From 9c1beab49eddc7c77fbb85dac4dab766a1456f2d Mon Sep 17 00:00:00 2001
From: Scott Pouliot
Date: Sat, 13 Jun 2026 21:44:59 -0400
Subject: [PATCH] Security: add missing class-level [Authorize] on ReleaseNotesController and KioskController
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ReleaseNotesController had [Authorize] only on Index(), leaving the class unprotected at declaration level — any future unannotated action would be publicly accessible. KioskController had no class-level auth, meaning PushSmsConsent() and CancelSmsConsent() (staff-only POST actions) were reachable by anonymous callers. [AllowAnonymous] on the existing tablet/intake actions still overrides correctly, so the customer-facing kiosk flow is unaffected.

Co-Authored-By: Claude Sonnet 4.6
---
 src/PowderCoating.Web/Controllers/KioskController.cs | 1 +
 src/PowderCoating.Web/Controllers/ReleaseNotesController.cs | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/PowderCoating.Web/Controllers/KioskController.cs b/src/PowderCoating.Web/Controllers/KioskController.cs
index bbbcb9b..f899f77 100644
--- a/src/PowderCoating.Web/Controllers/KioskController.cs
+++ b/src/PowderCoating.Web/Controllers/KioskController.cs
@@ -26,6 +26,7 @@ namespace PowderCoating.Web.Controllers;
 /// When creating new Customer or Job records from the kiosk, CompanyId is set explicitly
 /// from session.CompanyId so the EF SaveChanges interceptor doesn't override it with 0.
 ///
+[Authorize]
 public class KioskController : Controller
 {
 private const string CookieName = "KioskDevice";
diff --git a/src/PowderCoating.Web/Controllers/ReleaseNotesController.cs b/src/PowderCoating.Web/Controllers/ReleaseNotesController.cs
index adca6a5..6ebeaae 100644
--- a/src/PowderCoating.Web/Controllers/ReleaseNotesController.cs
+++ b/src/PowderCoating.Web/Controllers/ReleaseNotesController.cs
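Review bot: The `[Authorize]` added above `public class KioskController : Controller` is unqualified, so it admits any authenticated principal, whereas the commit message describes PushSmsConsent() and CancelSmsConsent() as staff-only; unless those actions (outside this hunk) already carry a role or policy restriction, the staff-only constraint is not enforced by this change. If a staff role or policy exists, put it on those two actions or on the class, e.g. `[Authorize(Roles = "<staff-role-name>")]` (placeholder for the project's actual role name). The `[AllowAnonymous]` opt-outs on the tablet/intake actions still take precedence over the class attribute, which is the intended shape, but a line in the class summary would keep that contract visible: `/// Class-level [Authorize] is the default; customer-facing tablet/intake actions opt out with [AllowAnonymous].` The KioskController body continues outside the hunk.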
@@ -16,6 +16,7 @@ namespace PowderCoating.Web.Controllers;
 /// SuperAdmins because only platform staff should author release content.
 ///
 ///
+[Authorize]
 public class ReleaseNotesController : Controller
 {
 private readonly IUnitOfWork _unitOfWork;
@@ -34,7 +35,6 @@ public class ReleaseNotesController : Controller
 /// newest-first. Drafts are invisible to ordinary users so SuperAdmins can
 /// prepare notes in advance without surfacing them prematurely.
 ///
- [Authorize]
 public async Task Index()
 {
 var notes = (await _unitOfWork.ReleaseNotes.FindAsync(r => r.IsPublished))
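Review bot: The unqualified `[Authorize]` added above `public class ReleaseNotesController : Controller` admits any signed-in user, while the summary line in this hunk says only SuperAdmins should author release content; since Index() must stay readable by ordinary users (per its own summary in the -34 hunk), the SuperAdmin restriction has to sit on the authoring actions, which are outside this hunk — please confirm each carries a role or policy attribute such as `[Authorize(Roles = "<superadmin-role-name>")]` (placeholder) rather than inheriting only the class-level attribute. Because this fix closes an unprotected-by-default gap, a reflection-based unit test asserting that every controller type in PowderCoating.Web.Controllers carries `[Authorize]` or `[AllowAnonymous]` at class level would stop the next new controller from regressing. The -34 hunk's removal of the per-action `[Authorize]` on Index() is behavior-preserving given the class-level attribute.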