From b1560015aeaf80b4c7351c0569f5352fcf5dd49f Mon Sep 17 00:00:00 2001
From: Deon George <deon@dege.au>
Date: Thu, 17 Oct 2024 16:25:49 +1100
Subject: [PATCH] Allow users to update their auto_hold status

---
 app/Http/Controllers/SystemController.php      | 12 +++++++++---
 resources/views/system/widget/system.blade.php |  2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/app/Http/Controllers/SystemController.php b/app/Http/Controllers/SystemController.php
index 5581c58..7696bfa 100644
--- a/app/Http/Controllers/SystemController.php
+++ b/app/Http/Controllers/SystemController.php
@@ -488,10 +488,16 @@ class SystemController extends Controller
 	public function api_autohold_toggle(Request $request,string $state): array
 	{
 		$o = System::findOrFail($request->id);
-		$o->autohold = $state === 'off' ? FALSE : TRUE;
-		$o->save();
 
-		Log::debug(sprintf('%s:- Autohold set to [%s]',self::LOGKEY,$o->autohold ? 'ON' : 'OFF'));
+		if ($request->user()->can('update_nn',$o)) {
+			$o->autohold = !($state === 'off');
+			$o->save();
+
+			Log::debug(sprintf('%s:- Autohold set to [%s]',self::LOGKEY,$o->autohold ? 'ON' : 'OFF'));
+
+		} else {
+			abort(403);
+		}
 
 		return ['autohold'=>$o->autohold];
 	}
diff --git a/resources/views/system/widget/system.blade.php b/resources/views/system/widget/system.blade.php
index 599914b..f3f6e51 100644
--- a/resources/views/system/widget/system.blade.php
+++ b/resources/views/system/widget/system.blade.php
@@ -303,7 +303,7 @@ use App\Models\{Mailer,User};
 		<div class="row">
 			<div class="col-12">
 				<div class="row p-0">
-					@can('admin',$o)
+					@can('update_nn',$o)
 						<div class="col-6">
 							<label for="autohold" class="form-label">Auto Hold</label>
 							<div class="input-group">