This release closes a class of missing-authorization gaps in the admin panel where low-privilege users could invoke destructive Livewire actions directly, and adds Turkish translations.
Highlights
Authorization hardening across admin Livewire components
Several admin child components exposed destructive Filament actions without a server-side permission check, so an authenticated user holding only access_dashboard could invoke them directly over the Livewire endpoint and delete or mutate commerce-critical data. Every affected action now enforces its permission, and model ids submitted by the client are bound to the selected parent record instead of being trusted as-is:
- Settings zone, tax zone and carrier option deletion now require access_setting (carrier option lookups are scoped to the selected zone)
- Team admin deletion requires access_setting
- Variant stock mutation requires edit_product_variants
- Collection product removal (single and bulk) requires delete_collections
- Bulk enable/disable on brands, categories and suppliers requires edit_*; bulk delete and toggle on attributes and tags require delete_* / edit_*
- Product media update requires edit_products
This resolves the privately reported settings deletion bypass along with the related advisories GHSA-f7h9-qv4x-9x57, GHSA-2cg9-97gq-9mqp, GHSA-g3f9-g5vj-p62f, GHSA-243p-f3cv-c5wh, GHSA-j328-xmgp-j4q3 and GHSA-99h5-jhh7-v3r3.
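The following is an added illustration of the pattern these fixes apply, not code from this project or this release: a Livewire component with a Filament action that (a) checks the permission on the server inside the action closure, and (b) resolves the client-supplied id through the selected zone's relationship rather than looking it up globally. The component, the Zone and CarrierOption models, the carrierOptions() relationship and the Blade call are assumptions; the only name taken from the release notes is the access_setting permission, which this example assumes is registered as a gate ability (for instance by a permission package).

```php
<?php
// Added example, not the project's own code. Model names, the relationship
// and the component itself are hypothetical; 'access_setting' is the
// permission named in the release notes and is assumed to be a gate ability.

namespace App\Livewire\Admin;

use App\Models\CarrierOption; // hypothetical model
use App\Models\Zone;          // hypothetical model
use Filament\Actions\Action;
use Filament\Actions\Concerns\InteractsWithActions;
use Filament\Actions\Contracts\HasActions;
use Filament\Forms\Concerns\InteractsWithForms;
use Filament\Forms\Contracts\HasForms;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;

class ZoneCarrierOptions extends Component implements HasActions, HasForms
{
    use AuthorizesRequests;
    use InteractsWithActions;
    use InteractsWithForms;

    // The zone the admin is currently editing (hydrated by Livewire).
    public Zone $zone;

    // BEFORE (the unguarded shape the release notes describe): every Livewire
    // public method is callable from the client, so any authenticated user
    // who can reach the component could delete any carrier option by id.
    // Nothing checks a permission, and the id is not tied to $this->zone.
    public function deleteOptionUnguarded(int $optionId): void
    {
        CarrierOption::findOrFail($optionId)->delete();
    }

    // AFTER (hardened): the permission is enforced server-side inside the
    // action, and the id is resolved through the selected zone's relationship,
    // so an id belonging to another zone yields a 404 instead of a deletion.
    public function deleteOptionAction(): Action
    {
        return Action::make('deleteOption')
            ->requiresConfirmation()
            ->action(function (array $arguments): void {
                // Gate check; throws AuthorizationException (403) when the
                // current user lacks the ability.
                $this->authorize('access_setting');

                // Scope the lookup to the selected zone: the client-supplied
                // id is only honoured if it belongs to this zone.
                $this->zone->carrierOptions()
                    ->findOrFail((int) ($arguments['option'] ?? 0))
                    ->delete();
            });
    }

    public function render()
    {
        return view('livewire.admin.zone-carrier-options'); // hypothetical view
    }
}
```

In the Blade view the action would be rendered per row as `{{ ($this->deleteOptionAction)(['option' => $option->id]) }}`, and the check to keep in review is that both guards live inside the server-side closure: hiding the button in the template or checking the permission only when rendering does nothing, because the Livewire endpoint accepts the call regardless of what was rendered.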
Turkish translations
The admin panel and core strings are now available in Turkish.
Security
- fix(admin): enforce authorization on unguarded settings and bulk actions by @mckenziearts in #570
New Features
- feat: add Turkish language translations by @yellow-three in #568
Contributors
Full Changelog: v2.9.1...v2.9.2