Regular users whose asset model permissions are all set to DENY can still view model information through the /models/{id}/clone endpoint, because the endpoint performs no authorize('view') check.
1: Create a regular user and set all asset model permissions to DENY.
2: Log in as the user.
3: Access asset model ID 1 via http://[SNIPE-URL]/models/1/clone
This vulnerability allows users without the view permission on asset models to still view asset models through the clone endpoint.
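A defender-side check for this class of bug, added here as an example and not taken from the report or from Snipe-IT's code: it scans a Laravel-style controller and lists the public methods that never call an authorization check. The controller source, its method names and view names are a constructed sample, and the brace matching assumes no braces inside string literals.

```python
import re

# Constructed sample: a simplified Laravel-style controller, NOT Snipe-IT's source.
SAMPLE_CONTROLLER = r'''
class AssetModelsController extends Controller
{
    public function show($modelId)
    {
        $this->authorize('view', AssetModel::class);
        return view('models/view', ['model' => AssetModel::find($modelId)]);
    }

    public function getClone($modelId)
    {
        $model = AssetModel::find($modelId);
        return view('models/edit')->with('item', clone $model);
    }
}
'''

# Start of a public method, up to and including its opening brace.
METHOD_RE = re.compile(r'public\s+function\s+(\w+)\s*\([^)]*\)\s*\{')
# Common Laravel authorization calls: controller helper and Gate facade.
AUTHZ_RE = re.compile(r'\$this->authorize\s*\(|Gate::(authorize|allows|denies)\s*\(')

def method_bodies(source):
    """Yield (name, body) for each public method, using simple brace matching."""
    for m in METHOD_RE.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {'{': 1, '}': -1}.get(source[i], 0)
            i += 1
        yield m.group(1), source[m.end():i - 1]

def unauthorized_methods(source, skip=('__construct',)):
    """Return names of public methods whose body has no authorization call."""
    return [name for name, body in method_bodies(source)
            if name not in skip and not AUTHZ_RE.search(body)]

if __name__ == '__main__':
    for name in unauthorized_methods(SAMPLE_CONTROLLER):
        print(f'missing authorization check: {name}')
```

A hit is a lead for review, not proof of a flaw, since authorization can also be enforced in route middleware or a form request.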