Problem
UserController has no explicit authorization — all three methods (index, edit, update) rely solely on route-level middleware with no defense-in-depth. NotificationController::store() uses abort_unless(isAn('admin')) instead of Gate::authorize, inconsistent with the rest of the application.
Additionally, UserController::update() allows an admin to demote themselves, which could lock them out of admin functions.
Required Changes
UserController: add Gate::authorize('access-admin') at the start of index(), edit(), and update()
UserController::update(): add guard to prevent self-demotion (abort_if($user->id === $request->user()->id && $validated['role'] !== 'admin', 422))
NotificationController::store(): replace abort_unless with Gate::authorize('access-admin')
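The hardened UserController as described in the required changes, written here as an added illustration rather than the project's own file. It assumes a User model with a string `role` column, an `access-admin` gate registered in AuthServiceProvider, and Blade views under admin/users (all assumptions, not taken from the issue).

```php
<?php
// Added illustration, not the project's file. Assumes a User model with a string
// `role` column and an `access-admin` gate defined in AuthServiceProvider (see end).
namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class UserController extends Controller
{
    public function index()
    {
        // Defense-in-depth: re-check the ability even though the route
        // group already sits behind admin middleware.
        Gate::authorize('access-admin');
        return view('admin.users.index', ['users' => User::paginate(25)]);
    }

    public function edit(User $user)
    {
        Gate::authorize('access-admin');
        return view('admin.users.edit', ['user' => $user]);
    }

    public function update(Request $request, User $user)
    {
        Gate::authorize('access-admin');
        $validated = $request->validate([
            'role' => ['required', 'in:admin,editor,viewer'], // assumed role set
        ]);

        // Self-demotion guard: an admin may not strip their own admin role,
        // which would lock them out of every admin action.
        abort_if(
            $user->id === $request->user()->id && $validated['role'] !== 'admin',
            422,
            'You cannot remove your own admin role.'
        );

        $user->update($validated);
        return redirect()->route('admin.users.index');
    }
}

// Gate registration, assumed to live in App\Providers\AuthServiceProvider::boot():
// Gate::define('access-admin', fn (User $user) => $user->role === 'admin');
```

Gate::authorize throws an AuthorizationException (rendered as 403) when the gate denies, so a non-admin reaching any of these methods through a misconfigured route still gets refused.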
Files
app/Http/Controllers/Admin/UserController.php
app/Http/Controllers/Admin/NotificationController.php