Description
Summary
Multiple Livewire components lack server-side authorization checks, allowing any authenticated user to perform admin operations and manipulate other users' data.
Findings
1. Admin privilege escalation via RolesDialog (HIGH)
All administration routes (/administration/*) are protected only by auth middleware — no permission checks. The RolesDialog Livewire component's save() method creates/modifies roles with syncPermissions() and no authorization check. Any authenticated user can navigate to /administration/roles and grant themselves all permissions.
Files: routes/web.php lines 62-72, app/Http/Livewire/Administration/RolesDialog.php
2. Ticket field modification without ownership or permission checks (HIGH)
Six TicketDetails sub-components (Content.php, Title.php, Status.php, Priority.php, Type.php, Responsible.php) perform no authorization in save(). The CanAccessTicket middleware only gates page load, not Livewire method invocations. In contrast, Kanban.php correctly checks can('Update all tickets') and can('Update own tickets') — classic 1-of-N inconsistency.
3. Comment edit/delete IDOR (HIGH)
TicketDetailsCommentsContent.php — updateComment(), save(), and doDeleteComment() accept arbitrary comment IDs without ownership check. Blade template restricts buttons to owners, but Livewire methods are directly callable via POST to /livewire/message.
4. All admin Livewire components lack authorization (HIGH)
UsersDialog, CompaniesDialog, TicketPrioritiesDialog, TicketStatusesDialog, TicketTypesDialog — none check permissions in save() or doDelete*().
5. Project IDOR (MEDIUM)
ProjectsDialog.php — save() and doDeleteProject() don't verify ownership.
Root Cause
The application relies exclusively on UI-level permission enforcement (navigation menu visibility, blade @if conditions). Livewire methods are directly callable via HTTP POST, bypassing all UI restrictions.
Recommended Fix
Add $this->authorize() or auth()->user()->can() checks to all Livewire component action methods, matching the pattern already used in Kanban.php. Add can: middleware to administration routes.
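The following is an added illustration of that fix, not code from the project: two of the Livewire components named above rewritten so that every action method re-checks authorization on the server, plus the administration route group gated by a `can:` middleware. It assumes the Spatie laravel-permission package (implied by the `syncPermissions()` call in finding 1), a `user_id` owner column on the Ticket and TicketComment models, and a permission named 'Manage roles'; all three are assumptions, as is the exact shape of the check in Kanban.php, which the report only describes.

```php
<?php
// Added example, not the project's own code. Assumed: Spatie laravel-permission,
// a `user_id` column on Ticket and TicketComment, and an assumed permission
// name 'Manage roles'. Two component classes are shown in one file for brevity.

namespace App\Http\Livewire\TicketDetails;

use App\Models\Ticket;
use App\Models\TicketComment;
use Illuminate\Support\Facades\Route;
use Livewire\Component;

class Title extends Component
{
    public Ticket $ticket;
    public string $title = '';

    // Same rule the report credits to Kanban.php: 'Update all tickets' grants
    // access to any ticket, 'Update own tickets' only to the caller's own.
    private function assertCanUpdate(Ticket $ticket): void
    {
        $user = auth()->user();
        $allowed = $user->can('Update all tickets')
            || ($user->can('Update own tickets') && $ticket->user_id === $user->id);

        abort_unless($allowed, 403);
    }

    public function save(): void
    {
        // Re-check on every call: CanAccessTicket only ran when the page was
        // rendered, not for the later POST to /livewire/message.
        $this->assertCanUpdate($this->ticket);

        $this->validate(['title' => 'required|string|max:255']);
        $this->ticket->update(['title' => $this->title]);
    }
}

class CommentsContent extends Component
{
    public Ticket $ticket;

    // Ownership check for finding 3: resolve the comment through the current
    // ticket (so IDs from other tickets 404) and require the caller to own it.
    private function ownedComment(int $commentId): TicketComment
    {
        $comment = $this->ticket->comments()->findOrFail($commentId);
        abort_unless($comment->user_id === auth()->id(), 403);

        return $comment;
    }

    public function updateComment(int $commentId, string $content): void
    {
        $this->ownedComment($commentId)->update(['content' => $content]);
    }

    public function doDeleteComment(int $commentId): void
    {
        $this->ownedComment($commentId)->delete();
    }
}

// routes/web.php (assumed names): gate the whole administration group with a
// permission in addition to auth, so the page and the Livewire calls it hosts
// are both refused for users who lack it.
Route::middleware(['auth', 'can:Manage roles'])
    ->prefix('administration')
    ->group(function () {
        Route::get('/roles', \App\Http\Livewire\Administration\Roles::class)
            ->name('administration.roles');
    });
```

The same `abort_unless(auth()->user()->can('…'), 403)` guard belongs at the top of `save()` and every `doDelete*()` in RolesDialog, UsersDialog, CompaniesDialog and the ticket priority/status/type dialogs; the route middleware alone is not enough, because a Livewire method can be invoked without ever loading the page that embeds the component.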