Fix Broken Access Control (CWE-285) and update CLAUDE.md

CLAUDE.md

@@ -196,6 +196,9 @@ $user->isEditor(); // true if editor
 - **Route Constraints**: All slug routes have `[a-z0-9\-]+` regex constraints
 - **File Upload Validation**: Featured images require explicit MIME type allowlist
 - **Mass Assignment**: `role` field is excluded from `$fillable` on User model to prevent privilege escalation
+- **Ownership Authorization**: Articles, Pages and Media now track `user_id` ownership
+- **Policy Enforcement**: Laravel Policies ensure only admins or resource owners can update/delete records
+- **Query Scoping**: Non-admin users can only view their own resources in Filament admin panel
 
 ### Database
 - SQLite by default (`database/database.sqlite`)

app/Filament/Resources/Articles/ArticleResource.php

@@ -13,6 +13,7 @@
 use Filament\Schemas\Schema;
 use Filament\Support\Icons\Heroicon;
 use Filament\Tables\Table;
+use Illuminate\Database\Eloquent\Builder;
 
 class ArticleResource extends Resource
 {
@@ -30,6 +31,18 @@ public static function table(Table $table): Table
         return ArticlesTable::configure($table);
     }
 
+    public static function getEloquentQuery(): Builder
+    {
+        $query = parent::getEloquentQuery();
+
+        // Non-admin users can only see their own articles
+        if (auth()->check() && !auth()->user()->isAdmin()) {
+            $query->where('user_id', auth()->id());
+        }
+
+        return $query;
+    }
+
     public static function getRelations(): array
     {
         return [

app/Filament/Resources/Media/MediaResource.php

@@ -8,6 +8,7 @@
 use Filament\Resources\Resource;
 use Filament\Support\Icons\Heroicon;
 use Filament\Tables\Table;
+use Illuminate\Database\Eloquent\Builder;
 use Spatie\MediaLibrary\MediaCollections\Models\Media;
 
 class MediaResource extends Resource
@@ -29,6 +30,18 @@ public static function table(Table $table): Table
         return MediaTable::configure($table);
     }
 
+    public static function getEloquentQuery(): Builder
+    {
+        $query = parent::getEloquentQuery();
+
+        // Non-admin users can only see their own media
+        if (auth()->check() && !auth()->user()->isAdmin()) {
+            $query->where('user_id', auth()->id());
+        }
+
+        return $query;
+    }
+
     public static function getPages(): array
     {
         return [

app/Filament/Resources/Pages/PageResource.php

@@ -13,6 +13,7 @@
 use Filament\Schemas\Schema;
 use Filament\Support\Icons\Heroicon;
 use Filament\Tables\Table;
+use Illuminate\Database\Eloquent\Builder;
 
 class PageResource extends Resource
 {
@@ -30,6 +31,18 @@ public static function table(Table $table): Table
         return PagesTable::configure($table);
     }
 
+    public static function getEloquentQuery(): Builder
+    {
+        $query = parent::getEloquentQuery();
+
+        // Non-admin users can only see their own pages
+        if (auth()->check() && !auth()->user()->isAdmin()) {
+            $query->where('user_id', auth()->id());
+        }
+
+        return $query;
+    }
+
     public static function getRelations(): array
     {
         return [

app/Models/Article.php

@@ -11,6 +11,7 @@
 class Article extends Model
 {
     protected $fillable = [
+        'user_id',
         'category_id',
         'title',
         'slug',
@@ -29,6 +30,11 @@ class Article extends Model
     protected static function booted(): void
     {
         static::creating(function (Article $article) {
+            // Auto-assign current user ID when creating
+            if (empty($article->user_id) && auth()->check()) {
+                $article->user_id = auth()->id();
+            }
+
             if (empty($article->slug)) {
                 $baseSlug = Str::slug($article->title);
                 $slug = $baseSlug;
@@ -52,6 +58,11 @@ public function category(): BelongsTo
         return $this->belongsTo(Category::class);
     }
 
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+
     public function views(): HasMany
     {
         return $this->hasMany(ArticleView::class);

app/Models/Media.php

@@ -0,0 +1,43 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+use Spatie\MediaLibrary\MediaCollections\Models\Media as BaseMedia;
+
+class Media extends BaseMedia
+{
+    protected $fillable = [
+        'user_id',
+        'model_type',
+        'model_id',
+        'uuid',
+        'collection_name',
+        'name',
+        'file_name',
+        'mime_type',
+        'disk',
+        'conversions_disk',
+        'size',
+        'manipulations',
+        'custom_properties',
+        'generated_conversions',
+        'responsive_images',
+        'order_column',
+    ];
+
+    protected static function booted(): void
+    {
+        static::creating(function (Media $media) {
+            // Auto-assign current user ID when creating
+            if (empty($media->user_id) && auth()->check()) {
+                $media->user_id = auth()->id();
+            }
+        });
+    }
+
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+}

