Summary
Multiple Livewire components lack server-side authorization checks, allowing any authenticated user to perform admin operations and manipulate other users' data.
Findings
1. Admin privilege escalation via RolesDialog (HIGH)
All administration routes (/administration/*) are protected only by auth middleware — no permission checks. The RolesDialog Livewire component's save() method creates/modifies roles with syncPermissions() and no authorization check. Any authenticated user can navigate to /administration/roles and grant themselves all permissions.
Files: routes/web.php lines 62-72, app/Http/Livewire/Administration/RolesDialog.php
2. Ticket field modification without ownership or permission checks (HIGH)
Six TicketDetails sub-components (Content.php, Title.php, Status.php, Priority.php, Type.php, Responsible.php) perform no authorization in save(). The CanAccessTicket middleware only gates page load, not Livewire method invocations. In contrast, Kanban.php correctly checks can('Update all tickets') and can('Update own tickets') — classic 1-of-N inconsistency.
3. Comment edit/delete IDOR (HIGH)
TicketDetailsCommentsContent.php — updateComment(), save(), and doDeleteComment() accept arbitrary comment IDs without ownership check. Blade template restricts buttons to owners, but Livewire methods are directly callable via POST to /livewire/message.
4. All admin Livewire components lack authorization (HIGH)
UsersDialog, CompaniesDialog, TicketPrioritiesDialog, TicketStatusesDialog, TicketTypesDialog — none check permissions in save() or doDelete*().
5. Project IDOR (MEDIUM)
ProjectsDialog.php — save() and doDeleteProject() don't verify ownership.
Root Cause
The application relies exclusively on UI-level permission enforcement (navigation menu visibility, Blade @if conditions). Livewire methods are directly callable via HTTP POST, bypassing all UI restrictions.
Recommended Fix
Add $this->authorize() or auth()->user()->can() checks to every Livewire component action method (save(), doDelete*(), updateComment(), etc.), matching the pattern already used in Kanban.php, and add can: middleware to the administration routes.
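An added example of the recommended pattern (not the project's own code): a hardened TicketDetails Title component whose save() applies the same "Update all tickets" / "Update own tickets" checks the report cites from Kanban.php before writing. The Ticket model's owner_id column, the property names and the view name are assumptions for illustration.

```php
<?php
// Added example, not the project's code. Permission names come from the
// report; the Ticket model's owner_id column, the $title property and the
// view name are assumptions. The check runs on every Livewire call to save(),
// so a direct POST to /livewire/message hits the same gate as the UI.

namespace App\Http\Livewire\TicketDetails;

use App\Models\Ticket;
use Livewire\Component;

class Title extends Component
{
    public Ticket $ticket;
    public string $title = '';

    public function mount(Ticket $ticket): void
    {
        $this->ticket = $ticket;
        $this->title = $ticket->title;
    }

    // Server-side authorization: 403 unless the user may update all tickets,
    // or owns this ticket and may update their own. Blade @if only hides buttons.
    private function authorizeUpdate(): void
    {
        $user = auth()->user();
        $ownsTicket = $this->ticket->owner_id === $user->id; // owner_id assumed

        abort_unless(
            $user->can('Update all tickets')
                || ($ownsTicket && $user->can('Update own tickets')),
            403
        );
    }

    public function save(): void
    {
        $this->authorizeUpdate(); // reject before any validation or write
        $this->validate(['title' => 'required|string|max:255']);

        $this->ticket->update(['title' => $this->title]);
    }

    public function render()
    {
        return view('livewire.ticket-details.title');
    }
}
```

The same private check can be reused verbatim in the other five sub-components (Content, Status, Priority, Type, Responsible), and the comment and admin dialogs need an equivalent ownership or permission gate at the top of each action method.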