Add ability to map users to multiple companies with FullMultipleCompanySupport

We have a hierarchical set of companies grouped in multiple layers:
 a) the upper layer must have access to all companies
 b) the lowest layer must be scoped to only one company
 c) the middle layer must have access to multiple companies of the lowest layer, but not all of them

a) and b) is possible with FullMultipleCompanySupport and super user, but c) is currently not supported.

To accomplish this, I propose the concept of "mapped" companies.
Users with a mapped company can see and update all resources of the mapped company according to the users permissions, just like the "primary" company.

A new mapping table is created and linked to users and companies and the company scoping function is updated accordingly.
The mapping table only contains additional mappings, not the "primary" company of the user.
In the user edit view a new tab is created to map users to companies.

The validation logic must be changed for this. Currently a scoped user can't change the company.
Now it must be possible for users with mapped companies to choose between companies.
To do this, two changes are needed:
 - the company selectlist gets scoped to the primary and the mapped companies
 - a new validator is introduced to validate if the user is allowed to choose a company or if a company is required. This validator handles input through the UI and the API

The logic if a user is edited must be changed accordingly:
- If a different "primary" company is assigned to a user, the mapping table must be updated.
- Bulk editing this must also be supported.
- If a user gets cloned, the mappings must be cloned.

I implemented this feature with performance and backward compatibility in mind. There is no overhead if FullMultipleCompanySupport is disabled.
The feature is fully optional, there is only minimal overhead if FullMultipleCompanySupport is enabled and no mappings are used.

Author: Toreg87

app/Http/Controllers/Api/AssetsController.php

@@ -733,9 +733,6 @@ public function update(UpdateAssetRequest $request, Asset $asset): JsonResponse
         if ($request->has('model_id')) {
             $asset->model()->associate(AssetModel::find($request->validated()['model_id']));
         }
-        if ($request->has('company_id')) {
-            $asset->company_id = Company::getIdForCurrentUser($request->validated()['company_id']);
-        }
         if ($request->has('rtd_location_id') && !$request->has('location_id')) {
             $asset->location_id = $request->validated()['rtd_location_id'];
         }

app/Http/Controllers/Api/UsersController.php

@@ -510,6 +510,11 @@ public function update(SaveUserRequest $request, User $user): JsonResponse
 
             if ($request->filled('company_id')) {
                 $user->company_id = Company::getIdForCurrentUser($request->input('company_id'));
+
+                // Remove the new company from the fmcs mapping table
+                if (Company::isFullMultipleCompanySupportEnabled() && $user->companies()->get()->contains($request->input('company_id'))) {
+                    $user->companies()->detach($request->input('company_id'));
+                }
             }
 
             if ($user->id == $request->input('manager_id')) {

app/Http/Controllers/Users/BulkUsersController.php

@@ -9,6 +9,7 @@
 use App\Models\License;
 use App\Models\Actionlog;
 use App\Models\Asset;
+use App\Models\Company;
 use App\Models\Group;
 use App\Models\LicenseSeat;
 use App\Models\ConsumableAssignment;
@@ -234,6 +235,13 @@ public function update(Request $request)
             }
         }
 
+        // Remove the new company from the fmcs mapping table
+        if ($request->filled('company_id') && Company::isFullMultipleCompanySupportEnabled()) {
+            foreach ($users as $user) {
+                $user->companies()->detach($request->input('company_id'));
+            }
+        }
+
         return redirect()->route('users.index')
             ->with($return_array);
     }

app/Http/Controllers/Users/UsersController.php

@@ -70,7 +70,16 @@ public function create(Request $request)
 
         $user = new User;
 
-        return view('users/edit', compact('groups', 'userGroups', 'permissions', 'userPermissions'))
+        $fmcs = Company::isFullMultipleCompanySupportEnabled();
+        if ($fmcs) {
+            $companies = Company::pluck('name', 'id');
+            $companyMappings = $user->company_ids();
+        } else {
+            $companies = null;
+            $companyMappings = null;
+        }
+
+        return view('users/edit', compact('groups', 'userGroups', 'permissions', 'userPermissions', 'fmcs', 'companies', 'companyMappings'))
             ->with('user', $user);
     }
 
@@ -156,6 +165,15 @@ public function store(SaveUserRequest $request)
                 $user->groups()->sync([]);
             }
 
