security: 2026-06-11 稽核修補——封鎖 admin/register P0 漏洞、is_verified 業務約束、預約核心測試 #28
Reference in New Issue
Block a user
Delete Branch "fix/audit-remediation"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
摘要
依
docs/analysis/2026-06-11-spec-implementation-audit.md稽核報告執行四階段修補。變更內容
🔴 P0:封鎖公開 admin 註冊
POST /api/admin/register路由、AuthController::registerAdmin、對應 Swagger 文件php artisan app:create-admin(密碼門檻 min:8),管理員一律由主機端建立AdminAccountCreationTest4 案例防止端點被重新打開🟠 P1:is_verified 最小業務語意
DivingOffer::visibleToPublicscope:未驗證教練課程從公開列表排除、詳情 404;provider_idnull 不受限toggle-verified後 flushdiving_offers快取,切換立即生效provider-verification規格 +DivingOfferVisibilityTest7 案例🟠 P1:規格漂移
login-rate-limiting規格同步至實作值 10/min🟡 P2:預約核心測試(39 案例)
規格清理
auth-test-coveragePurpose、member-portal-uirepo 描述、admin-auth補端點測試
容器內
php artisan test:146 passed / 378 assertions 全綠。(本機 laragon PHP 缺 GD,CourseImageTest 需在容器內跑)
行為變更提醒
POST /api/admin/register的工具(如 Postman collection)需改用app:create-admin🤖 Generated with Claude Code