Anonymous Intelligence Signal

Authorization Bypass Vulnerability Exposes Property Management Endpoints in Casazen API

The Vault (unverified), 2026-05-02 17:54:08. Source: GitHub Issues

A critical security misconfiguration has rendered all core property management endpoints inoperative while simultaneously exposing the system to unauthorized access. Developers on the Casazen platform discovered that authorization checks have been disabled across six distinct API routes handling property creation, updates, deletions, and image management. The vulnerability stems from commented-out authentication middleware in the PropertiesController, with a developer note indicating the disablement was intended only for debugging purposes.

The affected endpoints include POST /api/properties, PUT /api/properties/{id}, DELETE /api/properties/{id}, POST /api/properties/{id}/images, DELETE /api/properties/{id}/images/{index}, and PUT /api/properties/{id}/images/order. The root cause traces to lines 10-11 in Casazen.Web/Controllers/PropertiesController.cs, where the [Authorize(Policy = PropertyOwner)] attribute was disabled with a temporary debugging note. This misconfiguration causes the endpoints to return 400 Bad Request errors for legitimate users attempting to manage their properties, while leaving the routes accessible without credentials to any party capable of reaching the API.
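The report describes a class-level `[Authorize(Policy = PropertyOwner)]` attribute that was commented out. The following is an added example of how such a policy is wired in ASP.NET Core so that the attribute, its registration and the owner check cannot drift apart; it is illustrative code written here, not Casazen's own. The names `Policies`, `PropertyOwnerRequirement`, `PropertyOwnerHandler`, `IPropertyRepository`, `Property.OwnerId` and the `Jwt:Authority`/`Jwt:Audience` configuration keys are assumptions; the six routes are the ones listed above, with placeholder action bodies.

```csharp
// Added example, not Casazen's code. Assumes the ASP.NET Core Web SDK implicit usings
// (System, System.Threading.Tasks, Microsoft.AspNetCore.Http, DependencyInjection,
// Configuration) and the Microsoft.AspNetCore.Authentication.JwtBearer package.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;

namespace Casazen.Web.Security;

// Policy name as a constant: the attribute in the report reads Policy = PropertyOwner
// without quotes, which is exactly what a constant like this gives you. (assumed name)
public static class Policies
{
    public const string PropertyOwner = "PropertyOwner";
}

public sealed class PropertyOwnerRequirement : IAuthorizationRequirement { }

public interface IPropertyRepository            // assumed abstraction over the data store
{
    Task<Property?> FindAsync(Guid id);
}

public sealed record Property(Guid Id, string OwnerId);   // assumed shape

// Succeeds only when the caller is authenticated and, on routes that carry {id},
// owns that property. Because this runs before the action body, a missing token
// produces 401 (JWT challenge) and a foreign owner 403, never 400 or 2xx.
public sealed class PropertyOwnerHandler : AuthorizationHandler<PropertyOwnerRequirement>
{
    private readonly IPropertyRepository _properties;
    public PropertyOwnerHandler(IPropertyRepository properties) => _properties = properties;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PropertyOwnerRequirement requirement)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId is null) return;                         // not authenticated: fail closed

        // With endpoint routing the resource is the HttpContext (assumption: .NET 6+).
        if (context.Resource is not HttpContext http) return;

        var rawId = http.GetRouteValue("id")?.ToString();
        if (rawId is null)                                  // POST /api/properties has no {id}
        {
            context.Succeed(requirement);                   // any authenticated user may create
            return;
        }

        if (!Guid.TryParse(rawId, out var id)) return;      // malformed id: fail closed
        var property = await _properties.FindAsync(id);
        if (property is not null && property.OwnerId == userId)
            context.Succeed(requirement);
    }
}

// Program.cs wiring. Assumed configuration keys: Jwt:Authority, Jwt:Audience.
public static class AuthSetup
{
    public static IServiceCollection AddCasazenAuth(this IServiceCollection services, IConfiguration config)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o =>
            {
                o.Authority = config["Jwt:Authority"];
                o.Audience = config["Jwt:Audience"];
            });
        services.AddAuthorization(o => o.AddPolicy(Policies.PropertyOwner, p => p
            .RequireAuthenticatedUser()
            .AddRequirements(new PropertyOwnerRequirement())));
        services.AddScoped<IAuthorizationHandler, PropertyOwnerHandler>();
        return services;
    }
}

// The attribute restored at class level: every action inherits it, so a new
// mutating route cannot be added without authorization by accident.
[ApiController]
[Route("api/properties")]
[Authorize(Policy = Policies.PropertyOwner)]
public sealed class PropertiesController : ControllerBase
{
    // Action bodies are placeholders; only the authorization wiring is the point here.
    [HttpPost]
    public IActionResult Create([FromBody] Property body) => Created($"/api/properties/{body.Id}", body);

    [HttpPut("{id:guid}")]
    public IActionResult Update(Guid id, [FromBody] Property body) => NoContent();

    [HttpDelete("{id:guid}")]
    public IActionResult Delete(Guid id) => NoContent();

    [HttpPost("{id:guid}/images")]
    public IActionResult AddImage(Guid id) => NoContent();

    [HttpDelete("{id:guid}/images/{index:int}")]
    public IActionResult RemoveImage(Guid id, int index) => NoContent();

    [HttpPut("{id:guid}/images/order")]
    public IActionResult ReorderImages(Guid id, [FromBody] int[] order) => NoContent();
}
```

In `Program.cs` the pieces are used as `builder.Services.AddCasazenAuth(builder.Configuration);` followed by `app.UseAuthentication(); app.UseAuthorization();` before `app.MapControllers();`. The handler fails closed on every path except a confirmed owner match, so "disabling auth for debugging" would require deleting the attribute and the policy registration rather than commenting out a single line.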

The dual impact presents an immediate operational and security crisis. Users are locked out of property creation and management functionality, halting core platform operations. More critically, the exposed endpoints create a vector for unauthorized property manipulation, data integrity compromise, and potential abuse. The issue requires urgent re-enablement of the [Authorize] attribute and verification that the frontend application sends a valid JWT in the Authorization header of every property request. Until remediation is confirmed, all property-related transactions should be considered untrusted and potentially compromised.
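Re-enabling the attribute fixes the issue once; what keeps it fixed is a test that fails the build if the attribute is commented out again. The block below is an added example of such a regression test, written here rather than taken from Casazen's repository. It assumes the Microsoft.AspNetCore.Mvc.Testing and xUnit packages and that the application's `Program` type is visible to the test project (for example via `public partial class Program {}` in Casazen.Web); the property id and image index in the routes are constructed sample values.

```csharp
// Added example, not Casazen's code. Assumes Microsoft.AspNetCore.Mvc.Testing, xUnit,
// and a visible `Program` type; route values are constructed samples.
using System.Net;
using System.Net.Http.Json;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

namespace Casazen.Web.Tests;

public sealed class PropertiesAuthorizationTests : IClassFixture<WebApplicationFactory<Program>>
{
    private readonly HttpClient _client;

    public PropertiesAuthorizationTests(WebApplicationFactory<Program> factory)
        => _client = factory.CreateClient();

    // The six routes named in the report. {id} and {index} are constructed sample values.
    public static IEnumerable<object[]> ProtectedRoutes()
    {
        var id = Guid.Parse("00000000-0000-0000-0000-000000000001");
        yield return new object[] { HttpMethod.Post,   "/api/properties" };
        yield return new object[] { HttpMethod.Put,    $"/api/properties/{id}" };
        yield return new object[] { HttpMethod.Delete, $"/api/properties/{id}" };
        yield return new object[] { HttpMethod.Post,   $"/api/properties/{id}/images" };
        yield return new object[] { HttpMethod.Delete, $"/api/properties/{id}/images/0" };
        yield return new object[] { HttpMethod.Put,    $"/api/properties/{id}/images/order" };
    }

    [Theory]
    [MemberData(nameof(ProtectedRoutes))]
    public async Task Anonymous_request_is_challenged_not_processed(HttpMethod method, string path)
    {
        // No Authorization header at all. The authorization filter runs before model
        // binding, so the correct answer is 401: not the 400 described in the report,
        // and never a 2xx that would mean the route accepted an unauthenticated write.
        using var request = new HttpRequestMessage(method, path)
        {
            Content = JsonContent.Create(new { })
        };

        var response = await _client.SendAsync(request);

        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
        Assert.True(response.Headers.WwwAuthenticate.Count > 0,
            "a challenge should name the bearer scheme the frontend must use");
    }
}
```

Run with `dotnet test`; a commented-out `[Authorize]` turns every one of the six cases red at once, which is a far cheaper signal than the 400-for-users, 2xx-for-anyone behaviour the report describes. Operationally, a sudden drop in 401/403 responses on these routes after a deploy is the same regression seen from the monitoring side.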