Problem
The Aura resource editor is currently protected only by the aura.features.resource_editor flag and an "app resource" check.
That means:
- the Edit Resource button is rendered for any authenticated user if resource_editor is enabled and the resource is an app resource
- the aura.resource.editor route (/admin/resources/{slug}/editor) is accessible to any authenticated user under the same condition
- there is no package-level authorization requirement like isSuperAdmin()
- there is also no package-level environment guard beyond the config value itself
Why this is a problem
In one production app, the feature was enabled and normal users were able to:
- see the Edit Resource button
- directly open /admin/resources/markenindex/editor
They still could not necessarily mutate business data, but the route and UI should never have been visible or accessible to non-super-admins.
This is especially risky because the package config may be overridden by the host app. The package default being local-only is not enough as defense-in-depth.
Current package behavior
Relevant places:
resources/views/livewire/resource/index.blade.php renders Edit Resource based on config('aura.features.resource_editor') and $resource->isAppResource() only
src/Livewire/ResourceEditor.php only aborts when the feature is disabled or the resource is not an app resource
Expected behavior
I think the package should enforce both:
- local-only by default and ideally also by route/component authorization unless explicitly opted out
- super-admin-only access for the resource editor UI and route
At minimum:
- hide Edit Resource unless the current user is authorized
- abort 403 on aura.resource.editor unless the current user is authorized
Suggested fix
Add package-level authorization / environment checks in both places:
- button rendering in resources/views/livewire/resource/index.blade.php
- route/component authorization in src/Livewire/ResourceEditor.php
Possible approach:
- keep resource_editor default local-only
- add a dedicated gate/config callback for resource-editor access
- default that gate to local env + privileged user only
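One way the suggested approach could look, as an added example that is not the package's own code: a dedicated gate that defaults to local environment plus super admin, enforced in the Livewire component before anything renders and in the Blade view around the button. The gate name aura.resource-editor, the config key aura.features.resource_editor_gate and a User::isSuperAdmin() method are assumptions.

```php
<?php
// Added example (not Aura's own code). Assumed names: the gate
// "aura.resource-editor", the config key "aura.features.resource_editor_gate"
// (an optional host-app callback) and a User::isSuperAdmin() method.

use Illuminate\Support\Facades\Gate;
use Illuminate\Support\ServiceProvider;
use Livewire\Component;

class AuraAuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        Gate::define('aura.resource-editor', function ($user) {
            // Host apps may opt out explicitly by supplying their own callback;
            // without one the default stays deliberately strict.
            $custom = config('aura.features.resource_editor_gate');
            if (is_callable($custom)) {
                return (bool) $custom($user);
            }

            // Default: feature flag on AND local environment AND privileged user.
            // The flag alone is not an authorization decision.
            return config('aura.features.resource_editor') === true
                && app()->environment('local')
                && method_exists($user, 'isSuperAdmin')
                && $user->isSuperAdmin();
        });
    }
}

// src/Livewire/ResourceEditor.php: deny in mount(), so the check runs on the
// direct route hit as well as on the button path.
class ResourceEditor extends Component
{
    public function mount($resource): void
    {
        abort_unless(config('aura.features.resource_editor'), 404);
        abort_unless($resource->isAppResource(), 404);
        abort_unless(Gate::allows('aura.resource-editor'), 403);
    }
}

// resources/views/livewire/resource/index.blade.php: wrap the button so it is
// hidden whenever the same gate denies.
//
//   @can('aura.resource-editor')
//       <a href="{{ route('aura.resource.editor', $resource->slug) }}">Edit Resource</a>
//   @endcan
```

Because both places consult the same gate, hiding the button and returning 403 on the route cannot drift apart when the host app overrides the config.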
Reproduction
- Enable aura.features.resource_editor
- Log in as a normal authenticated non-admin user
- Visit an app resource index page
- Observe Edit Resource is visible
- Open /admin/resources/{slug}/editor
- Observe the page is accessible
Expected result
For non-super-admin users:
- no Edit Resource button
- 403 on /admin/resources/{slug}/editor
For production:
- ideally disabled entirely by default unless explicitly and safely overridden