+            // Update the company mappings after removing the own company from the input, only super user are allowed to change the mappings
+            if (Company::isFullMultipleCompanySupportEnabled() && auth()->user()->isSuperUser()) {
+                $company_mappings = $request->input('companyMappings');
+                if ($company_mappings && ($key = array_search($user->company_id, $company_mappings)) !== false) {
+                    unset($company_mappings[$key]);
+                }
+                $user->companies()->sync($company_mappings);
+            }
+
             return Helper::getRedirectOption($request, $user->id, 'Users')
                 ->with('success', trans('admin/users/message.success.create'));
         }
@@ -206,7 +224,16 @@ public function edit(User $user)
             $userPermissions = Helper::selectedPermissionsArray($permissions, $user->permissions);
             $permissions = $this->filterDisplayable($permissions);
 
-            return view('users/edit', compact('user', 'groups', 'userGroups', 'permissions', 'userPermissions'))->with('item', $user);
+            $fmcs = Company::isFullMultipleCompanySupportEnabled();
+            if ($fmcs) {
+                $companies = Company::pluck('name', 'id');
+                $companyMappings = $user->company_ids();
+            } else {
+                $companies = null;
+                $companyMappings = null;
+            }
+
+            return view('users/edit', compact('user', 'groups', 'userGroups', 'permissions', 'userPermissions', 'fmcs', 'companies', 'companyMappings'))->with('item', $user);
         }
 
     }
@@ -327,6 +354,15 @@ public function update(SaveUserRequest $request, User $user)
         app(ImageUploadRequest::class)->handleImages($user, 600, 'avatar', 'avatars', 'avatar');
         session()->put(['redirect_option' => $request->get('redirect_option')]);
 
+        // Update the company mappings after removing the own company from the input, only super user are allowed to change the mappings
+        if (Company::isFullMultipleCompanySupportEnabled() && auth()->user()->isSuperUser()) {
+            $company_mappings = $request->input('companyMappings');
+            if ($company_mappings && ($key = array_search($user->company_id, $company_mappings)) !== false) {
+                unset($company_mappings[$key]);
+            }
+            $user->companies()->sync($company_mappings);
+        }
+
         if ($user->save()) {
             // Redirect to the user page
             return Helper::getRedirectOption($request, $user->id, 'Users')
@@ -482,8 +518,17 @@ public function getClone(Request $request, User $user)
 
             $userPermissions = Helper::selectedPermissionsArray($permissions, $clonedPermissions);
 
+            $fmcs = Company::isFullMultipleCompanySupportEnabled();
+            if ($fmcs) {
+                $companies = Company::pluck('name', 'id');
+                $companyMappings = $user_to_clone->company_ids();
+            } else {
+                $companies = null;
+                $companyMappings = null;
+            }
+
             // Show the page
-            return view('users/edit', compact('permissions', 'userPermissions'))
+            return view('users/edit', compact('permissions', 'userPermissions', 'fmcs', 'companies', 'companyMappings'))
                 ->with('user', $user)
                 ->with('groups', Group::pluck('name', 'id'))
                 ->with('userGroups', $userGroups)

app/Http/Requests/UpdateAssetRequest.php

@@ -4,6 +4,7 @@
 
 use App\Http\Requests\Traits\MayContainCustomFields;
 use App\Models\Asset;
+use App\Models\Company;
 use App\Models\Setting;
 use Illuminate\Support\Facades\Gate;
 use Illuminate\Validation\Rule;
@@ -21,6 +22,13 @@ public function authorize()
         return Gate::allows('update', $this->asset);
     }
 
+    public function prepareForValidation(): void
+    {
+        $this->merge([
+            'company_id' => Company::getIdForCurrentUser($this->company_id),
+        ]);
+    }
+
     /**
      * Get the validation rules that apply to the request.
      *

app/Models/Accessory.php

@@ -63,7 +63,7 @@ class Accessory extends SnipeModel
         'name'              => 'required|min:3|max:255',
         'qty'               => 'required|integer|min:1',
         'category_id'       => 'required|integer|exists:categories,id',
-        'company_id'        => 'integer|nullable',
+        'company_id'        => 'integer|nullable|fmcs_validator',
         'location_id'       => 'exists:locations,id|nullable|fmcs_location',
         'min_amt'           => 'integer|min:0|nullable',
         'purchase_cost'     => 'numeric|nullable|gte:0|max:9999999999999',

app/Models/Asset.php

@@ -103,7 +103,7 @@ public function declinedCheckout(User $declinedBy, $signature)
         'status_id'         => ['required', 'integer', 'exists:status_labels,id'],
         'asset_tag'         => ['required', 'min:1', 'max:255', 'unique_undeleted:assets,asset_tag', 'not_array'],
         'name'              => ['nullable', 'max:255'],
-        'company_id'        => ['nullable', 'integer', 'exists:companies,id'],
+        'company_id'        => ['nullable', 'integer', 'exists:companies,id', 'fmcs_validator'],
         'warranty_months'   => ['nullable', 'numeric', 'digits_between:0,240'],
         'last_checkout'     => ['nullable', 'date_format:Y-m-d H:i:s'],
         'last_checkin'      => ['nullable', 'date_format:Y-m-d H:i:s'],

app/Models/Company.php

@@ -75,7 +75,7 @@ final class Company extends SnipeModel
         'notes',
     ];
 
