## Laravel Code Review – UserController@store ### 1. Severity-Ranked Findings CRITICAL – Mass Assignment Vulnerability User::create($request->all()) passes all request data unfiltered to the model. An attacker can set fields like role, is_admin, or email_verified_at by adding them to the request payload. Fix: Use a Form Request with explicit validation rules, then pass only validated data via $request->validated(). HIGH – Synchronous Email Blocks the Request Mail::to(...)->send(...) runs in the request lifecycle. If SMTP is slow or down, the user waits or gets a 500. Fix: Queue the mail via Mail::to(...)->queue(...). Transforms 2-5s requests into <100ms responses. MEDIUM – No Validation Visible No FormRequest, no validation in the method. Email format, password rules, uniqueness — all missing or implicit. Fix: Create StoreUserRequest with rules() covering all fields. MEDIUM – Hardcoded Redirect redirect('/dashboard') ignores intended URLs. Use redirect()->intended('/dashboard') for better UX. LOW – Missing Return Type Add : RedirectResponse for clarity and IDE support. ### 2. Laravel-Specific Checks - Mass assignment protection: bypassed - Validation: missing - Queue usage: not used for mail - Authorization: no Policy/Gate check - Rate limiting: no throttle middleware ### 3. Refactoring Suggestion Before: Controller handles validation, creation, mailing, and redirect inline. After: Extract to a UserRegistrationService. Controller becomes thin: receives StoreUserRequest, delegates to service, redirects. Rationale: Service is testable in isolation, controller is one job, future channels plug into the service. ### 4. Positive Observations - Method is short and readable - Uses Mail facade correctly with typed Mailable