Summary
Multiple critical authorization vulnerabilities allow unauthenticated issue manipulation and systemic cross-project data access by any authenticated worker.
Findings
1. Unauthenticated issue option mutation (CRITICAL)
routes/web/projects.php line 113 — PATCH issues/{issue}/options is defined outside all middleware groups. No auth middleware, no $this->authorize(). Any user (including unauthenticated, with CSRF token) can change priority, status, and assigned person of any issue.
2. Unauthenticated issue comment routes (HIGH)
routes/web/projects.php lines 118-120 — Issue comment store/update/destroy routes are outside all middleware groups.
3. Missing authorization on Job update/delete/destroy (HIGH)
JobsController.php — update(), destroy(), tasksReorder() have no $this->authorize(). JobPolicy::update() and JobPolicy::delete() exist (require admin) but are never invoked. Compare with show() and edit() which DO call $this->authorize('view', $job) — classic 1-of-N.
4. Missing authorization on all Task mutations (HIGH)
Projects/TasksController.php — Zero $this->authorize() calls. TaskPolicy exists with admin-only create/delete but is never used.
5. Missing authorization on Issue CRUD (HIGH)
Projects/IssueController.php — No authorize calls in any of 7 methods.
6. Missing authorization on Project Jobs (HIGH)
Projects/JobsController.php — No authorize calls. Any worker can create/view jobs in any project.
7. File IDOR (MEDIUM)
Projects/FilesController.php — show(), update(), destroy() have no ownership check.
8. Activity log exposure & API bypass (MEDIUM)
Projects/ActivityController.php and Api/ProjectsController.php bypass worker scoping.
Root Cause
Laravel Policies are defined but never invoked by controllers. Issue routes are accidentally placed outside the middleware group closure.
Recommended Fix
- Move issue option/comment routes inside the auth middleware group
- Add $this->authorize() calls in all controller methods matching existing policies
- Scope API queries to authorized projects for worker role
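Added illustration of the three recommended fixes, not the audited project's own code. The route paths, controller method names and policy names (JobPolicy::update/delete, TaskPolicy) are taken from the findings above; the controller class names for the issue routes, the request class, the Project::workers() relation and the isAdmin() helper are assumptions introduced here for the example.

```php
<?php
// Added example: hardened versions of the code paths named in the report.
// Class names IssueOptionsController / IssueCommentsController, UpdateJobRequest,
// Project::workers() and User::isAdmin() are assumptions for illustration only.

use Illuminate\Support\Facades\Route;

// --- Fix 1: routes/web/projects.php ---------------------------------------
// The issue option and comment routes now live INSIDE the auth group closure,
// so an unauthenticated request is redirected/rejected before reaching the controller.
Route::middleware(['web', 'auth'])->group(function () {
    Route::patch('issues/{issue}/options', [IssueOptionsController::class, 'update'])
        ->name('issues.options.update');

    Route::post('issues/{issue}/comments', [IssueCommentsController::class, 'store']);
    Route::patch('comments/{comment}', [IssueCommentsController::class, 'update']);
    Route::delete('comments/{comment}', [IssueCommentsController::class, 'destroy']);
});

// --- Fix 2: JobsController.php -------------------------------------------
// Every mutating method invokes the policy that already exists; previously only
// show() and edit() did, which is the "1-of-N" gap described in finding 3.
class JobsController extends Controller
{
    public function update(UpdateJobRequest $request, Job $job)
    {
        $this->authorize('update', $job);      // JobPolicy::update() -> 403 for non-admins
        $job->update($request->validated());
        return redirect()->route('jobs.show', $job);
    }

    public function destroy(Job $job)
    {
        $this->authorize('delete', $job);      // JobPolicy::delete()
        $job->delete();
        return redirect()->route('jobs.index');
    }

    public function tasksReorder(UpdateJobRequest $request, Job $job)
    {
        // Reordering tasks mutates the job, so it is gated exactly like update().
        $this->authorize('update', $job);
        foreach ($request->validated()['order'] as $position => $taskId) {
            $job->tasks()->whereKey($taskId)->update(['position' => $position]);
        }
        return response()->noContent();
    }
}

// --- Fix 3: Api/ProjectsController.php -----------------------------------
// Workers only ever receive projects they are assigned to; admins keep full access.
class ProjectsController extends Controller
{
    public function index(Request $request)
    {
        $user = $request->user();

        $projects = $user->isAdmin()
            ? Project::query()
            : Project::whereHas('workers', fn ($q) => $q->where('users.id', $user->id));

        return ProjectResource::collection($projects->get());
    }

    public function show(Request $request, Project $project)
    {
        // Same scoping on single-resource access so an id guessed from another
        // project (the IDOR pattern in finding 7) returns 403 instead of data.
        $user = $request->user();
        abort_unless(
            $user->isAdmin() || $project->workers()->whereKey($user->id)->exists(),
            403
        );
        return new ProjectResource($project);
    }
}
```

Verifying the fix is a matter of two checks per route: an unauthenticated request to each formerly exposed path must now be rejected (302 to login for web routes, 401 for API), and a non-admin worker calling a mutating method must receive 403 from the policy. A feature test that iterates over every route in routes/web/projects.php and asserts that each is covered by the auth middleware catches regressions of the route-placement mistake described under Root Cause.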