Adds #10578, #18180, (partly) #4651: Printables (dynamic HTML templates) #18804
Draft
AnnikenYT wants to merge 14 commits into
- Add `printables` table migration and `category_printable` pivot table migration
- Add `Printable` Eloquent model with `categories()` and `creator()` relationships
- Add `printables()` BelongsToMany relationship to `Category` model
- Add `PrintablePolicy` (maps to categories permission column) and register in AuthServiceProvider
- Add `PrintableService` with `render()`, `renderBulk()`, and `availableVariables()` supporting core variables ({asset_tag}, {model_name}, {serial}, {custom_field_*}, etc.)
- Add `SavePrintableRequest` form request
- Add `PrintablesController` (index/create/store/edit/update/destroy, superuser access)
- Add `getPrintable()` to AssetsController for single-asset printable generation with category association check
- Add `printables` bulk action to BulkAssetsController with printable_id routing
- Add resource route for printables and per-asset generation route in hardware.php
- Add Printables nav link in default layout
- Add printable button blade component (dropdown for multiple templates per category)
- Add bulk-assets UI: printables option + dynamic printable_id selector shown on selection
- Add printables section to category edit view for assignment from category side
- Update CategoriesController create/edit/store/update to handle printable assignment
- Add printer-friendly single-asset show view and bulk-generate view
- Add printables index and edit views (with HTML textarea editor + variable insertion buttons + live preview)
- Add PrintableFactory, feature tests (Ui/PrintablesTest), and unit tests (PrintableServiceTest)
- Add en-US language strings for printables
Agent-Logs-Url: https://github.com/AnnikenYT/snipe-it/sessions/f1974e80-1b21-4de9-8de8-1b6779155418
Co-authored-by: AnnikenYT <61291253+AnnikenYT@users.noreply.github.com>
Note: I intentionally made the design decision to implement the templating from scratch so as not to add a heavy dependency such as twig.
Not up to standards ⛔
Member
This feature sounds pretty interesting! I'm glad you mentioned the XSS issues - it's a big part of why we haven't implemented customized email templates, etc. (Not to mention that some people are pretty bad at HTML, so they'll implement a broken HTML template and then blame it on us, naturally.) I'm still concerned about both of those things, but am curious to see where this goes.
christian-roeser added a commit to christian-roeser/snipe-it that referenced this pull request Apr 16, 2026
Implements the Printables feature (based on PR grokability#18804) with security fixes:
- Safe recursive descent expression parser (no eval())
- XSS protection via htmlspecialchars() on variable output
- Configurable encrypted field visibility per printable
New files: Model, Service, Controller, Policy, Migrations, Views, Tests
Modified: AssetsController, BulkAssetsController, CategoriesController, Category model, AuthServiceProvider, routes, layouts, lang (en-US/de-DE)
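The variable-output escaping named in the commit message above, shown as an added example (not code from either PR or from Snipe-IT). `renderPlaceholders()` is a hypothetical helper, and the template and asset values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not from the PR: substitutes {name} placeholders in an
// admin-authored HTML template. The placeholder names follow the
// {asset_tag}, {serial}, {custom_field_*} convention from the commit message.
function renderPlaceholders(string $template, array $values, bool $escape): string
{
    $out = preg_replace_callback(
        '/\{([a-z0-9_]+)\}/i',
        static function (array $m) use ($values, $escape): string {
            if (!array_key_exists($m[1], $values)) {
                return $m[0]; // unknown placeholder: leave it visible, do not guess
            }
            $value = (string) $values[$m[1]];
            // ENT_QUOTES also encodes ' and ", so the value cannot break out of
            // a quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 bytes.
            return $escape
                ? htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
                : $value;
        },
        $template
    );
    if ($out === null) {
        throw new RuntimeException('placeholder substitution failed');
    }
    return $out;
}

// Constructed template: the same field is used in element text and in an attribute.
$template = '<h1>Handover: {asset_tag}</h1>' . "\n"
          . '<p title="{custom_field_notes}">Serial {serial}: {custom_field_notes}</p>';

// Constructed asset data: a custom field that any user able to edit assets could set.
$asset = [
    'asset_tag'          => 'A-0042',
    'serial'             => 'SN-123',
    'custom_field_notes' => '"><script>alert(1)</script>',
];

$raw  = renderPlaceholders($template, $asset, false); // value lands in the page as markup
$safe = renderPlaceholders($template, $asset, true);  // value is rendered as inert text

echo "--- unescaped ---\n", $raw, "\n--- escaped ---\n", $safe, "\n";
echo 'script tag in raw output:  ', var_export(strpos($raw, '<script>') !== false, true), "\n";
echo 'script tag in safe output: ', var_export(strpos($safe, '<script>') !== false, true), "\n";
```

Escaping at substitution time covers element text and quoted attribute values only; a placeholder placed in an unquoted attribute, a URL, or a script block needs context-specific encoding. It also leaves the template HTML itself trusted, so who may author templates remains a separate control.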
Before you get a heart attack at the 48,831 deletions, most of them are from d003c57, which I rebased onto my branch (branched off of master instead of develop accidentally).
What this does for the User
This PR allows users to create simple, twig-like HTML templates dynamically (via settings as opposed to via file) which can include any field, including custom ones, in whatever way the user sees fit. Once created, these "Printables" can easily be rendered one by one or in bulk for each asset. These can then be simply printed via the browser.
This can be used for a whole bulk of tasks: Handover Forms, Informational Letters, ....
Anything that can be designed in HTML, really. This pretty much Fixes #10578, #18180 and opens the door for #4651, although I don't think it exactly matches their use case.
My personal use-case for this is to create letters for sim cards on checkout:

I'm aware that this is not quite as good as rendering to a PDF, but I wasn't able to figure out a good way to make user-editable PDFs simple enough for a non-technical end-user.
Technical overview
A printable here is a plain HTML string that can contain Twig-Like template strings which contain info about the asset, checked out user or other (current date(time), more to come).
As of right now, any user that can create categories can also create printables - which is only admins and superadmins, if I'm not mistaken.
A user creates a Printable and assigns it to one or more Asset categories. Note that I'm only intending to have these for Assets, not consumables, accessories, components or licenses.
Note that currently, the HTML template straight up gets stored with no sort of sanitization or anything. This obviously opens the door for XSS. The only reason I left it at this is that I'm the only admin in my company, and the only one that creates templates. Obviously that's not good enough for a release though, so Sanitizing this is on my To-Do.
Note that templates can contain encrypted fields. I need this for my use-case, and am aware that this can expose encrypted fields to non-admin users. For my use case this is intended, I'd love to make this configurable though.
For viewing, the template is rendered using the `PrintableTemplateRenderer` which implements variables and a basic expression syntax with support for `{% if %} {% elif %} {% else %}` and `??`. I did choose to implement this from scratch, as it seemed easier and more lightweight in comparison to a full templating library like twig.
A note on AI usage
I'm ashamed to admit it, but quite a bit of the code in this PR has been written by AI (this text is fully human-written though!). I initially only planned to make these changes as a quick and dirty solution for internal use at my employer, and since my PHP is pretty rusty, I figured this was the best way to go about that. However, I have since checked all generated code, fixed most issues (some are still WIP, hence the draft PR), and extensively tested everything. I'm confident enough to deploy this in my (very well secured and back-up'd) production environment, and am planning to fix any kinks that pop up. There might still be some obvious things I've missed, as I said, my PHP is rusty. Any help is, obviously, appreciated.
Suboptimal commits
During the "Quick and Dirty" phase of this I committed a few things that probably shouldn't be committed, such as the livewire dist and a `composer update`. I'll revert these before the final PR.
Other than that I think I merged everything correctly, but I'm not a git wizard, so I might've done something wrong somewhere.
To-do