security: high-severity fixes (api throttle, fillable, idor, path, rel)

- Add 60 req/min throttle to the public API group and a stricter 10 req/min
  throttle to POST /highscores.
- Replace mass-assigned $guarded=[] with explicit $fillable on User, Meetup,
  Course, Lecturer, and SelfHostedService. created_by stays out of the
  whitelist; the existing creating() hooks continue to populate it.
- Require authenticated user on Api/MeetupController::index instead of
  trusting the user_id query parameter (IDOR).
- Constrain the /img and /img-public route paths to a safe character set
  and reject any path containing ".." in ImageController.
- Add rel="noopener noreferrer" to every target="_blank" link on the meetup
  and course landing pages.

app/Http/Controllers/Api/MeetupController.php

@@ -4,7 +4,6 @@ namespace App\Http\Controllers\Api;
 
 use App\Http\Controllers\Controller;
 use App\Models\Meetup;
-use App\Models\User;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Http\Request;
 
@@ -17,14 +16,10 @@ class MeetupController extends Controller
 
     public function index(Request $request)
     {
-        if (!is_numeric($request->input('user_id'))) {
-            abort(404);
-        }
+        $user = $request->user();
+        abort_unless($user, 401);
 
-        $myMeetupIds = User::query()
-            ->findOrFail($request->input('user_id'))
-            ?->meetups
-            ->pluck('id');
+        $myMeetupIds = $user->meetups->pluck('id');
 
         return Meetup::query()
             ->select('id', 'name', 'city_id', 'slug')

app/Http/Controllers/ImageController.php

@@ -12,6 +12,8 @@ class ImageController extends Controller
 {
     public function __invoke(Request $request, $path)
     {
+        abort_if(str_contains($path, '..'), 404);
+
         $source = new \League\Flysystem\Filesystem(
             new \League\Flysystem\Local\LocalFilesystemAdapter(storage_path('app'))
         );

app/Models/Course.php

@@ -20,11 +20,13 @@ class Course extends Model implements HasMedia
     use InteractsWithMedia;
 
     /**
-     * The attributes that aren't mass assignable.
-     *
-     * @var array
+     * @var array<int, string>
      */
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'lecturer_id',
+        'description',
+    ];
 
     /**
      * The attributes that should be cast to native types.

app/Models/Lecturer.php

@@ -22,11 +22,24 @@ class Lecturer extends Model implements HasMedia
     use InteractsWithMedia;
 
     /**
-     * The attributes that aren't mass assignable.
-     *
-     * @var array
+     * @var array<int, string>
      */
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'slug',
+        'subtitle',
+        'intro',
+        'description',
+        'active',
+        'website',
+        'twitter_username',
+        'nostr',
+        'lightning_address',
+        'lnurl',
+        'node_id',
+        'paynym',
+        'team_id',
+    ];
 
     /**
      * The attributes that should be cast to native types.

app/Models/Meetup.php

@@ -23,11 +23,25 @@ class Meetup extends Model implements HasMedia
     use InteractsWithMedia;
 
     /**
-     * The attributes that aren't mass assignable.
-     *
-     * @var array
+     * @var array<int, string>
      */
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'slug',
+        'city_id',
+        'intro',
+        'telegram_link',
+        'webpage',
+        'twitter_username',
+        'matrix_group',
+        'nostr',
+        'nostr_status',
+        'simplex',
+        'signal',
+        'community',
+        'github_data',
+        'visible_on_map',
+    ];
 
     /**
      * The attributes that should be cast to native types.

app/Models/SelfHostedService.php

@@ -22,7 +22,22 @@ class SelfHostedService extends Model implements HasMedia
     use HasTags;
     use InteractsWithMedia;
 
-    protected $guarded = [];
+    /**
+     * @var array<int, string>
+     */
+    protected $fillable = [
+        'name',
+        'slug',
+        'type',
+        'intro',
+        'url_clearnet',
+        'url_onion',
+        'url_i2p',
+        'url_pkdns',
+        'ip',
+        'contact',
+        'anon',
+    ];
 
     protected $casts = [
         'id' => 'integer',

app/Models/User.php

@@ -24,7 +24,28 @@ class User extends Authenticatable implements CipherSweetEncrypted
     use Notifiable;
     use UsesCipherSweet;
 
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'email',
+        'password',
+        'email_verified_at',
+        'remember_token',
+        'profile_photo_path',
+        'public_key',
+        'is_lecturer',
+        'is_leader',
+        'current_team_id',
+        'current_language',
+        'timezone',
+        'lightning_address',
+        'lnurl',
+        'node_id',
+        'paynym',
+        'nostr',
+        'lnbits',
+        'change',
+        'change_time',
+    ];
 
     /**
      * The attributes that should be hidden for serialization.