request->input('company_id'));
+            }
+
             if ($user->id == $request->input('manager_id')) {
                 return response()->json(Helper::formatStandardApiResponse('error', null, 'You cannot be your own manager'));
             }

app/Http/Controllers/Assets/BulkAssetsController.php

@@ -52,6 +52,10 @@ public function edit(Request $request) : View | RedirectResponse
         }
 
         $asset_ids = $request->input('ids');
+        if ($request->input('bulk_actions') === 'checkout') {
+            $request->session()->flashInput(['selected_assets' => $asset_ids]);
+            return redirect()->route('hardware.bulkcheckout.show');
+        }
 
         // Figure out where we need to send the user after the update is complete, and store that in the session
         $bulk_back_url = request()->headers->get('referer');
@@ -571,31 +575,34 @@ public function storeCheckout(AssetCheckoutRequest $request) : RedirectResponse
             }
 
             $errors = [];
-            DB::transaction(function () use ($target, $admin, $checkout_at, $expected_checkin, $errors, $asset_ids, $request) {
+            DB::transaction(function () use ($target, $admin, $checkout_at, $expected_checkin, &$errors, $asset_ids, $request) { //NOTE: $errors is passsed by reference!
                 foreach ($asset_ids as $asset_id) {
                     $asset = Asset::findOrFail($asset_id);
                     $this->authorize('checkout', $asset);
 
-                    $error = $asset->checkOut($target, $admin, $checkout_at, $expected_checkin, e($request->get('note')), $asset->name, null);
+                    $checkout_success = $asset->checkOut($target, $admin, $checkout_at, $expected_checkin, e($request->get('note')), $asset->name, null);
 
+                    //TODO - I think this logic is duplicated in the checkOut method?
                     if ($target->location_id != '') {
                         $asset->location_id = $target->location_id;
-                        $asset->unsetEventDispatcher();
-                        $asset->save();
+                        // TODO - I don't know why this is being saved without events
+                        $asset::withoutEvents(function () use ($asset) {
+                            $asset->save();
+                        });
                     }
 
-                    if ($error) {
-                        array_merge_recursive($errors, $asset->getErrors()->toArray());
+                    if (!$checkout_success) {
+                        $errors = array_merge_recursive($errors, $asset->getErrors()->toArray());
                     }
                 }
             });
 
             if (! $errors) {
                 // Redirect to the new asset page
-                return redirect()->to('hardware')->with('success', trans('admin/hardware/message.checkout.success'));
+                return redirect()->to('hardware')->with('success', trans_choice('admin/hardware/message.multi-checkout.success', $asset_ids));
             }
             // Redirect to the asset management page with error
-            return redirect()->route('hardware.bulkcheckout.show')->with('error', trans('admin/hardware/message.checkout.error'))->withErrors($errors);
+            return redirect()->route('hardware.bulkcheckout.show')->withInput()->with('error', trans_choice('admin/hardware/message.multi-checkout.error', $asset_ids))->withErrors($errors);
         } catch (ModelNotFoundException $e) {
             return redirect()->route('hardware.bulkcheckout.show')->with('error', $e->getErrors());
         }

app/Http/Transformers/ActionlogsTransformer.php

@@ -141,6 +141,8 @@ public function transformActionlog (Actionlog $actionlog, $settings = null)
                 if ($actionlog->item) {
                     if ($actionlog->itemType() == 'asset') {
                         $file_url = route('show/assetfile', ['assetId' => $actionlog->item->id, 'fileId' => $actionlog->id]);
+                    } elseif ($actionlog->itemType() == 'accessory') {
+                        $file_url = route('show.accessoryfile', ['accessoryId' => $actionlog->item->id, 'fileId' => $actionlog->id]);
                     } elseif ($actionlog->itemType() == 'license') {
                         $file_url = route('show.licensefile', ['licenseId' => $actionlog->item->id, 'fileId' => $actionlog->id]);
                     } elseif ($actionlog->itemType() == 'user') {
@@ -345,4 +347,4 @@ public function changedInfo(array $clean_meta)
 
 
 
