Critical: MyEventsController has no authentication, systemic IDOR, and SQL injection #22

@lighthousekeeper1212

Summary

Systemic authorization failures across the application. The most critical: MyEventsController applies no authentication middleware, making all event management endpoints accessible to unauthenticated users. Combined with IDOR and SQL injection.

Finding 1: CRITICAL - MyEventsController Has No Auth Middleware

File: src/Http/Controllers/MyEventsController.php, lines 34-44

The constructor only applies common middleware (locale), NOT auth:

public function __construct()
{
    $this->middleware('common');  // Only locale, NO auth!
}

ALL event management endpoints are unauthenticated: create/edit events, upload media, set locations/timings/SEO, publish events, delete images.

Finding 2: CRITICAL - get_user_event() Does Not Filter by User

File: src/Models/Event.php, lines 46-51

Despite the method name, it fetches ANY event by ID without user filtering:

public function get_user_event($event_id = null)
{
    return Event::select('events.*')->from('events')
                ->where(['id' => $event_id])
                ->first();  // No user_id filter!
}

The events table has no user_id column, making per-user scoping impossible at the database level.

Finding 3: CRITICAL - Unauthenticated User Enumeration

File: src/Http/Controllers/BookingsController.php, line 30

get_customers is explicitly excluded from auth: $this->middleware('auth')->except('get_customers'). Any unauthenticated user can search users by email and get back name + ID.

Finding 4: HIGH - SQL Injection in Event Search

File: src/Models/Event.php, lines 81-82

Direct string concatenation in whereRaw():

->whereRaw("( title LIKE '%".$params['search']."%' OR venue LIKE '%".$params['search']."%' ...)");

Finding 5: HIGH - Mass Assignment on Event, Booking, and User Models

All three models use $guarded = [] (no protection). Combined with IDOR, attackers can modify any column on any event via updateOrCreate.

Finding 6: MEDIUM - Open Redirect

File: src/Http/Controllers/EventmieController.php, line 89

return redirect($_SERVER['HTTP_REFERER']) - unvalidated redirect.

Finding 7: MEDIUM - Zero Authorization Policies

No Policy classes exist in the entire codebase. No Gates, no authorize() calls in front-end controllers.

Recommended Fix

  1. Add auth middleware to MyEventsController
  2. Add user_id column to events table and filter by authenticated user
  3. Remove except('get_customers') from BookingsController
  4. Use parameterized queries instead of whereRaw() with concatenation
  5. Replace $guarded = [] with explicit $fillable arrays
  6. Add authorization policies for Event, Booking models
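One way the recommended fixes fit together, as an added example in the project's own language (Laravel PHP). This is not the project's code and is not part of the report above. It assumes Laravel's constructor-style middleware, a migration that has already added a non-nullable `user_id` column to `events`, the column names `title`, `venue` and `description`, a `users` table, and a route named `myevents.edit`; all of those are assumptions for illustration.

```php
<?php
// Added example, not the project's code. Two namespaces in one file are
// used only so the model and controller can be read side by side.

namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;

class Event extends Model
{
    // Finding 5: an explicit allow-list instead of $guarded = [].
    // user_id is deliberately absent: it is set from the session, never from input.
    protected $fillable = ['title', 'venue', 'description'];

    // Finding 2: every single-event lookup is scoped to the owner.
    // firstOrFail() turns someone else's ID into a 404 instead of a leak.
    public static function ownedBy(int $userId, int $eventId): self
    {
        return static::where('id', $eventId)
            ->where('user_id', $userId)
            ->firstOrFail();
    }

    // Finding 4: the search term travels as a query binding, never by string
    // concatenation. % and _ are escaped so the caller cannot widen the LIKE.
    public function scopeSearch(Builder $query, ?string $term): Builder
    {
        if ($term === null || $term === '') {
            return $query;
        }
        $pattern = '%' . addcslashes($term, '%_\\') . '%';

        return $query->where(function (Builder $q) use ($pattern) {
            $q->where('title', 'like', $pattern)
              ->orWhere('venue', 'like', $pattern);
        });
    }
}

namespace App\Policies;

use App\Models\Event;
use App\Models\User;

// Finding 7: a policy gives a second, explicit authorization check that
// survives even if a future query forgets the user_id filter.
class EventPolicy
{
    public function update(User $user, Event $event): bool
    {
        return $event->user_id === $user->id;
    }
}

namespace App\Http\Controllers;

use App\Models\Event;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\View\View;

class MyEventsController extends Controller
{
    public function __construct()
    {
        $this->middleware('common');
        $this->middleware('auth'); // Finding 1: every action requires a login
    }

    public function index(Request $request): View
    {
        $events = Event::where('user_id', $request->user()->id)
            ->search($request->query('search'))
            ->get();

        return view('myevents.index', ['events' => $events]);
    }

    public function update(Request $request, int $eventId): RedirectResponse
    {
        // Owner-scoped load (Finding 2) plus the policy (Finding 7).
        $event = Event::ownedBy($request->user()->id, $eventId);
        $this->authorize('update', $event);

        // Validated, allow-listed input only; nothing here can reach user_id
        // or any column outside $fillable (Finding 5).
        $data = $request->validate([
            'title'       => ['required', 'string', 'max:255'],
            'venue'       => ['required', 'string', 'max:255'],
            'description' => ['nullable', 'string'],
        ]);
        $event->fill($data)->save();

        // Finding 6: redirect to a known route, not to $_SERVER['HTTP_REFERER'].
        // Note that redirect()->back() also reads the Referer, so it is not a fix.
        return redirect()->route('myevents.edit', ['event' => $event->id]);
    }
}
```

The policy must still be registered (in `AuthServiceProvider::$policies`, or by Laravel's auto-discovery for `App\Policies\EventPolicy` next to `App\Models\Event`) for `$this->authorize()` to resolve it. The same two lines of constructor middleware, without an `except()` clause, are all that Finding 3 needs in `BookingsController`.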
