Summary
Unifiedtransform uses Spatie permissions on only 4 of 16 controllers, with the remaining 12 controllers having zero authorization middleware. The Blade templates use @if(Auth::user()->role == "admin") to hide menu items, but this is UI-only — the endpoints remain accessible to any authenticated user (students, teachers).
Vulnerability Class
CWE-862: Missing Authorization — Server-side authorization checks are absent on most controllers. The application relies on UI-based visibility to restrict access rather than server-side enforcement.
Pattern: store() Protected, update()/delete() Not
Many controllers have FormRequest authorize() on store() but use raw Request on update(), edit(), and delete():
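The following is an added illustration of that pattern, not Unifiedtransform's own source: one FormRequest whose authorize() gates store(), beside an update() that takes the raw Request and is therefore reachable by any logged-in user. The class and field names (StoreSectionRequest, Section, section_name) are assumed for the example; the `role` attribute on the user is the one the page's Blade check already relies on.

```php
<?php
// Added example of the "store() protected, update() not" pattern.
// Not the project's code: StoreSectionRequest, Section and section_name
// are assumed names. Shown as one file for readability; in a Laravel app
// the two classes live under app/Http/Requests and app/Http/Controllers.

// app/Http/Requests/StoreSectionRequest.php
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

// Laravel runs authorize() before the controller method and answers 403
// when it returns false, so everything typed against this class is gated.
class StoreSectionRequest extends FormRequest
{
    public function authorize(): bool
    {
        return $this->user() !== null && $this->user()->role === 'admin';
    }

    public function rules(): array
    {
        return ['section_name' => ['required', 'string', 'max:50']];
    }
}

// app/Http/Controllers/SectionController.php
namespace App\Http\Controllers;

use App\Http\Requests\StoreSectionRequest;
use App\Models\Section;
use Illuminate\Http\Request;

class SectionController extends Controller
{
    // Protected: a student's POST never reaches this body, because
    // StoreSectionRequest::authorize() rejects it first.
    public function store(StoreSectionRequest $request)
    {
        Section::create($request->validated());
        return back()->with('status', 'Section created');
    }

    // VULNERABLE (the pattern on this page): the plain Request class has no
    // authorize() hook and nothing here checks the role, so any authenticated
    // user who sends PUT /sections/{id} can rename any section.
    public function update(Request $request, int $id)
    {
        $section = Section::findOrFail($id);
        $section->update(['section_name' => $request->input('section_name')]);
        return back()->with('status', 'Section updated');
    }

    // HARDENED: type-hint the same FormRequest (or a dedicated
    // UpdateSectionRequest with an identical authorize()) so that update()
    // is gated exactly like store(). Nothing else needs to change.
    public function updateHardened(StoreSectionRequest $request, int $id)
    {
        $section = Section::findOrFail($id);
        $section->update($request->validated());
        return back()->with('status', 'Section updated');
    }
}
```

The quick audit for this pattern is mechanical: for every controller method bound to a state-changing route, check whether its request parameter is a FormRequest subclass with a non-trivial authorize(); a bare `Illuminate\Http\Request` on update(), edit() or destroy() next to a FormRequest on store() is the signature described above.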
Critical Findings
- Student/Teacher Profile Update IDOR (UserController.php:148,167): updateStudent() and updateTeacher() don't verify that the authenticated user is an admin, so any authenticated user can modify any student or teacher profile.
- Mark System No Authorization (MarkController.php): zero constructor middleware, so any authenticated user (including students) can create, edit and view marks.
High Findings
- Event CRUD (EventController.php:38-68): calendarEvents() handles create, edit and delete via a type switch with no authorization, so any user can create, edit or delete school events.
- Exam Controller (ExamController.php): no constructor middleware; exam management is accessible to all roles.
- Promotion Controller (PromotionController.php:124): student promotion (moving students to the next class) without authorization.
- Section Update (SectionController.php:115): update() unprotected while store() has a FormRequest.
- Course Update (CourseController.php:113): same 1-of-N pattern; update() lacks authorization.
- Exam Rule Edit/Update (ExamRuleController.php:96,113): edit() and update() unprotected.
- Grade Rule Delete (GradeRuleController.php:111): destroy() has no authorization.
- Routine Controller (RoutineController.php): no constructor middleware.
Medium Findings
- Role in fillable (User.php:39): the role field is in the $fillable array, so any code path that passes unfiltered request input to create(), update() or fill() lets the caller choose their own role (mass assignment). Combined with the missing authorization above, this is a potential role-escalation path.
- Notice form exposure (NoticeController.php): no middleware.
- Syllabus Controller (SyllabusController.php): no middleware.
- Grading System (GradingSystemController.php): no middleware.
- Teacher Course Enumeration (AssignedTeacherController.php): no middleware.
- Assignment Controller (AssignmentController.php): no middleware.
- Student Course IDOR: students can access courses they are not enrolled in.
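As an added example of the mass-assignment finding above (not Unifiedtransform's code), this shows how a fillable `role` lets an unauthorized update call set the caller's own role, and how to close it at the controller and at the model. ProfileController, its update() route and the promoteTo() helper are assumed names; the `role` column is the one the page's Blade check reads.

```php
<?php
// Added example for the "role in $fillable" finding. Not the project's code:
// ProfileController, the route behind update(), and promoteTo() are assumed.
// Two classes shown in one file for readability.

// app/Models/User.php
namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    // The page's version (User.php:39) also lists 'role' here. Removing it
    // means no create()/update()/fill() call, however careless, can change
    // the role from client-supplied input.
    protected $fillable = ['name', 'email', 'password'];

    // The only sanctioned way to change a role: explicit, and gated on the
    // actor. Direct property assignment bypasses mass-assignment rules,
    // which is exactly what we want for a deliberate, checked write.
    public function promoteTo(string $role, User $actor): void
    {
        if ($actor->role !== 'admin') {
            abort(403, 'Only admins may change roles');
        }
        $this->role = $role;
        $this->save();
    }
}

// app/Http/Controllers/ProfileController.php
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class ProfileController extends Controller
{
    // VULNERABLE while 'role' is fillable: a body of
    //     name=Alice&email=alice%40example.org&role=admin
    // makes the caller an admin, because every fillable key present in
    // $request->all() is written to the row.
    public function update(Request $request)
    {
        Auth::user()->update($request->all());
        return back();
    }

    // HARDENED at the controller: only validated keys reach the model.
    // 'role' has no rule, so validate() drops it even if the model still
    // lists it as fillable. Do both fixes; either one alone closes the hole,
    // together they survive the next developer's shortcut.
    public function updateHardened(Request $request)
    {
        $data = $request->validate([
            'name'  => ['required', 'string', 'max:100'],
            'email' => ['required', 'email', 'max:255'],
        ]);
        Auth::user()->update($data);
        return back();
    }
}
```

To confirm the fix in a feature test, log in as a student, send the `role=admin` body to the update route, reload the user and assert that `role` is unchanged; with `role` still fillable and `$request->all()` still in use, that assertion fails.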
Root Cause
Only 4 of 16 controllers apply authorization middleware:
- SchoolClassController: can:view classes
- UserController: can:view users (but this permission is granted to ALL roles, negating the protection)
- AttendanceController: can:view attendances
- AcademicSettingController: can:view academic settings
The remaining 12 controllers have zero authorization. The left-menu Blade template hides admin links from non-admin users, but the underlying routes are accessible to anyone with a session.
Suggested Fix
Add Spatie permission middleware to every controller that currently has none. The 'permission' alias must be registered as a route middleware in the HTTP kernel, and the permission used must be granted to the admin role only; a permission that every role holds (as with 'view users' above) enforces nothing:
// In each controller constructor:
public function __construct() {
$this->middleware('permission:manage events'); // or appropriate permission
}
Or add policy-based authorization to individual methods via $this->authorize(), which is the better fit for per-object decisions such as the profile-update IDOR, where the question is not only "is this an admin" but "may this user touch this record".
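The following is an added example of both remedies applied to the Event and User findings above. It is not Unifiedtransform's code: the permission name 'manage events', the Event model and its fields, the UserPolicy class and the validation rules are assumed; the `role` attribute is the one the page's Blade check uses.

```php
<?php
// Added example of constructor middleware plus a per-method policy check.
// Not the project's code: 'manage events', Event (with fillable title/start/end),
// UserPolicy and the field names are assumed. Three classes in one file for
// readability; in the app they live in their usual Laravel locations.

// app/Http/Controllers/EventController.php
namespace App\Http\Controllers;

use App\Models\Event;
use App\Models\User;
use Illuminate\Http\Request;

class EventController extends Controller
{
    public function __construct()
    {
        // Server-side gate on every action, whatever the left menu shows.
        // 'permission' is Spatie's route middleware alias; the permission must
        // be assigned to the admin role only. except() keeps the read-only
        // listing open if that is intended; drop it to gate everything.
        $this->middleware('permission:manage events')->except(['index']);
    }

    public function index()
    {
        return response()->json(Event::all());
    }

    // The type switch is unchanged in spirit; the middleware above now covers
    // every branch, so a student's POST never reaches this body.
    public function calendarEvents(Request $request)
    {
        $request->validate(['type' => ['required', 'in:add,update,delete']]);
        $fields = $request->only(['title', 'start', 'end']);

        switch ($request->input('type')) {
            case 'add':
                return response()->json(Event::create($fields), 201);
            case 'update':
                $event = Event::findOrFail($request->input('id'));
                $event->update($fields);
                return response()->json($event);
            case 'delete':
                Event::findOrFail($request->input('id'))->delete();
                return response()->json(['deleted' => true]);
        }
    }
}

// app/Http/Controllers/UserController.php
class UserController extends Controller
{
    // Policy-based remedy for the profile-update IDOR (UserController.php:148).
    // The decision is made per target record, which is what the IDOR needs:
    // an admin passes, anyone else gets 403 regardless of which id they send.
    public function updateStudent(Request $request, int $id)
    {
        $student = User::findOrFail($id);
        $this->authorize('update', $student); // dispatches to UserPolicy::update()

        $student->update($request->validate([
            'name'  => ['required', 'string', 'max:100'],
            'email' => ['required', 'email', 'max:255'],
        ]));
        return back()->with('status', 'Student updated');
    }
}

// app/Policies/UserPolicy.php (auto-discovered for App\Models\User)
namespace App\Policies;

use App\Models\User;

class UserPolicy
{
    // Matches the page's requirement: only admins may edit student/teacher
    // profiles. If self-service editing is wanted later, add
    // "|| $actor->id === $target->id" here rather than in the controller.
    public function update(User $actor, User $target): bool
    {
        return $actor->role === 'admin';
    }
}
```

Either remedy should be pinned down with a feature test rather than trusted from the menu: `$this->actingAs($student)->post('/events', [...])->assertForbidden()` for the middleware, and the same shape against the student-update route with another student's id for the policy. Since the project already uses `can:` middleware (Laravel's Gate check, which Spatie feeds with each permission), `can:manage events` is an equivalent spelling if the 'permission' alias is not registered.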
Impact
Any authenticated user (student or teacher) can:
- Modify marks/grades
- Create/delete school events
- Promote students between classes
- Edit exam rules and grade rules
- Modify courses and sections
- Access and modify other users' profiles
This affects the integrity of the entire school management system.