GHSA-f946-9qp6-vgch: shopper/framework: Authorization bypass in multiple Livewire admin components

Multiple Livewire components in the admin panel allowed an authenticated low-privilege user to mutate data without the required permission:

• Order detail Filament actions (cancel, mark paid, mark complete, capture payment, archive, start processing) were callable with read_orders only and did not require edit_orders. capturePayment could trigger an actual PSP capture.
• Order shipments table actions (mark delivered, edit tracking) were callable with browse_orders only.
• Sub-form Livewire components for products (Edit, Inventory, Seo, Shipping, Files) had no authorization on store(), so any authenticated panel user could mutate product data without edit_products.
• Settings/Team/Index had no mount() authorization at all — any authenticated user could create roles and delete other users.
• Settings/Team/RolePermission gated its write actions on the read-only view_users permission, allowing privilege escalation via the RBAC system itself.
• PaymentMethods, Currencies, Carriers table toggles and per-record actions had no per-action permission check.
• Customers/Create::store() re-passed a Hidden _password form field into the create payload.

Several public Eloquent model properties on Livewire components were not #[Locked], allowing client-side ID tampering.

A stored XSS surface existed on the product barcode field, which is rendered through DNS1DFacade::getBarcodeHTML() with {!! !!}.