-}
+}

app/Models/CompanyableTrait.php

@@ -8,9 +8,6 @@ trait CompanyableTrait
      * This trait is used to scope models to the current company. To use this scope on companyable models,
      * we use the "use Companyable;" statement at the top of the mode.
      *
-     * We CANNOT USE THIS ON USERS, as it causes an infinite loop and prevents users from logging in, since this scope will be
-     * applied to the currently logged in (or logging in) user in addition to the user model for viewing lists of users.
-     *
      * @see \App\Models\Company\Company::scopeCompanyables()
      * @return void
      */

composer.json

@@ -74,7 +74,6 @@
     "ext-exif": "*"
   },
   "require-dev": {
-    "brianium/paratest": "^7.0",
     "fakerphp/faker": "^1.16",
     "larastan/larastan": "^2.9",
     "mockery/mockery": "^1.4",

resources/lang/en-US/admin/hardware/message.php

@@ -79,6 +79,11 @@
         'no_assets_selected' => 'You must select at least one asset from the list',
     ],
 
+    'multi-checkout' => [
+        'error'   => 'Asset was not checked out, please try again|Assets were not checked out, please try again',
+        'success' => 'Asset checked out successfully.|Assets checked out successfully.',
+    ],
+
     'checkin' => [
         'error'   		=> 'Asset was not checked in, please try again',
         'success' 		=> 'Asset checked in successfully.',

resources/views/accessories/view.blade.php

@@ -161,7 +161,6 @@ class="table table-striped snipe-table"
                                         showfile_routename="show.accessoryfile"
                                         deletefile_routename="delete/accessoryfile"
                                         :object="$accessory" />
-
                                 </div>
                             </div>
                         </div> <!-- /.tab-pane -->

resources/views/hardware/bulk-checkout.blade.php

@@ -115,5 +115,12 @@
 
 @section('moar_scripts')
 @include('partials/assets-assigned')
+<script nonce="{{ csrf_token() }}">
+    $(function () {
+        //if there's already a user selected, make sure their checked-out assets show up
+        // (if there isn't one, it won't do anything)
+        $('#assigned_user').change();
+    });
+</script>
 
 @stop

resources/views/partials/asset-bulk-actions.blade.php

@@ -16,17 +16,20 @@
     </label>
     <select name="bulk_actions" class="form-control select2" aria-label="bulk_actions" style="min-width: 350px;">
         @if((isset($status)) && ($status == 'Deleted'))
-        @can('delete', \App\Models\Asset::class)
-            <option value="restore">{{trans('button.restore')}}</option> 
-        @endcan
+            @can('delete', \App\Models\Asset::class)
+                <option value="restore">{{trans('button.restore')}}</option>
+            @endcan
         @else
-        @can('update', \App\Models\Asset::class)
-            <option value="edit">{{ trans('button.edit') }}</option>
-        @endcan
-        @can('delete', \App\Models\Asset::class)
-            <option value="delete">{{ trans('button.delete') }}</option>
-        @endcan
-        <option value="labels" {{$snipeSettings->shortcuts_enabled == 1 ? "accesskey=l" : ''}}>{{ trans_choice('button.generate_labels', 2) }}</option>
+            @can('update', \App\Models\Asset::class)
+                <option value="edit">{{ trans('button.edit') }}</option>
+            @endcan
+            @can('checkout', \App\Models\Asset::class)
+                <option value="checkout">{{ trans('general.bulk_checkout') }}</option>
+            @endcan
+            @can('delete', \App\Models\Asset::class)
+                <option value="delete">{{ trans('button.delete') }}</option>
+            @endcan
+            <option value="labels" {{$snipeSettings->shortcuts_enabled == 1 ? "accesskey=l" : ''}}>{{ trans_choice('button.generate_labels', 2) }}</option>
         @endif
     </select>
 

tests/Unit/BladeComponents/IconComponentTest.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace Tests\Unit\BladeComponents;
+
+use Illuminate\Support\Facades\View;
+use Illuminate\Support\Str;
+use Tests\TestCase;
+
+class IconComponentTest extends TestCase
+{
+    public function testIconComponentDoesNotEndInNewline()
+    {
+        $renderedTemplateString = View::make('blade.icon', ['type' => 'checkout'])->render();
+
+        $this->assertFalse(
+            Str::endsWith($renderedTemplateString, PHP_EOL),
+            'Newline found at end of icon component. Bootstrap tables will not render if there is a newline at the end of the file.'
+        );
+    }
+}