27-05-2026 DHL Modul v2.1 / Optimierung tracking

app/Http/Controllers/ModalController.php

@@ -172,6 +172,7 @@ class ModalController extends Controller
             }
 
             if ($data['action'] === 'create-dhl-shipment') {
+                $this->authorizeDhlShipmentModal();
                 $id = $data['id'] ?? null;
                 $ret = $this->handleDhlShipmentModal($id, $data);
             }
@@ -202,6 +203,23 @@ class ModalController extends Controller
         return null;
     }
 
+    /**
+     * Ensure the current user is allowed to use the DHL shipment modal.
+     *
+     * The DHL cockpit is an admin-only tool. Without this guard a logged-in
+     * CRM user could call `POST /modal/load` with `action=create-dhl-shipment`
+     * and an arbitrary order id and would receive that order's recipient
+     * name, address, e-mail and existing shipments (IDOR).
+     */
+    private function authorizeDhlShipmentModal(): void
+    {
+        $user = \Auth::user();
+
+        if (! $user || ! method_exists($user, 'isAdmin') || ! $user->isAdmin()) {
+            abort(403, 'DHL shipment modal is only available for admin users.');
+        }
+    }
+
     /**
      * Handle DHL shipment modal preparation
      *