Summary
Multiple auth/authz vulnerabilities allow unauthenticated site modification, any registered user to access admin panel, and cross-vendor data manipulation.
Findings
1. Unauthenticated site settings modification (CRITICAL)
routes/web.php lines 158-160 — SiteSettings routes defined outside the admin middleware group. No auth middleware. Any unauthenticated user can PUT /site-settings/update to change site name, tagline, SEO metadata, contact info, footer text.
2. No role enforcement on admin panel (HIGH)
routes/web.php line 46 — Admin routes use only middleware('auth') with no role check. No is_admin column, no Gate/Policy, no Spatie permissions. The default /register route (Laravel Auth::routes()) creates User records that automatically have full admin access. Any self-registered user is a full administrator.
3. Cross-vendor order deletion (HIGH)
Vendor/OrderController.php — destroy() uses whereHas to check only that the order contains at least one product from the requesting vendor. A multi-vendor order can therefore be deleted by any participating vendor, destroying the other vendors' records.
4. Cross-vendor social media link IDOR (HIGH)
Vendor/SocialMediaLinkRepository.php — find(), update(), delete() have no vendor_id scoping, and the SocialMediaLink model has no vendor_id column at all. Any vendor can modify or delete any other vendor's social media links by id.
5. Unauthenticated product review (MEDIUM)
routes/store.php line 49 — POST /product/review/store requires no auth. Auth::guard('customer')->id() returns null for guests. Reviews auto-approved.
6. Vendor profile password update without current password verification (LOW)
Vendor/ProfileController.php — Skips Hash::check() for current password. Admin profile correctly verifies it.
Recommended Fix
- Move SiteSettings routes inside admin middleware group
- Add admin role/permission check to admin routes
- Scope vendor queries by authenticated vendor_id
- Require auth on review submission
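Sketch of the recommended fixes for findings 1, 2, 4 and 6 as Laravel excerpts. This is an added example, not code from the project; it assumes an `is_admin` boolean on users, a `vendor` auth guard, a `vendor_id` column added to social_media_links, and the controller/model class names shown.

```php
<?php
// Added example, not the project's code. Assumed (not in the report): an `is_admin`
// column on users, a `vendor` guard, a `vendor_id` column on social_media_links,
// and the SiteSettingsController / SocialMediaLink class names.

use App\Http\Controllers\Admin\SiteSettingsController;
use App\Models\SocialMediaLink;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

// Findings 1 and 2: AuthServiceProvider::boot() defines an explicit admin gate ...
Gate::define('admin', fn ($user) => (bool) $user->is_admin);

// ... and routes/web.php puts the site-settings route inside a group that requires
// both a session ('auth') and the admin role ('can:admin'). Guests are redirected
// to login; a self-registered non-admin user gets a 403.
Route::middleware(['auth', 'can:admin'])->prefix('admin')->group(function () {
    Route::put('/site-settings/update', [SiteSettingsController::class, 'update'])
        ->name('admin.site-settings.update');
});

// Finding 4: every repository lookup starts from the authenticated vendor's rows,
// so an id that belongs to another vendor yields a 404 rather than their record.
class SocialMediaLinkRepository
{
    private function ownedLinks()
    {
        return SocialMediaLink::where('vendor_id', Auth::guard('vendor')->id());
    }

    public function find(int $id): SocialMediaLink
    {
        return $this->ownedLinks()->findOrFail($id);
    }

    public function update(int $id, array $data): SocialMediaLink
    {
        $link = $this->find($id);   // scoped lookup, not SocialMediaLink::find($id)
        $link->update($data);
        return $link;
    }

    public function delete(int $id): void
    {
        $this->find($id)->delete();
    }
}

// Finding 6: the vendor profile must verify the current password with Hash::check,
// exactly as the admin profile already does, before accepting a new one.
function currentPasswordVerified(string $currentPassword, $vendor): bool
{
    return Hash::check($currentPassword, $vendor->password);
}
```

A regression test for finding 2 can register a fresh user via /register and assert that a subsequent PUT to /admin/site-settings/update returns 403.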