Advisories for Composer/Shopper/Framework package

2026

shopper/framework: Authorization bypass in multiple Livewire admin components

Multiple Livewire components in the admin panel allowed an authenticated low-privilege user to mutate data without the required permission. The Filament actions on the order detail page (cancel, mark paid, mark complete, capture payment, archive, start processing) were callable with read_orders alone and did not require edit_orders; capturePayment could trigger a real capture at the payment service provider (PSP), so the impact was not limited to database state. The order shipments table actions (mark delivered, edit tracking) were callable with browse_orders alone. Sub-form Livewire components for products (Edit, Inventory, …
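The pattern behind this advisory, shown as an added illustration that is not shopper/framework code: a Livewire component whose page is gated on the read permission, but whose mutating action methods carry no check of their own. Every public method of a Livewire component is an endpoint the browser can call by name, so hiding the button (wire:if, Filament's ->visible()) does not protect the action; the server-side method must re-check the edit permission. The component, model, PSP client and ability registration below are hypothetical; only the permission names read_orders and edit_orders come from the advisory.

```php
<?php
// Added illustration for the advisory above, not code from shopper/framework.
// OrderDetail, App\Models\Order and App\Services\PaymentGateway are hypothetical names;
// 'read_orders' / 'edit_orders' are the permission names the advisory mentions and are
// assumed to be registered as Gate abilities (or spatie/laravel-permission permissions).
namespace App\Livewire\Admin;

use App\Models\Order;            // hypothetical Eloquent model
use App\Services\PaymentGateway; // hypothetical PSP client
use Illuminate\Auth\Access\AuthorizationException;
use Livewire\Component;

final class OrderDetail extends Component
{
    public Order $order;

    public function mount(Order $order): void
    {
        // Loading the page legitimately needs only the read permission. In the
        // vulnerable shape this was the ONLY gate in front of the actions below.
        abort_unless(auth()->user()?->can('read_orders') ?? false, 403);
        $this->order = $order;
    }

    // VULNERABLE PATTERN: a mutating action with no authorization of its own.
    // Livewire exposes every public method as a callable action, so a user holding
    // only read_orders can trigger it from the browser console with
    //   Livewire.find(id).call('capturePaymentUnchecked')
    // regardless of whether the button was rendered, and here that reaches the PSP.
    public function capturePaymentUnchecked(PaymentGateway $psp): void
    {
        $psp->capture($this->order->payment_reference);
        $this->order->update(['status' => 'paid']);
    }

    // HARDENED PATTERN: the action re-checks the edit permission on the server,
    // independently of how the view was rendered.
    public function capturePayment(PaymentGateway $psp): void
    {
        $this->authorizeEdit();
        $psp->capture($this->order->payment_reference);
        $this->order->update(['status' => 'paid']);
    }

    public function cancel(): void
    {
        $this->authorizeEdit();
        $this->order->update(['status' => 'cancelled']);
    }

    // Private methods are not reachable as Livewire actions, so this helper is not
    // itself an endpoint. A thrown AuthorizationException is rendered as HTTP 403.
    private function authorizeEdit(): void
    {
        if (! (auth()->user()?->can('edit_orders') ?? false)) {
            throw new AuthorizationException('edit_orders is required for this action.');
        }
    }
}
```

The regression check that catches this class of bug is a Livewire component test that acts as a user holding only read_orders and calls each mutating action directly, for example Livewire::actingAs($readOnlyUser)->test(OrderDetail::class, ['order' => $order])->call('capturePayment')->assertForbidden(), together with an assertion that the PSP client was never invoked. Asserting that the button is absent from the rendered HTML is not a substitute, because the endpoint exists whether or not the button does.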