fix(model): remove role and api_token from User $fillable

ardelato · ardelato · commit e0c5e09112e7 · 2026-04-24T10:24:07.000-07:00
These sensitive fields were mass-assignable, enabling privilege
escalation if any controller passed unfiltered request data to
User::update() or User::create(). All call sites that previously
set role via mass assignment now use direct property assignment.
diff --git a/app/Console/Commands/UserCreate.php b/app/Console/Commands/UserCreate.php
@@ -101,7 +101,6 @@ public function handle(DiscourseService $discourseService): void
                 'name' => $name,
                 'email' => $email,
                 'password' => Hash::make($password),
-                'role' => $role,
                 'recovery' => substr(bin2hex(openssl_random_pseudo_bytes(32)), 0, 24),
                 'recovery_expires' => strftime('%Y-%m-%d %X', time() + (24 * 60 * 60)),
                 'calendar_hash' => Str::random(15),
@@ -118,6 +117,9 @@ public function handle(DiscourseService $discourseService): void
 
             if ($user)
             {
+                $user->role = $role;
+                $user->save();
+
                 $this->info("User created {$user->name} (#{$user->id})");
                 $this->info("Role: {$this->getRoleName($user->role)}");
 
diff --git a/app/Http/Controllers/Auth/RegisterController.php b/app/Http/Controllers/Auth/RegisterController.php
@@ -5,6 +5,7 @@
 use Illuminate\Routing\Controllers\HasMiddleware;
 use Illuminate\Routing\Controllers\Middleware;
 use App\Http\Controllers\Controller;
+use App\Models\Role;
 use App\Models\User;
 use Illuminate\Foundation\Auth\RegistersUsers;
 use Illuminate\Support\Facades\Hash;
@@ -62,11 +63,13 @@ protected function create(array $data): User
                                 'name' => $data['name'],
                                 'email' => $data['email'],
                                 'password' => Hash::make($data['password']),
-            'role' => 4,
             'recovery' => substr(bin2hex(openssl_random_pseudo_bytes(32)), 0, 24),
             'recovery_expires' => strftime('%Y-%m-%d %X', time() + (24 * 60 * 60)),
                             ]);
 
+        $user->role = Role::RESTARTER;
+        $user->save();
+
         Session::createSession($user->id);
 
         return $user;
diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
@@ -1007,7 +1007,6 @@ public function postRegister(Request $request, $hash = null): RedirectResponse
                 'name' => $request->input('name'),
                 'email' => $request->input('email'),
                 'password' => Hash::make($request->input('password')),
-                'role' => $role,
                 'recovery' => substr(bin2hex(openssl_random_pseudo_bytes(32)), 0, 24),
                 'recovery_expires' => strftime('%Y-%m-%d %X', time() + (24 * 60 * 60)),
                 'country_code' => $request->input('country'),
@@ -1017,6 +1016,9 @@ public function postRegister(Request $request, $hash = null): RedirectResponse
                 'calendar_hash' => Str::random(15),
                 'username' => '',
             ]);
+
+            $user->role = $role;
+            $user->save();
         }
 
         $user->generateAndSetUsername();
diff --git a/app/Models/User.php b/app/Models/User.php
@@ -40,8 +40,11 @@ class User extends Authenticatable implements Auditable, HasLocalePreference
      *
      * @var array
      */
+    // Note: `role` and `api_token` are intentionally excluded from $fillable.
+    // They must be set via direct assignment ($user->role = X; $user->save())
+    // to prevent privilege escalation via mass assignment (security: C2/M1).
     protected $fillable = [
-        'name', 'email', 'password', 'role', 'recovery', 'recovery_expires', 'language', 'repair_network', 'location', 'age', 'gender', 'country_code', 'newsletter', 'invites', 'biography', 'consent_future_data', 'consent_past_data', 'consent_gdpr', 'number_of_logins', 'latitude', 'longitude', 'last_login_at', 'api_token', 'access_group_tag_id', 'calendar_hash', 'repairdir_role', 'mediawiki', 'username', 'external_user_id', 'external_username',
+        'name', 'email', 'password', 'recovery', 'recovery_expires', 'language', 'repair_network', 'location', 'age', 'gender', 'country_code', 'newsletter', 'invites', 'biography', 'consent_future_data', 'consent_past_data', 'consent_gdpr', 'number_of_logins', 'latitude', 'longitude', 'last_login_at', 'access_group_tag_id', 'calendar_hash', 'repairdir_role', 'mediawiki', 'username', 'external_user_id', 'external_username',
     ];
 
     /**
