Skip to content

fix(security): authorize all Livewire write methods (33 forms)#61

Merged
escapeboy merged 1 commit intodevelopfrom
fix/livewire-authorize-rest
May 4, 2026
Merged

fix(security): authorize all Livewire write methods (33 forms)#61
escapeboy merged 1 commit intodevelopfrom
fix/livewire-authorize-rest

Conversation

@escapeboy
Copy link
Copy Markdown
Owner

@escapeboy escapeboy commented May 4, 2026

Summary

Closes the remaining 33 Livewire forms that had save()/write methods without Gate::authorize. Companion to yesterday's fix(security) commit which fixed 2 forms (EditProjectForm + GitRepositoryDetailPage); this commit closes the rest.

Why

In community edition all gates return true (single-team mode). In cloud, CloudServiceProvider overrides:

  • edit-content\$user->teamRole(\$team)->canEdit()
  • manage-team\$user->teamRole(\$team)->canManageTeam()

Without Gate::authorize on Livewire write methods, a cloud team's viewer-role member could submit form POST and mutate team-owned data. Routes are auth-protected but role differentiation was never checked.

Scope

35 Livewire write methods across 33 forms gated:

edit-content (domain content): Agents, Chatbots, Credentials, Crews, Email themes/templates, Git repos, Integrations, Projects, Signal connector setup (rotate/save secret), Skills, Telegram bots, Tools, Toolsets, Triggers, Websites, Workflows.

manage-team (team config): Outbound connectors (SMTP, webhook, notifications, WhatsApp), connector setup secrets.

Tests

  • 3065 base tests pass
  • 6 pre-existing SocialLoginTest failures unchanged (unrelated to sprint, was failing on master before this branch)
  • Pint clean
  • PHPStan clean (no baseline regenerated)

Test plan

  • CI green
  • Existing tests still pass
  • Cloud manual smoke: viewer role gets 403 on save form, owner/admin proceeds normally

🤖 Generated with Claude Code

@escapeboy @claude
fix(security): authorize all 35 Livewire write methods across 33 forms
8312ff3 
Adds Gate::authorize('edit-content') or Gate::authorize('manage-team')
at the top of every public write method on Livewire components that
previously executed without role enforcement. Cloud's role-based gates
checked the user's team role canEdit()/canManageTeam(); without
authorize(), a viewer-role member could submit form POST and mutate
team-owned domain entities.

Scope:
- Domain content forms (edit-content): Telegram bots, Chatbots,
  Skills, Email themes/templates, Toolsets, Websites, Credentials,
  Crews, Tools, Triggers, Agents, Projects, Workflows, Integrations,
  Git repositories, Signal connector setup.
- Team config forms (manage-team): outbound connectors, webhook
  endpoints, signal connector secrets.

Base community gate returns true (single-team mode), so this is a
no-op there. Cloud gate enforces real role checks.

Methods covered: save, delete, toggleStatus, activate, pause, resume,
archive, restart, triggerRun, addPage, deletePage, publishPage,
unpublishPage, publishWebsite, unpublishWebsite, deleteWebsite,
deployWebsite, saveContent, saveSettings, saveCredentials, saveGraph,
saveProxyCredential, saveMemberPolicy, saveTelegramChannel, saveEdit,
publishPage, generateToken, revokeToken, approveCredential,
rejectCredential, rotateSecret, savePastedSecret, setAsDefault,
generateFromPrompt, testConnection, testTrigger, disconnect,
connect, connectOAuth, syncNow, deleteSkill, deleteTheme,
deleteTemplate, deleteCrew, deleteTool, deleteTelegramChannel,
toggleTelegramChannel, toggleActive (webhook).

UI-only methods (cancelEdit, removeRow, toggleWorker pre-save,
updatedSearch) intentionally not gated — no DB writes.

Tests: 3065 pass, 6 pre-existing SocialLoginTest failures unchanged
(unrelated to this sprint). Pint clean. PHPStan clean (no baseline
regenerated).

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
@escapeboy escapeboy merged commit 837044f into develop May 4, 2026
2 checks passed
@escapeboy escapeboy deleted the fix/livewire-authorize-rest branch May 4, 2026 12:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@escapeboy