Shopper Framework: Missing Authorization on Sub-form Livewire Components
Sub-form Livewire components (Edit, Inventory, Seo, Shipping, Files) in the product editor had no authorization on their store() method, allowing any authenticated panel user to mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products.
What changed
Along with the missing authorization on store() described above, the product ID was a public Livewire property without #[Locked], enabling client-side tampering: a client could change the ID between requests and direct the save to a different product.
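The two weaknesses described above, side by side with their hardened form, as an added illustration that is not Shopper's own code: a hypothetical product pricing sub-form component (class names, the App\Models\Product model and the price field are assumptions). It uses Livewire's #[Locked] attribute and Laravel's Gate::authorize(), and assumes the application registers an ability named edit_products, the permission the advisory names.

```php
<?php

// Added example, not code from shopper/framework: a hypothetical product
// sub-form component showing the advisory's two weaknesses and their fix.

namespace App\Livewire\Products;

use App\Models\Product; // hypothetical model with a `price` column
use Illuminate\Support\Facades\Gate;
use Livewire\Attributes\Locked;
use Livewire\Component;

/**
 * BEFORE: the pattern the advisory describes.
 * - $productId is a plain public property. Livewire syncs public properties
 *   from the browser on every request, so the client can change it.
 * - store() never checks a permission, so any logged-in panel user can
 *   write a new price onto whichever product ID they send.
 */
class VulnerablePricingForm extends Component
{
    public int $productId;
    public float $price = 0.0;

    public function mount(Product $product): void
    {
        $this->productId = $product->id;
        $this->price = (float) $product->price;
    }

    public function store(): void
    {
        $this->validate(['price' => ['required', 'numeric', 'min:0']]);

        // Trusts the client-supplied productId and skips authorization.
        Product::query()->findOrFail($this->productId)
            ->update(['price' => $this->price]);
    }
}

/**
 * AFTER: the hardened form.
 * - #[Locked] makes Livewire refuse client-side updates to $productId;
 *   a tampered payload raises an exception instead of being applied.
 * - store() authorizes against edit_products before touching the
 *   database; Gate::authorize() aborts with 403 when the check fails.
 *   The ability is assumed to be registered by the application (for
 *   example through a permission package or a Gate::define() call).
 */
class HardenedPricingForm extends Component
{
    #[Locked]
    public int $productId;

    public float $price = 0.0;

    public function mount(Product $product): void
    {
        // Check on load as well, so a user without the permission never
        // receives the form in the first place.
        Gate::authorize('edit_products');

        $this->productId = $product->id;
        $this->price = (float) $product->price;
    }

    public function store(): void
    {
        // Re-check on every action: each Livewire action is a separate HTTP
        // request, and the mount-time check does not carry over to it.
        Gate::authorize('edit_products');

        $this->validate(['price' => ['required', 'numeric', 'min:0']]);

        Product::query()->findOrFail($this->productId)
            ->update(['price' => $this->price]);
    }
}
```

The authorization check belongs inside store() itself rather than only in mount() or in the page-level route, because the browser can invoke a Livewire action directly without re-running whatever gate protected the page that rendered it; #[Locked] is the complementary control that keeps the target record fixed to the one the user was authorized to open.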
Who it affects
All authenticated panel users of shopper/framework versions prior to v2.8.0.
What to do today
Upgrade to v2.8.0 using 'composer require shopper/admin:^2.8'.