
Security: Multi-school isolation bypass via assignment operator bugs in Policies + missing authorization #413

@lighthousekeeper1212


Summary

Multiple authorization vulnerabilities allow cross-school data access and unauthorized operations.

Finding 1: Assignment operator (=) instead of comparison (==) in Policies

UserPolicy.php line 96:

if ($user->can('lock user account') && $model->school_id = $user->school_id) {

Uses = (assignment) instead of == (comparison): the condition evaluates to the assigned value rather than to the result of a comparison, so it is always true and the multi-school isolation check is bypassed (as a side effect, $model->school_id is overwritten with the caller's school_id).

SchoolPolicy.php line 28:

if ($user->can('read school') && $user->school_id = $school->id) {

Same bug. Compare with update() at line 53, which correctly uses ==.
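The two checks above reduced to a stand-alone PHP script, added here as an example and not taken from the issue or the project's code. The User and Model classes are minimal stand-ins for the Eloquent models, and the ability string is the one quoted from UserPolicy.

```php
<?php
// Added example, not code from the reported project. Minimal stand-ins for the
// Eloquent models so the policy checks can run without Laravel (PHP 8.0+).
declare(strict_types=1);

final class User
{
    public function __construct(public int $id, public int $school_id, private array $abilities) {}

    public function can(string $ability): bool
    {
        return in_array($ability, $this->abilities, true);
    }
}

final class Model
{
    public function __construct(public int $id, public int $school_id) {}
}

// Mirrors the shape of the reported check: a single '=' inside the condition.
// PHP parses this as  can(...) && ($model->school_id = $user->school_id),
// so the right-hand side is assigned and the condition is its (truthy) value.
function buggyCanLock(User $user, Model $model): bool
{
    if ($user->can('lock user account') && $model->school_id = $user->school_id) {
        return true;
    }
    return false;
}

// Corrected check: strict comparison, no assignment, no side effect on the model.
function fixedCanLock(User $user, Model $model): bool
{
    return $user->can('lock user account') && $model->school_id === $user->school_id;
}

// Constructed scenario: an admin of school 10 tries to lock an account in school 20.
$admin = new User(id: 1, school_id: 10, abilities: ['lock user account']);

$target = new Model(id: 42, school_id: 20);
$buggy = buggyCanLock($admin, $target);
printf("buggy: allowed=%s, model->school_id now %d\n", var_export($buggy, true), $target->school_id);

$target = new Model(id: 42, school_id: 20);
$fixed = fixedCanLock($admin, $target);
printf("fixed: allowed=%s, model->school_id still %d\n", var_export($fixed, true), $target->school_id);
```

Run with php: the buggy variant reports the cross-school lock as allowed and the model's school_id has silently become 10, while the fixed variant denies it and leaves the model untouched. This defect is also mechanically detectable: PHP_CodeSniffer's Generic.CodeAnalysis.AssignmentInCondition sniff flags an assignment inside an if condition, which is a cheap CI check to add alongside the fix.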

Finding 2: Missing authorization on custom controller actions

  • SubjectController::assignTeacher() (line 97): No $this->authorize() call. authorizeResource() in constructor only covers standard CRUD methods.
  • GraduationController::resetGraduation() (line 59): No authorization. Siblings index(), graduateView(), graduate() all call $this->authorize().

Finding 3: Missing school isolation in Policies

  • ExamRecordPolicy: view/update/delete methods are empty (return null), so there is no school_id check.
  • TimetableTimeSlotPolicy: create/update/delete check the capability but never verify that the resource belongs to the user's school.

Suggested Fix

  1. Change = to == in UserPolicy line 96 and SchoolPolicy line 28
  2. Add $this->authorize() to SubjectController::assignTeacher and GraduationController::resetGraduation
  3. Add school_id checks to ExamRecordPolicy and TimetableTimeSlotPolicy
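How fixes 2 and 3 look in Laravel, as an added illustration rather than the project's code. It assumes Laravel's policy and controller authorization helpers; the ExamRecord and Subject model names are taken from the report, while the ability strings, the assignTeacher policy method and the teacher_id column are placeholders.

```php
<?php
// Added illustration, not the reported project's code. Assumes Laravel's policy
// and controller authorization helpers; ability strings and columns are placeholders.

namespace App\Policies {
    use App\Models\ExamRecord;
    use App\Models\Subject;
    use App\Models\User;

    class ExamRecordPolicy
    {
        // Tenant check shared by every per-record ability (fix 3). Casting both
        // sides to int keeps === meaningful when an id arrives as a string.
        private function sameSchool(User $user, ExamRecord $record): bool
        {
            return (int) $user->school_id === (int) $record->school_id;
        }

        public function view(User $user, ExamRecord $record): bool
        {
            return $user->can('read exam record') && $this->sameSchool($user, $record);
        }

        public function update(User $user, ExamRecord $record): bool
        {
            return $user->can('update exam record') && $this->sameSchool($user, $record);
        }

        public function delete(User $user, ExamRecord $record): bool
        {
            return $user->can('delete exam record') && $this->sameSchool($user, $record);
        }
    }

    class SubjectPolicy
    {
        // Ability backing the custom controller action (fix 2): capability plus
        // tenant check, written with == as in the report's correct update() example.
        public function assignTeacher(User $user, Subject $subject): bool
        {
            return $user->can('assign teacher') && $subject->school_id == $user->school_id;
        }
    }
}

namespace App\Http\Controllers {
    use App\Models\Subject;
    use Illuminate\Http\Request;

    class SubjectController extends Controller
    {
        public function __construct()
        {
            // Only maps index/show/create/store/edit/update/destroy to policy methods.
            $this->authorizeResource(Subject::class, 'subject');
        }

        public function assignTeacher(Request $request, Subject $subject)
        {
            // Custom action: authorizeResource() does not reach it, so authorize
            // explicitly. Throws AuthorizationException (HTTP 403) when
            // SubjectPolicy::assignTeacher returns false.
            $this->authorize('assignTeacher', $subject);

            $subject->teacher_id = (int) $request->input('teacher_id');
            $subject->save();

            return redirect()->back();
        }
    }
}
```

The same pattern applies to GraduationController::resetGraduation and TimetableTimeSlotPolicy: every custom action gets an explicit authorize() call, and every policy method that receives a model instance compares its school_id to the user's before returning true.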
