From 9582880dbfd911d454d854b3a59f59b84245c701 Mon Sep 17 00:00:00 2001
From: HolgerHatGarKeineNode <123783602+HolgerHatGarKeineNode@users.noreply.github.com>
Date: Sun, 17 May 2026 15:12:49 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20**Enforce=20authorization=20for?=
 =?UTF-8?q?=20meetup=20edit=20and=20update=20views**=20Added=20`authorizeA?=
 =?UTF-8?q?ccess`=20method=20to=20restrict=20access=20to=20the=20meetup's?=
 =?UTF-8?q?=20creator,=20ensuring=20proper=20authorization=20during=20view?=
 =?UTF-8?q?=20rendering=20and=20updates.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 resources/views/livewire/meetups/edit.blade.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/resources/views/livewire/meetups/edit.blade.php b/resources/views/livewire/meetups/edit.blade.php
index d3a8c95..14134c9 100644
--- a/resources/views/livewire/meetups/edit.blade.php
+++ b/resources/views/livewire/meetups/edit.blade.php
@@ -83,6 +83,18 @@ class extends Component {
 \Flux\Flux::modal('add-city')->close();
 }

+ /**
+ * Enforce that only the meetup's creator may load or update this view.
+ * Mirrors services/edit and lecturer-edit. Removing this guard reopens
+ * the IDOR closed by 90835f8 (security: critical fixes / edit authz).
+ */
+ protected function authorizeAccess(): void
+ {
+ if (! is_null($this->meetup->created_by) && auth()->id() !== $this->meetup->created_by) {
+ abort(403);
+ }
+ }
+
 /**
 * Whitelist the keys allowed inside github_data and coerce types so a
 * tampered payload cannot smuggle arbitrary keys into the stored JSON.
@@ -114,6 +126,8 @@ class extends Component {

 public function mount(): void
 {
+ $this->authorizeAccess();
+
 $this->meetup->load('media');

 // Basic Information
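Review bot: The guard in `authorizeAccess()` fails open when `created_by` is null: the `! is_null(...)` clause skips the ownership comparison, so a meetup with no recorded creator stays editable by any caller, including an unauthenticated one if the route is not behind auth middleware (not visible in this patch). If ownerless meetups are not meant to be editable by everyone, deny by default with `if (auth()->id() === null || auth()->id() !== $this->meetup->created_by) { abort(403); }` and handle legacy records through an explicit privileged-role check. The strict `!==` also assumes both ids have the same type, so confirm `created_by` is cast to an integer on the model, otherwise the real creator would be rejected. Whichever behaviour is intended, the docblock should state what happens for a null creator.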
@@ -146,6 +160,8 @@ class extends Component {

 public function updateMeetup(): void
 {
+ $this->authorizeAccess();
+
 $validated = $this->validate([
 'name' => ['required', 'string', 'max:255', Rule::unique('meetups')->ignore($this->meetup->id)],
 'city_id' => ['nullable', 'exists:cities,id'],
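Review bot: `updateMeetup()` and `mount()` are the only entry points that call `authorizeAccess()`, but Livewire makes every public method of the component callable on subsequent requests, and `mount()` runs only on the initial render. Any other public action in this class would therefore still run without the ownership check; their bodies are outside these hunks, so this is inferred rather than confirmed. Consider a lifecycle hook that runs on each subsequent request, `public function hydrate(): void { $this->authorizeAccess(); }`, so that actions added later are covered without having to remember the call. `updateMeetup()` continues past the end of this hunk.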