Security: No Authentication Middleware on Admin Routes — Full Unauthenticated Access #96

@lighthousekeeper1212

Description

Summary

The admin panel routes are generated without any authentication middleware, allowing unauthenticated access to all admin operations including user creation with role assignment, CRUD generator with Artisan command execution, and settings manipulation.

Root Cause

src/LaravelAdminCommand.php:72-86 generates routes without any middleware:

Route::group(['prefix' => 'admin', 'namespace' => 'App\Http\Controllers\Admin'], function () {
    // ... all admin routes exposed without auth middleware
});

Findings

1. Unauthenticated User Creation with Role Assignment (CRITICAL)

publish/Controllers/Admin/UsersController.php:52-73 — store() creates users with $request->all() (mass assignment) and assigns roles without authentication.

2. Unauthenticated Artisan Command Execution (CRITICAL)

src/Controllers/ProcessController.php:32-117 — CRUD generator runs Artisan::call() for migrations, model/controller generation without authentication.

3. Unauthenticated Role/Permission Management (HIGH)

publish/Controllers/Admin/RolesController.php:51-55 — full CRUD on roles without auth.

4. Unauthenticated Settings Manipulation (HIGH)

publish/Controllers/Admin/SettingsController.php:51-65 — settings read/write without auth.

5. Mass Assignment (HIGH)

UsersController.php:63-66,129-135 passes $request->all() straight to the model on user create and update, so any column the client names in the request body is written, not only the fields the form is meant to expose.
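The following contrasts the store() shape described in findings 1 and 5 with a hardened version. This is an added example, not code from the project: the `roles()` relationship, the `roles` table, the `admin.users.index` route name and the `create` ability on the User policy are assumptions, since the issue does not state how the package models roles.

```php
<?php

namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rule;

class UsersController extends Controller
{
    // Before (shape described in the issue, reconstructed here, not the project's
    // exact code): no authorization, and every request field, including anything
    // the client adds such as a privilege flag, reaches User::create().
    public function storeUnsafe(Request $request)
    {
        $user = User::create($request->all());
        $user->roles()->sync($request->input('roles', []));   // roles() is assumed

        return redirect()->route('admin.users.index');
    }

    // After: the caller must be authorized, input is validated, only named
    // columns reach the model, and role ids must exist in the roles table.
    public function store(Request $request)
    {
        // Fails with 403 unless the current user may create users (assumed UserPolicy).
        Gate::authorize('create', User::class);

        $data = $request->validate([
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email', 'max:255', Rule::unique('users', 'email')],
            'password' => ['required', 'string', 'min:12'],
            'roles'    => ['sometimes', 'array'],
            'roles.*'  => ['integer', Rule::exists('roles', 'id')],   // assumed table
        ]);

        // Explicit attribute list: an extra "is_admin" or "role_id" in the
        // request body is simply ignored, regardless of the model's $fillable.
        $user = User::create([
            'name'     => $data['name'],
            'email'    => $data['email'],
            'password' => Hash::make($data['password']),
        ]);

        $user->roles()->sync($data['roles'] ?? []);

        return redirect()->route('admin.users.index');
    }
}
```

The update path at lines 129-135 needs the same treatment, with `Rule::unique('users', 'email')->ignore($user->id)` in place of the plain unique rule. Keeping `$fillable` on the User model restricted to non-privilege columns is a useful second layer, but it does not replace the explicit attribute list: a `$guarded = []` model, or a new column added later, silently widens what `$request->all()` can write.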

Recommended Fix

Add authentication and an admin-authorization middleware to the generated route group in src/LaravelAdminCommand.php. Note that `auth` alone only proves the caller is logged in; an additional role or permission check is still required before any authenticated user can reach the admin operations listed above:

Route::group(['prefix' => 'admin', 'middleware' => ['web', 'auth'], 'namespace' => 'App\Http\Controllers\Admin'], function () {
    // ... admin routes, now behind session + authentication middleware
});
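A hardened version of the generated group, the admin check it references, and a feature test that verifies both the guest and the non-admin case. This is an added example and not the project's code; it assumes a `User::hasRole()` method, a `/admin/users` URI and the default `/login` redirect of the `auth` middleware, none of which the issue states.

```php
<?php
// ---- routes emitted by src/LaravelAdminCommand.php (hardened form) ----

use App\Http\Middleware\EnsureUserIsAdmin;
use Illuminate\Support\Facades\Route;

Route::group([
    'prefix'     => 'admin',
    // 'web' supplies the session the 'auth' guard reads; 'auth' rejects guests;
    // EnsureUserIsAdmin rejects authenticated users who are not admins.
    'middleware' => ['web', 'auth', EnsureUserIsAdmin::class],
    'namespace'  => 'App\Http\Controllers\Admin',
], function () {
    Route::resource('users', 'UsersController');   // assumed URI /admin/users
    // ... remaining admin routes
});

// ---- app/Http/Middleware/EnsureUserIsAdmin.php ----

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureUserIsAdmin
{
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // hasRole() is assumed; substitute the package's own role check.
        if ($user === null || ! $user->hasRole('admin')) {
            abort(403);
        }

        return $next($request);
    }
}

// ---- tests/Feature/AdminRoutesRequireAuthTest.php ----

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class AdminRoutesRequireAuthTest extends TestCase
{
    use RefreshDatabase;

    public function test_guest_cannot_reach_admin_routes(): void
    {
        // Unauthenticated GET and POST must never hit the controller.
        $this->get('/admin/users')->assertRedirect('/login');
        $this->post('/admin/users', ['name' => 'x'])->assertRedirect('/login');
    }

    public function test_authenticated_non_admin_is_forbidden(): void
    {
        $user = User::factory()->create();   // assumed: no admin role by default

        $this->actingAs($user)->get('/admin/users')->assertForbidden();
    }
}
```

Running `php artisan route:list --path=admin` after the change is a quick manual check: every admin route should list `web`, `auth` and the admin middleware in its middleware column. Note that CSRF verification is skipped in the test environment, so the POST in the first test exercises the authentication layer rather than being rejected by VerifyCsrfToken first.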