-    private static function isFullMultipleCompanySupportEnabled()
+    public static function isFullMultipleCompanySupportEnabled()
     {
         $settings = Setting::getSettings();
 
@@ -109,21 +109,12 @@ public static function getIdFromInput($unescaped_input)
      */
     public static function getIdForCurrentUser($unescaped_input)
     {
-        if (! static::isFullMultipleCompanySupportEnabled()) {
-            return static::getIdFromInput($unescaped_input);
+        $current_user = auth()->user();
+        $input = static::getIdFromInput($unescaped_input);
+        if (static::canManageUsersCompanies()) {
+            return $input;
         } else {
-            $current_user = auth()->user();
-
-            // Super users should be able to set a company to whatever they need
-            if ($current_user->isSuperUser()) {
-                return static::getIdFromInput($unescaped_input);
-            } else {
-                if ($current_user->company_id != null) {
-                    return $current_user->company_id;
-                } else {
-                    return null;
-                }
-            }
+            return $current_user->company_id;
         }
     }
 
@@ -165,14 +156,17 @@ public static function isCurrentUserHasAccess($companyable)
 
         if (auth()->user()) {
             // Log::warning('Companyable is '.$companyable);
-            $current_user_company_id = auth()->user()->company_id;
+            $current_user = auth()->user();
             $companyable_company_id = $companyable->company_id;
 
             // Set this to check companyable on company
             if ($companyable instanceof Company) {
                 $companyable_company_id = $companyable->id;
             }
-            return ($current_user_company_id == null) || ($current_user_company_id == $companyable_company_id) || auth()->user()->isSuperUser();
+
+            return ($current_user->company_id == null
+                    || $current_user->company_ids()->contains($companyable_company_id)
+                    || $current_user->isSuperUser());
         }
 
         return false;
@@ -186,8 +180,11 @@ public static function isCurrentUserAuthorized()
 
     public static function canManageUsersCompanies()
     {
-        return ! static::isFullMultipleCompanySupportEnabled() || auth()->user()->isSuperUser() ||
-                auth()->user()->company_id == null;
+        $current_user = auth()->user();
+        return (!static::isFullMultipleCompanySupportEnabled()
+                || $current_user->isSuperUser()
+                || $current_user->company_id == null
+                || $current_user->company_ids()->count() > 1);
     }
 
     /**
@@ -300,7 +297,11 @@ private static function scopeCompanyablesDirectly($query, $column = 'company_id'
 
         // If we are scoping the companies table itself, look for the company.id
         if ($query->getModel()->getTable() == 'companies') {
-            return $query->where('companies.id', '=', $company_id);
+            if ($company_id != null) {
+                return $query->whereIn('companies.id', auth()->user()->company_ids());
+            } else {
+                return $query->where('companies.id', '=', null);
+            }
         }
 
 
@@ -310,7 +311,11 @@ private static function scopeCompanyablesDirectly($query, $column = 'company_id'
             // Dynamically get the table name if it's not passed in, based on the model we're querying against
             $table = ($table_name) ? $table_name."." : $query->getModel()->getTable().".";
 
-            return $query->where($table.$column, '=', $company_id);
+            if ($company_id != null) {
+                return $query->whereIn($table.$column, auth()->user()->company_ids());
+            } else {
+                return $query->where($table.$column, '=', null);
+            }
         }
 
 

app/Models/Component.php

@@ -39,7 +39,7 @@ class Component extends SnipeModel
         'qty'            => 'required|integer|min:1',
         'category_id'    => 'required|integer|exists:categories,id',
         'supplier_id'    => 'nullable|integer|exists:suppliers,id',
-        'company_id'     => 'integer|nullable|exists:companies,id',
+        'company_id'     => 'integer|nullable|exists:companies,id|fmcs_validator',
         'location_id'    => 'exists:locations,id|nullable|fmcs_location',
         'min_amt'        => 'integer|min:0|nullable',
         'purchase_date'   => 'date_format:Y-m-d|nullable',

app/Models/Department.php

@@ -33,7 +33,7 @@ class Department extends SnipeModel
     protected $rules = [
         'name'                  => 'required|max:255|is_unique_department',
         'location_id'           => 'numeric|nullable',
-        'company_id'            => 'numeric|nullable',
+        'company_id'            => 'numeric|nullable|fmcs_validator',
         'manager_id'            => 'numeric|nullable',
     ];