app/Models/Page.php

@@ -11,6 +11,7 @@
 class Page extends Model
 {
     protected $fillable = [
+        'user_id',
         'parent_id',
         'title',
         'slug',
@@ -28,6 +29,11 @@ class Page extends Model
     protected static function booted(): void
     {
         static::creating(function (Page $page) {
+            // Auto-assign current user ID when creating
+            if (empty($page->user_id) && auth()->check()) {
+                $page->user_id = auth()->id();
+            }
+
             if (empty($page->slug)) {
                 $baseSlug = Str::slug($page->title);
                 $slug = $baseSlug;
@@ -54,6 +60,11 @@ public function parent(): BelongsTo
         return $this->belongsTo(Page::class, 'parent_id');
     }
 
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+
     public function children(): HasMany
     {
         return $this->hasMany(Page::class, 'parent_id')->orderBy('sort_order');

app/Models/User.php

@@ -7,6 +7,7 @@
 use Filament\Models\Contracts\FilamentUser;
 use Filament\Panel;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Foundation\Auth\User as Authenticatable;
 use Illuminate\Notifications\Notifiable;
 
@@ -73,4 +74,19 @@ public function isEditor(): bool
     {
         return $this->role === UserRole::Editor;
     }
+
+    public function articles(): HasMany
+    {
+        return $this->hasMany(Article::class);
+    }
+
+    public function pages(): HasMany
+    {
+        return $this->hasMany(Page::class);
+    }
+
+    public function media(): HasMany
+    {
+        return $this->hasMany(Media::class);
+    }
 }

app/Policies/ArticlePolicy.php

@@ -0,0 +1,67 @@
+<?php
+
+namespace App\Policies;
+
+use App\Models\Article;
+use App\Models\User;
+
+class ArticlePolicy
+{
+    /**
+     * Determine whether the user can view any models.
+     */
+    public function viewAny(User $user): bool
+    {
+        return true;
+    }
+
+    /**
+     * Determine whether the user can view the model.
+     */
+    public function view(User $user, Article $article): bool
+    {
+        return true;
+    }
+
+    /**
+     * Determine whether the user can create models.
+     */
+    public function create(User $user): bool
+    {
+        return $user->isAdmin() || $user->isEditor();
+    }
+
+    /**
+     * Determine whether the user can update the model.
+     */
+    public function update(User $user, Article $article): bool
+    {
+        // Admin can update anything, Editor can only update their own
+        return $user->isAdmin() || $article->user_id === $user->id;
+    }
+
+    /**
+     * Determine whether the user can delete the model.
+     */
+    public function delete(User $user, Article $article): bool
+    {
+        // Admin can delete anything, Editor can only delete their own
+        return $user->isAdmin() || $article->user_id === $user->id;
+    }
+
+    /**
+     * Determine whether the user can restore the model.
+     */
+    public function restore(User $user, Article $article): bool
+    {
+        return $user->isAdmin() || $article->user_id === $user->id;
+    }
+
+    /**
+     * Determine whether the user can permanently delete the model.
+     */
+    public function forceDelete(User $user, Article $article): bool
+    {
+        return $user->isAdmin();
+    }
+}

app/Policies/MediaPolicy.php

@@ -0,0 +1,67 @@
+<?php
+
+namespace App\Policies;
+
+use App\Models\Media;
+use App\Models\User;
+
+class MediaPolicy
+{
+    /**
+     * Determine whether the user can view any models.
+     */
+    public function viewAny(User $user): bool
+    {
+        return true;
+    }
+
+    /**
+     * Determine whether the user can view the model.
+     */
+    public function view(User $user, Media $media): bool
+    {
+        return true;
+    }
+
+    /**
+     * Determine whether the user can create models.
+     */
+    public function create(User $user): bool
+    {
+        return $user->isAdmin() || $user->isEditor();
+    }
+
+    /**
+     * Determine whether the user can update the model.
+     */
+    public function update(User $user, Media $media): bool
+    {
+        // Admin can update anything, Editor can only update their own
+        return $user->isAdmin() || $media->user_id === $user->id;
+    }
+
+    /**
+     * Determine whether the user can delete the model.
+     */
+    public function delete(User $user, Media $media): bool
+    {
+        // Admin can delete anything, Editor can only delete their own
+        return $user->isAdmin() || $media->user_id === $user->id;
+    }
+
+    /**
+     * Determine whether the user can restore the model.
+     */
+    public function restore(User $user, Media $media): bool
+    {
+        return $user->isAdmin() || $media->user_id === $user->id;
+    }
+
+    /**
+     * Determine whether the user can permanently delete the model.
+     */
+    public function forceDelete(User $user, Media $media): bool
+    {
+        return $user->isAdmin();
+    }
+}