spouliot/PowderCoatingLogix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security: add missing class-level [Authorize] on ReleaseNotesController and KioskController

Browse Source 
ReleaseNotesController had [Authorize] only on Index(), leaving the class
unprotected at declaration level — any future unannotated action would be
publicly accessible.

KioskController had no class-level auth, meaning PushSmsConsent() and
CancelSmsConsent() (staff-only POST actions) were reachable by anonymous
callers. [AllowAnonymous] on the existing tablet/intake actions still
overrides correctly, so the customer-facing kiosk flow is unaffected.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Scott Pouliot
2026-06-13 21:44:59 -04:00
parent aeec899cf2
commit 9c1beab49e
2 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/PowderCoating.Web/Controllers/KioskController.cs
+1
View File
@@ -26,6 +26,7 @@ namespace PowderCoating.Web.Controllers;
/// When creating new Customer or Job records from the kiosk, CompanyId is set explicitly
/// from session.CompanyId so the EF SaveChanges interceptor doesn't override it with 0.
/// </summary>
[Authorize]
public class KioskController : Controller
{
private const string CookieName = "KioskDevice";