generated from host-uk/core-template
Open
Labels: lang:php, PHP/Laravel
Description
The DevController calls the $this->authorize() method, which does not appear to be defined on the controller or inherited from its parents, so the intended authorization checks may be bypassed.
Location
- File: src/Controllers/DevController.php
- Lines: 45, 72, 88
Issue
Multiple controller methods call $this->authorize() without a policy or gate check:
- routes() method line 45
- session() method line 72
- clear() method line 88
For those calls to work, the Controller base class or one of its parents must provide this method. If it is not properly defined, the calls could:
- Throw a runtime error
- Silently pass if defined as a no-op
- Not enforce the intended authorization
Notably, the logs() method does NOT call authorize() at all, which is inconsistent with the other methods.
Recommendation
- Verify the authorize() method exists in the parent Controller class
- Ensure it performs proper Hades tier validation
- Add authorize() call to logs() method for consistency
- Consider using explicit middleware or policy checks instead
Severity
High - If authorize() does not work as intended, sensitive endpoints may be unprotected
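To make the failure mode concrete, the following added example (not code from the reported project) shows a controller whose base class omits Laravel's `AuthorizesRequests` trait, the source of `authorize()` in framework controllers, beside a hardened controller that inherits the trait, registers the gate, and covers every action with middleware. The gate name `access-dev-tools` and the `tier` attribute on the user are assumptions.

```php
<?php
// Added example, not code from the reported project: a minimal reproduction of
// the failure mode beside a hardened controller. The gate name 'access-dev-tools'
// and the User 'tier' attribute are assumptions.

namespace App\Http\Controllers;

use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Routing\Controller as BaseController;
use Illuminate\Support\Facades\Gate;

// Risky shape: the app's base controller omits Laravel's AuthorizesRequests
// trait, so no subclass inherits authorize().
class Controller extends BaseController
{
}

class VulnerableDevController extends Controller
{
    public function routes()
    {
        // Throws Error "Call to undefined method ... authorize()" (HTTP 500);
        // if someone later adds an empty authorize() stub, the call passes silently.
        $this->authorize('access-dev-tools');
        return response()->json(['routes' => []]);
    }
}

// Hardened shape: the trait makes authorize() delegate to Gate::authorize(),
// and a controller-wide middleware covers every action, including logs().
class HardenedDevController extends BaseController
{
    use AuthorizesRequests;

    public function __construct()
    {
        $this->middleware('can:access-dev-tools');
    }

    public function logs()
    {
        $this->authorize('access-dev-tools'); // AuthorizationException -> 403 when denied
        return response()->json(['logs' => []]);
    }
}

// Register the ability once (normally in AuthServiceProvider::boot()).
// Gate::authorize() on an undefined ability denies, so a misspelled name fails closed.
Gate::define('access-dev-tools', fn ($user) => $user->tier === 'hades');
```

A cheap regression check for the first recommendation is a unit test asserting `method_exists(DevController::class, 'authorize')`, which catches a base class that silently drops the trait.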