[SECURITY] Prevent IDOR (Insecure Direct Object Reference) pada Endpoint Berbasis ID

app/Http/Controllers/CMS/ArticleController.php

@@ -78,6 +78,9 @@ public function show($id)
             return redirect(route('articles.index'));
         }
 
+        // IDOR Prevention: Authorization check
+        $this->authorize('view', $article);
+
         return view('articles.show')->with('article', $article);
     }
 
@@ -93,6 +96,9 @@ public function edit($id)
             return redirect(route('articles.index'));
         }
 
+        // IDOR Prevention: Authorization check
+        $this->authorize('update', $article);
+
         return view('articles.edit', $this->getOptionItems($id))->with('article', $article);
     }
 
@@ -108,6 +114,10 @@ public function update($id, UpdateArticleRequest $request)
 
             return redirect(route('articles.index'));
         }
+
+        // IDOR Prevention: Authorization check
+        $this->authorize('update', $article);
+
         $input = $request->all();
         $removeThumbnail = $request->get('remove_thumbnail');
         if ($request->file('foto')) {
@@ -139,6 +149,9 @@ public function destroy($id)
             return redirect(route('articles.index'));
         }
 
+        // IDOR Prevention: Authorization check
+        $this->authorize('delete', $article);
+
         $this->articleRepository->delete($id);
         if (request()->ajax()) {
             return $this->sendSuccess('Artikel berhasil dihapus.');

app/Http/Controllers/GroupController.php

@@ -3,6 +3,7 @@
 namespace App\Http\Controllers;
 
 use App\Models\Team;
+use Illuminate\Support\Facades\Session;
 
 class GroupController extends Controller
 {
@@ -33,8 +34,18 @@ public function create()
 
     public function edit($id)
     {
-        $listPermission = $this->generateListPermission();
+        // IDOR Prevention: Authorization check
         $team = Team::find($id);
+
+        if (! $team) {
+            Session::flash('error', 'Grup tidak ditemukan');
+
+            return redirect(route('groups.index'));
+        }
+
+        $this->authorize('update', $team);
+
+        $listPermission = $this->generateListPermission();
         $isAdmin = $team->name == 'administrator' ? true : false;
 
         return view('group.form', ['id' => $id])->with($listPermission)->with('isAdmin', $isAdmin);

app/Http/Controllers/UserController.php

@@ -186,6 +186,10 @@ public function show($id)
     public function edit($id)
     {
         $user = User::with('team')->where('id', $id)->first();
+
+        // IDOR Prevention: Authorization check
+        $this->authorize('update', $user);
+
         $groups = Team::withoutAdminUsers()->get();
         $team = $user->team->first()->id ?? false;
 
@@ -207,6 +211,9 @@ public function profile($id)
     {
         $user = User::find($id);
 
+        // IDOR Prevention: Authorization check
+        $this->authorize('view', $user);
+
         return view('user.profile', compact('user'));
     }
 
@@ -220,6 +227,9 @@ public function profile($id)
      */
     public function update(UserRequest $request, User $user)
     {
+        // IDOR Prevention: Authorization check
+        $this->authorize('update', $user);
+
         try {
             $currentUser = auth()->user();
 
@@ -316,6 +326,9 @@ public function update(UserRequest $request, User $user)
      */
     public function destroy(User $user)
     {
+        // IDOR Prevention: Authorization check
+        $this->authorize('delete', $user);
+
         try {
             $user->delete();
         } catch (\Exception $e) {
@@ -336,6 +349,9 @@ public function destroy(User $user)
      */
     public function status($id, $status, User $user)
     {
+        // IDOR Prevention: Authorization check
+        $this->authorize('status', $user);
+
         try {
             $user->where('id', '!=', $user->superAdmin())->findOrFail($id)->update(['active' => $status]);
         } catch (\Exception $e) {

