0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: LOW

Location: src/Middleware/AdminMiddleware.php:29-41

Bug: Inconsistent redundant check; could become wrong if middleware order changes.

Fix: Stash validated user in request context from AuthMiddleware; reuse.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:58pm

Resolved.

AdminMiddleware now refuses access unless $_SESSION['_auth_validated_at'] is set — a cheap sentinel that AuthMiddleware writes on every successful validation pass. If someone ever rearranges the middleware order and AdminMiddleware runs without AuthMiddleware having validated the session first, admin access is denied rather than silently allowed based on a stale $_SESSION['user_id'].

Current route registrations put AuthMiddleware first, so there's no behavioural change in production — this is a defence-in-depth guard against future misconfig.

Locking this thread.
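An added example of the "validated sentinel" pattern the thread settles on; this is illustration code, not the thread's own patch or anything from the 6502ish.com code base. The `Middleware` interface, the array-shaped request, `UserRepo` and the attribute names are assumptions made for the example. It deliberately stores the sentinel in request context (the approach the original report's Fix line proposed) rather than in `$_SESSION`, for the reason explained after the block.

```php
<?php
declare(strict_types=1);

// Added illustration of the "validated sentinel" pattern from the thread;
// not code from 6502ish.com. The Middleware interface, the request array,
// UserRepo and the attribute names are assumptions for this example.

interface Middleware
{
    /** Return a response string, or call $next($request) to continue. */
    public function handle(array $request, callable $next): string;
}

/** Stand-in for the real user lookup (constructed sample data). */
final class UserRepo
{
    private const USERS = [
        1 => ['id' => 1, 'is_admin' => true,  'active' => true],
        2 => ['id' => 2, 'is_admin' => false, 'active' => true],
    ];

    public function find(int $id): ?array
    {
        return self::USERS[$id] ?? null;
    }
}

final class AuthMiddleware implements Middleware
{
    public function __construct(private UserRepo $repo) {}

    public function handle(array $request, callable $next): string
    {
        $id   = $_SESSION['user_id'] ?? null;
        $user = is_int($id) ? $this->repo->find($id) : null;
        if ($user === null || !$user['active']) {
            unset($_SESSION['user_id']);
            return '401 Unauthorized';
        }
        // Sentinel and validated record go into the REQUEST, not the session:
        // the request array starts empty on every request, so a later
        // middleware can only see them if this validation pass actually ran.
        $request['attributes']['auth_validated_at'] = time();
        $request['attributes']['user']              = $user;
        return $next($request);
    }
}

final class AdminMiddleware implements Middleware
{
    public function handle(array $request, callable $next): string
    {
        $attrs = $request['attributes'] ?? [];
        // Refuse unless AuthMiddleware validated this very request; never
        // fall back to a bare $_SESSION['user_id'].
        if (!isset($attrs['auth_validated_at'], $attrs['user'])) {
            return '403 Forbidden: session not validated on this request';
        }
        if ($attrs['user']['is_admin'] !== true) {
            return '403 Forbidden';
        }
        return $next($request);
    }
}

/** Chain $middlewares in the given order, ending at $handler. */
function runPipeline(array $middlewares, callable $handler, array $request): string
{
    $next = $handler;
    foreach (array_reverse($middlewares) as $mw) {
        // Arrow functions capture $mw and $next by value, so each wrapper
        // binds the middleware and continuation of its own iteration.
        $next = fn(array $req): string => $mw->handle($req, $next);
    }
    return $next($request);
}

// --- Demonstration (PHP CLI; $_SESSION is an ordinary array there) ---
$repo    = new UserRepo();
$handler = fn(array $req): string =>
    '200 admin panel for user ' . $req['attributes']['user']['id'];

// Correct registration order: Auth first, then Admin.
$_SESSION = ['user_id' => 1];
echo runPipeline([new AuthMiddleware($repo), new AdminMiddleware()], $handler, []), "\n";

// Misordered: Admin runs before Auth, so the request carries no sentinel
// and is refused even though $_SESSION['user_id'] points at an admin.
$_SESSION = ['user_id' => 1];
echo runPipeline([new AdminMiddleware(), new AuthMiddleware($repo)], $handler, []), "\n";

// Non-admin user with the correct order: authenticated but not authorised.
$_SESSION = ['user_id' => 2];
echo runPipeline([new AuthMiddleware($repo), new AdminMiddleware()], $handler, []), "\n";
```

Run it with `php sentinel.php`: the first pipeline reaches the handler, the misordered one is refused by AdminMiddleware, and the third is refused because user 2 is not an admin. The one design point worth weighing against the thread's `$_SESSION['_auth_validated_at']` key: anything written to `$_SESSION` survives into the next request, so an `isset()` check on a session key still passes on a later request where AuthMiddleware never ran, as long as it ran at least once before. Keeping the sentinel in request-scoped context avoids that entirely; if it must live in the session, the front controller has to clear it at the start of every request and logout has to destroy the session.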
