rusbrain / reps2_beta1

кузы2
http://reps2.ru
GNU General Public License v3.0

Unrestricted StreamController access #173

Closed ghost closed 5 years ago

ghost commented 5 years ago
  1. The "stream" route lacks validation, giving access to "edit" and "update" to any authenticated user
  2. StreamController has another privilege check only on the "store" request
  3. StreamService may also be manipulated just by adding an extra "approved" entry to the "update" form request. That's an admin-tier thing

PoC

routes/web.php has only "logged-in" restriction

```php
209 Route::group(['middleware' => 'auth'], function () {
212  Route::get('/{id}/edit', 'StreamController@edit')->name('stream.edit');
213  Route::post('/{id}/update', 'StreamController@save')->name('stream.update');
```

app/Http/Controllers/StreamController.php affected methods

```php
108 public function edit($stream_id)
110  return view('stream.edit')->with(['stream'=> $this->getStreamObject($stream_id)]);
...
118 public function save(StreamUpdateRequest $request, $stream_id)
123  StreamService::updateStream($request, $stream);
```

app/Services/Stream/StreamService.php is also hooked

```php
55  public static function updateStream(Request $request, Stream $stream)
59    if (!$request->has('approved')) {
60        $stream_data['approved'] = "0";
63   Stream::where('id', $stream->id)->update($stream_data);
```
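The two defects above (no ownership check on the `{id}` route, and a client-controlled `approved` flag reaching the database) are usually closed in Laravel with a form request that refuses non-owners and a service that allow-lists the writable columns. The following is an added example, not code from the reps2_beta1 project; it assumes the `Stream` model has a `user_id` column naming its owner and that `User` exposes an `isAdmin()` method (both are assumptions, not things the issue shows).

```php
<?php
// Added example (not reps2_beta1 code). Two files are shown in one block.
// Assumptions: Stream has a `user_id` owner column; User has isAdmin().

// ---- app/Http/Requests/StreamUpdateRequest.php ----
namespace App\Http\Requests;

use App\Stream;
use Illuminate\Foundation\Http\FormRequest;

class StreamUpdateRequest extends FormRequest
{
    // Laravel calls authorize() before the controller runs; returning false
    // yields a 403, so a logged-in user cannot edit someone else's stream
    // just by changing the {id} in the URL.
    public function authorize()
    {
        $stream = Stream::find($this->route('id'));
        if ($stream === null) {
            return false;
        }
        $user = $this->user();
        return $user !== null
            && ($user->isAdmin() || (int) $stream->user_id === (int) $user->id);
    }

    public function rules()
    {
        return [
            'title'       => 'required|string|max:255',
            'description' => 'nullable|string',
            // Validated as a boolean, but see updateStream(): only admins
            // get to write it.
            'approved'    => 'sometimes|boolean',
        ];
    }
}

// ---- app/Services/Stream/StreamService.php ----
namespace App\Services\Stream;

use App\Stream;
use Illuminate\Http\Request;

class StreamService
{
    public static function updateStream(Request $request, Stream $stream)
    {
        // Allow-list: unknown form fields (e.g. a smuggled `approved`)
        // never reach the UPDATE statement.
        $stream_data = $request->only(['title', 'description']);

        $user = $request->user();
        if ($user !== null && $user->isAdmin() && $request->has('approved')) {
            // Moderation status is set from the request only for admins.
            $stream_data['approved'] =
                filter_var($request->input('approved'), FILTER_VALIDATE_BOOLEAN) ? "1" : "0";
        } else {
            // Ordinary users: an edit always sends the stream back to moderation,
            // matching the project's existing default of "0".
            $stream_data['approved'] = "0";
        }

        Stream::where('id', $stream->id)->update($stream_data);
    }
}
```

With the form request in place the route file can stay as it is: the `auth` middleware still handles authentication, while authorization (owner or admin) is decided per request before `StreamController@save` executes, and the service decides which columns a given role may write.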
widedeveloper commented 5 years ago

Fixed it. @nl169, if there are any issues, comment here