app/Policies/ArticlePolicy.php

@@ -0,0 +1,57 @@
+<?php
+
+namespace App\Policies;
+
+use App\Models\CMS\Article;
+use App\Models\User;
+
+class ArticlePolicy
+{
+    /**
+     * Determine whether the user can view any models.
+     */
+    public function viewAny(User $user): bool
+    {
+        return $user->hasPermissionTo('website-article-read');
+    }
+
+    /**
+     * Determine whether the user can view the model.
+     * 
+     * IDOR Prevention: User hanya bisa melihat article jika:
+     * - Administrator bisa melihat semua article
+     * - User dengan permission read bisa melihat semua article
+     */
+    public function view(User $user, Article $article): bool
+    {
+        return $user->hasPermissionTo('website-article-read');
+    }
+
+    /**
+     * Determine whether the user can create models.
+     */
+    public function create(User $user): bool
+    {
+        return $user->hasPermissionTo('website-article-create');
+    }
+
+    /**
+     * Determine whether the user can update the model.
+     * 
+     * IDOR Prevention: User hanya bisa update article jika memiliki permission edit
+     */
+    public function update(User $user, Article $article): bool
+    {
+        return $user->hasPermissionTo('website-article-edit');
+    }
+
+    /**
+     * Determine whether the user can delete the model.
+     * 
+     * IDOR Prevention: User hanya bisa delete article jika memiliki permission delete
+     */
+    public function delete(User $user, Article $article): bool
+    {
+        return $user->hasPermissionTo('website-article-delete');
+    }
+}

app/Policies/CustomCSPPolicy.php

@@ -19,7 +19,7 @@ class CustomCSPPolicy extends Basic
     public function configure()
     {
         parent::configure();
-        $currentRoute = Route::getCurrentRoute()->getName();
+        $currentRoute = Route::getCurrentRoute()?->getName() ?? '';
         if (in_array($currentRoute, $this->hasTinyMCE)) {
             $this->addDirective(Directive::IMG, ['blob:'])
                 ->addDirective(Directive::STYLE, ['unsafe-inline']);
@@ -54,7 +54,7 @@ public function configure()
         ])->addDirective(Directive::CONNECT, [
             config('app.serverPantau'),
             config('app.databaseGabunganUrl'),
-        ]);
+        ]);        
     }
 
     public function shouldBeApplied(Request $request, Response $response): bool
@@ -65,11 +65,8 @@ public function shouldBeApplied(Request $request, Response $response): bool
             config(['csp.enabled' => false]);
         }
 
-        // jika mode debug aktif maka disable CSP
-        if (env('APP_DEBUG')) {
-            config(['csp.enabled' => false]);
-        }
-
+        // CSP tetap aktif di semua mode, termasuk debug
+        // Hanya dimatikan untuk route yang di-exclude secara eksplisit
         return config('csp.enabled');
     }
 }

app/Policies/TeamPolicy.php

@@ -0,0 +1,86 @@
+<?php
+
+namespace App\Policies;
+
+use App\Models\Team;
+use App\Models\User;
+
+class TeamPolicy
+{
+    /**
+     * Determine whether the user can view any models.
+     */
+    public function viewAny(User $user): bool
+    {
+        return $user->hasPermissionTo('pengaturan-group-read');
+    }
+
+    /**
+     * Determine whether the user can view the model.
+     * 
+     * IDOR Prevention: User hanya bisa melihat team jika:
+     * - Administrator bisa melihat semua team
+     * - User lain hanya bisa melihat team yang bukan administrator
+     */
+    public function view(User $user, Team $team): bool
+    {
+        // Administrator bisa melihat semua
+        if ($user->hasRole('administrator')) {
+            return true;
+        }
+
+        // User biasa tidak bisa melihat team administrator
+        if ($team->name === 'administrator') {
+            return false;
+        }
+
+        // User bisa melihat team lain
+        return true;
+    }
+
+    /**
+     * Determine whether the user can create models.
+     */
+    public function create(User $user): bool
+    {
+        return $user->hasPermissionTo('pengaturan-group-create');
+    }
+
+    /**
+     * Determine whether the user can update the model.
+     * 
+     * IDOR Prevention: User hanya bisa update team jika:
+     * - Administrator bisa update semua team
+     * - User lain tidak bisa update team administrator
+     */
+    public function update(User $user, Team $team): bool
+    {
+        // Administrator bisa update semua
+        if ($user->hasRole('administrator')) {
+            return true;
+        }
+
+        // User biasa tidak bisa update team administrator
+        if ($team->name === 'administrator') {
+            return false;
+        }
+
+        return $user->hasPermissionTo('pengaturan-group-edit');
+    }
+
+    /**
+     * Determine whether the user can delete the model.
+     * 
+     * IDOR Prevention: User hanya bisa delete team jika:
+     * - Administrator bisa delete semua team (kecuali administrator team)
+     */
+    public function delete(User $user, Team $team): bool
+    {
+        // Tidak bisa delete team administrator
+        if ($team->name === 'administrator') {
+            return false;
+        }
+
+        return $user->hasRole('administrator') && $user->hasPermissionTo('pengaturan-group-delete');
+    }
+}