Prevent unauthorized access to device graphs

Users could access info for the wrong device by piggyback on port permissions

app/Http/Controllers/DeviceController.php

@@ -72,6 +72,12 @@ class DeviceController extends Controller
         if ($current_tab == 'port') {
             $vars = Url::parseLegacyPath($request->path());
             $port = Port::findOrFail($vars->get('port'));
+
+            // This prevents users from traversal device id's by piggybacking on the auth for the specified port
+            if ($port->device_id !== $device_id) {
+                abort(404);
+            }
+
             $this->authorize('view', $port);
         } else {
             $this->authorize('view', $device);