
Security: Self-registration grants full admin + unauthenticated site settings + checkout routes #188

@lighthousekeeper1212

Description

Summary

A security audit identified 9 authorization vulnerabilities (3 Critical, 4 High, 2 Medium) in velstore.

Critical Findings

1. Self-Registration Grants Full Admin Access (CRITICAL)

routes/web.php:44: Auth::routes() enables registration. The admin panel (/admin/*) only uses middleware('auth') with no role check. Any self-registered user gets full admin access to products, orders, vendors, customers, settings, and payment gateways.

2. Site Settings Routes Outside Auth Middleware (CRITICAL)

routes/web.php:158-160 — Three site settings routes are defined OUTSIDE the admin middleware group:

Route::get('site-settings', ...);
Route::get('site-settings/edit', ...);
Route::put('site-settings/update', ...);

Any anonymous user can view and modify all site settings (site name, meta tags, contact info, footer).

3. Checkout + Stripe Routes Unauthenticated (CRITICAL)

routes/store.php:43-44,81 — Checkout and Stripe routes have no auth. The Stripe endpoint creates a hardcoded $10.00 payment intent regardless of cart contents and returns the Stripe key.

HIGH Findings

  • Review submission (store.php:49) — No auth, reviews auto-approved (is_approved => 1)
  • Mass assignment in review update — $request->all() allows overwriting customer_id, product_id
  • Vendor cross-deletion — Vendor can delete entire multi-vendor order (not just own line items)
  • Wrong auth guard in checkout — Uses Auth::id() (web guard) instead of customer guard, orders get null user

Recommended Fixes

  1. Disable registration or add role middleware: Auth::routes(['register' => false])
  2. Move site settings routes inside the admin middleware group
  3. Add auth.customer middleware to checkout/payment routes
  4. Tie Stripe payment amount to actual cart total
  5. Scope vendor order deletion to only their line items

Disclosure

Filed in good faith. No exploit code provided.
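The five recommended fixes above, written out as one Laravel routing and controller excerpt. This is an added example for readers of the issue, not code from the report or from velstore: the controller class names, the `access-admin` gate and `is_admin` flag, the `customer` and `vendor` guards, and the cart/order column names are all assumptions; `auth.customer` is taken from the report and is assumed to be registered as a middleware alias in the HTTP kernel.

```php
<?php
// Added example (not velstore's code). Everything named here that is not in the
// issue text (controller classes, gate name, guard names, column names) is assumed.
// In a real project the routes and the two controllers live in separate files.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;
use Illuminate\Routing\Controller;

// Fix 1: keep login/logout/password routes, drop self-registration.
Auth::routes(['register' => false]);

// Fix 1 (continued): a role check the admin group enforces on top of 'auth'.
// Assumption: the users table carries an is_admin boolean.
Gate::define('access-admin', fn ($user) => (bool) $user->is_admin);

// Fixes 1 and 2: every admin route, site settings included, sits inside one
// group that requires an authenticated user who also passes the gate.
Route::prefix('admin')->middleware(['auth', 'can:access-admin'])->group(function () {
    Route::get('site-settings', [App\Http\Controllers\Admin\SiteSettingController::class, 'index']);
    Route::get('site-settings/edit', [App\Http\Controllers\Admin\SiteSettingController::class, 'edit']);
    Route::put('site-settings/update', [App\Http\Controllers\Admin\SiteSettingController::class, 'update']);
});

// Fix 3: checkout, payment and review submission require a logged-in customer.
Route::middleware('auth.customer')->group(function () {
    Route::get('checkout', [StoreCheckoutController::class, 'index']);
    Route::post('stripe/payment-intent', [StoreCheckoutController::class, 'createIntent']);
    Route::post('reviews', [StoreCheckoutController::class, 'storeReview']);
});

class StoreCheckoutController extends Controller
{
    // Fix 4 (and the guard finding): the amount is derived from the customer's
    // cart, the customer comes from the customer guard, and only the client
    // secret is returned to the browser.
    public function createIntent(Request $request)
    {
        $customer = Auth::guard('customer')->user();               // not Auth::id() (web guard)
        $cart = App\Models\Cart::where('customer_id', $customer->id)->with('items')->firstOrFail();

        // Sum in integer cents per line to avoid float drift on the total.
        $totalCents = 0;
        foreach ($cart->items as $item) {
            $totalCents += (int) round($item->price * 100) * (int) $item->quantity;
        }
        abort_if($totalCents <= 0, 422, 'Cart is empty');

        $intent = \Stripe\PaymentIntent::create([
            'amount'   => $totalCents,                              // no hard-coded 1000
            'currency' => 'usd',
            'metadata' => ['customer_id' => $customer->id],
        ]);

        return response()->json(['client_secret' => $intent->client_secret]);
    }

    // HIGH findings 1 and 2: validated fields only (no $request->all()), the
    // customer id comes from the guard, and new reviews are not auto-approved.
    public function storeReview(Request $request)
    {
        $data = $request->validate([
            'product_id' => ['required', 'integer', 'exists:products,id'],
            'rating'     => ['required', 'integer', 'between:1,5'],
            'comment'    => ['nullable', 'string', 'max:2000'],
        ]);
        $data['customer_id'] = Auth::guard('customer')->id();
        $data['is_approved'] = 0;

        return App\Models\Review::create($data);
    }
}

class VendorOrderController extends Controller
{
    // Fix 5: a vendor removes only its own line items from a multi-vendor order.
    // Assumption: order_items has a vendor_id column.
    public function destroyOwnItems(Request $request, App\Models\Order $order)
    {
        $vendorId = Auth::guard('vendor')->id();
        $deleted = $order->items()->where('vendor_id', $vendorId)->delete();
        abort_if($deleted === 0, 403, 'No line items belonging to this vendor');

        return response()->noContent();
    }
}
```

The two route groups are the whole point of fixes 1 to 3: a route that is not inside a middleware group is reachable by anyone, so the check is structural (is every sensitive route inside the group?) rather than per-handler. `php artisan route:list --middleware` is a quick way to confirm after the change that no `admin/*` or checkout route is listed without `auth` or `auth.customer`.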
