security: round 1 — quick wins (rate limiting, headers, mass assignment, logging)
- Add throttle middleware to login (5/min), portal/token-auth (10/min), volunteer-register (5/min), and invitation routes (10/min) - Set Sanctum token expiration to 7 days - Remove billing_status from UpdateOrganisationRequest (super_admin only) - Revoke all Sanctum tokens on password reset - Strengthen password rules: min 8 chars, mixed case, numbers - Create SecurityHeaders middleware (X-Content-Type-Options, X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy) - Fix open redirect on all 3 login pages (validate ?to= starts with /) - Set APP_DEBUG=false in .env.example - Log failed login attempts with email, IP, user-agent - Log authorization failures (403) with user, IP, path, method - Harden mass assignment: remove user_id from Person, audit fields from ShiftAssignment, system fields from UserInvitation $fillable - Replace real DB records with factory make() in mail preview routes Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -57,7 +57,6 @@ final class VolunteerRegistrationService
|
||||
'email' => $email,
|
||||
],
|
||||
[
|
||||
'user_id' => $user->id,
|
||||
'crowd_type_id' => $volunteerCrowdType->id,
|
||||
'first_name' => $validated['first_name'] ?? $user->first_name,
|
||||
'last_name' => $validated['last_name'] ?? $user->last_name,
|
||||
@@ -75,6 +74,10 @@ final class VolunteerRegistrationService
|
||||
]
|
||||
);
|
||||
|
||||
// Set user_id explicitly (not mass-assignable)
|
||||
$person->user_id = $user->id;
|
||||
$person->save();
|
||||
|
||||
$this->syncAvailabilities($person, $festivalEvent, $validated['availabilities'] ?? []);
|
||||
|
||||
if (!empty($validated['field_values'])) {
|
||||
|
||||
Reference in New Issue
Block a user