From 0fed553207383f384b93cba24d28122065fa67d5 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 25 Mar 2026 19:33:51 +0100
Subject: [PATCH] fix(settings): require instance admin authorization for updates page
---
 app/Livewire/Settings/Updates.php | 3 ++
 .../SettingsUpdatesAuthorizationTest.php | 41 +++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 tests/Feature/SettingsUpdatesAuthorizationTest.php
diff --git a/app/Livewire/Settings/Updates.php b/app/Livewire/Settings/Updates.php
index 01a67c38c..a200ef689 100644
--- a/app/Livewire/Settings/Updates.php
+++ b/app/Livewire/Settings/Updates.php
@@ -25,6 +25,9 @@ class Updates extends Component
 
 public function mount()
 {
+ if (! isInstanceAdmin()) {
+ return redirect()->route('dashboard');
+ }
 if (! isCloud()) {
 $this->server = Server::findOrFail(0);
 }
diff --git a/tests/Feature/SettingsUpdatesAuthorizationTest.php b/tests/Feature/SettingsUpdatesAuthorizationTest.php
new file mode 100644
index 000000000..5a062101a
--- /dev/null
+++ b/tests/Feature/SettingsUpdatesAuthorizationTest.php
@@ -0,0 +1,41 @@
+create();
+ $user = User::factory()->create();
+ $team->members()->attach($user->id, ['role' => 'member']);
+
+ $this->actingAs($user);
+ session(['currentTeam' => ['id' => $team->id]]);
+
+ Livewire::test(Updates::class)
+ ->assertRedirect(route('dashboard'));
+});
+
+test('instance admin can access settings updates page', function () {
+ $rootTeam = Team::find(0) ?? Team::factory()->create(['id' => 0]);
+ Server::factory()->create(['id' => 0, 'team_id' => $rootTeam->id]);
+ InstanceSettings::create(['id' => 0]);
+ Once::flush();
+
+ $user = User::factory()->create();
+ $rootTeam->members()->attach($user->id, ['role' => 'admin']);
+
+ $this->actingAs($user);
+ session(['currentTeam' => ['id' => $rootTeam->id]]);
+
+ Livewire::test(Updates::class)
+ ->assertOk()
+ ->assertNoRedirect();
+});
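Review bot: The new `isInstanceAdmin()` guard sits only in `mount()`, which Livewire runs on the initial render and not on later action calls against an already-mounted component. If `Updates` exposes save or update-check actions (the rest of the class is outside this hunk, so this is inferred), a component state issued while the user still held instance-admin rights would keep working after those rights are removed. Repeating the check in each action, or adding a `boot()` hook with `abort_unless(isInstanceAdmin(), 403);`, would enforce it on every request. A short comment above the guard, such as `// Instance-level settings: root-team admins only.`, would also record why a redirect rather than a 403 was chosen.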
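Review bot: The denied case only covers a user attached with `['role' => 'member']`, so the boundary this fix is about — an admin of an ordinary team who is not an instance admin — is not pinned by a test. A third case that attaches the user with `$team->members()->attach($user->id, ['role' => 'admin']);` to a non-root team and still expects `->assertRedirect(route('dashboard'))` would cover it. The tests also stop at `Livewire::test(Updates::class)` and never call an action on the component, so they say nothing about whether its methods are protected. The opening lines of the first test are not visible on this page, so its exact name and setup are inferred from the lines that remain.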