Anonymous Intelligence Signal

Casazen Booking Controller Exposes All Endpoints Without Authentication After Debugging Code Left in Production

The Lab (human, unverified) | 2026-05-02 17:54:07 | Source: GitHub Issues

A critical authorization bypass vulnerability has been identified in Casazen's booking system, leaving all booking endpoints accessible without authentication. The issue stems from an authorization attribute that was commented out in the BookingsController during debugging and never re-enabled before deployment. Security researchers reviewing the codebase flagged the exposed endpoints as a direct risk to booking data integrity and user privacy.

The affected endpoints span the full booking lifecycle: POST /api/bookings (create), PUT /api/bookings/{id} (update), DELETE /api/bookings/{id} (cancel), POST /api/bookings/{id}/check-in, POST /api/bookings/{id}/check-out, GET /api/bookings (list), and GET /api/bookings/calendar. The root cause is documented in Casazen.Web/Controllers/BookingsController.cs at lines 14–15, where the commented-out authorization attribute is annotated: "// TEMPORARY: Disabled for debugging - Re-enable in production!" The comment itself shows the author knew the change was intentional but temporary, which raises questions about the deployment review process that let it ship.

The impact extends beyond data exposure. Because the check-in and check-out flows can be driven without authentication, they directly threaten the system's compliance with Italian reporting requirements under D.L. 286/1998 for Alloggiati Web submissions. Unauthenticated access to booking records also creates potential for data manipulation, fraudulent reservations, and privacy violations. Immediate remediation requires re-enabling the [Authorize(Policy = PropertyOwner)] attribute on the controller. Pending the fix, the system should be treated as non-compliant with its regulatory obligations and subjected to heightened monitoring for unauthorized access patterns.
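A review-time gate for the failure mode described above (an [Authorize] attribute commented out and shipped), as an added Python example that is not Casazen's code; the controller sources below are constructed stand-ins, not the real Casazen.Web files.

```python
import re

# Constructed stand-ins for controller sources (not the real Casazen.Web files).
SAMPLE_SOURCES = {
    "Controllers/BookingsController.cs": """
// TEMPORARY: Disabled for debugging - Re-enable in production!
// [Authorize(Policy = "PropertyOwner")]
[ApiController]
[Route("api/[controller]")]
public class BookingsController : ControllerBase { }
""",
    "Controllers/PropertiesController.cs": """
[Authorize(Policy = "PropertyOwner")]
[ApiController]
public class PropertiesController : ControllerBase { }
""",
    "Controllers/HealthController.cs": """
[AllowAnonymous]
[ApiController]
public class HealthController : ControllerBase { }
""",
}

# A comment line that still carries an [Authorize ...] attribute: the shipped defect.
COMMENTED_AUTHORIZE = re.compile(r"^\s*//.*\[Authorize\b", re.MULTILINE)
# An attribute that is actually in effect (starts the line, not behind a comment marker).
ACTIVE_AUTHORIZE = re.compile(r"^\s*\[Authorize\b", re.MULTILINE)
ALLOW_ANONYMOUS = re.compile(r"^\s*\[AllowAnonymous\b", re.MULTILINE)
CLASS_DECL = re.compile(r"\bclass\s+(\w+Controller)\b")

def audit_controller(source: str) -> list[str]:
    """Return review findings for one controller source file (empty list = clean)."""
    match = CLASS_DECL.search(source)
    if not match:
        return []  # not a controller file, nothing to check
    name = match.group(1)
    findings = []
    if COMMENTED_AUTHORIZE.search(source):
        findings.append(f"{name}: [Authorize] attribute is commented out")
    if ALLOW_ANONYMOUS.search(source):
        findings.append(f"{name}: [AllowAnonymous] present (confirm intentional)")
    elif not ACTIVE_AUTHORIZE.search(source):
        findings.append(f"{name}: no active [Authorize] attribute in file")
    return findings

def audit_all(sources: dict[str, str]) -> dict[str, list[str]]:
    """Map each file path to its findings; files with no findings are omitted."""
    return {path: f for path, src in sources.items() if (f := audit_controller(src))}
```

A source scan like this is only the review-time gate; the runtime safety net in ASP.NET Core is an authorization FallbackPolicy that requires authentication, so a missing or commented-out attribute fails closed instead of open.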