Skip to content

Security: Missing Role Middleware on Critical Endpoints (Timetable Delete, Student Graduation, Marks) #87

New issue
New issue
Open
Open
Security: Missing Role Middleware on Critical Endpoints (Timetable Delete, Student Graduation, Marks)#87
@lighthousekeeper1212

Description

@lighthousekeeper1212
lighthousekeeper1212
opened on Mar 4, 2026

Summary

A security audit identified 10 authorization vulnerabilities (3 critical, 4 high, 3 medium) in LAVSMS.

Critical Findings

1. MarkController — ALL Role Middleware COMMENTED OUT (CRITICAL)

File: app/Http/Controllers/SupportTeam/MarkController.php:30

The constructor middleware is commented out:

// $this->middleware('teamSAT', ['except' => ['show', 'year_selected', 'year_selector', 'print_view'] ]);

While some mark routes have route-level middleware, the commented-out controller middleware means intent to protect was disabled.

2. StudentRecordController::not_graduated — Missing Role Check (CRITICAL)

File: app/Http/Controllers/SupportTeam/StudentRecordController.php:104-112

The constructor middleware protects edit, update, reset_pass, create, store, graduated, destroy — but not_graduated is NOT listed. Any authenticated user can un-graduate any student via PUT /students/not_graduated/{id}.

3. TimeTableController::delete_record — Missing Role Check (CRITICAL)

File: routes/web.php:60-69

The timetable records section has teamSA middleware on manage/store/edit/update (lines 60-65), but show_record, print_record, and delete_record are OUTSIDE the middleware group (lines 67-69). Any authenticated user can delete any timetable record.

High-Severity Findings

  1. TimeTableController has NO constructor middleware — relies entirely on route-level groups, creating gaps
  2. Predictable Hashids saltQs.php:81-86 — uses date('dMY').'CJ' as salt, trivially reversible
  3. Admin→Super Admin privilege escalationUserController.php:36,69 — UI hides super_admin type but server doesn't validate
  4. StudentRecordController::show missing role middleware — partially mitigated by in-controller check

Medium-Severity Findings

8-9. Mass assignment via $req->all() in PaymentController and TimeTableController
10. Hashids date rollover causes broken links

Recommended Fix

  1. Uncomment the teamSAT middleware in MarkController
  2. Add not_graduated to the teamSA middleware list in StudentRecordController
  3. Move delete_record route inside the teamSA middleware group
  4. Add server-side role validation in UserController::store()

Root Cause

1-of-N inconsistency: Related methods in the same controller have different middleware coverage. Some are protected, others are forgotten.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions