Patrick Bass Area: Cross-cutting infra (audit p14) · Surface: legal/missing.php (rendered by PageController::renderLegalPage fallback) · Dimension: ui-law · Severity: minor
Engineering Law 6 says users should never see internal paths like admin routes. The legal fallback page tells a public visitor to go configure the page at /admin/legal — a path they cannot reach and should not see. It is currently shielded by the static-template fallbacks, but it is a public-facing template that hardcodes an admin path with no role check, so it is a latent Law-6 leak.
Evidence
platform/templates/legal/missing.php:10-11 — `This page hasn't been configured yet. A super admin can populate it via <code>/admin/legal</code>.` This template is rendered by PageController::renderLegalPage() (src/Controllers/PageController.php:102-106) as the final fallback when a legal slug has neither a DB row NOR a static template. It is a PUBLIC route (e.g. /terms, /privacy) with no role gate, so any anonymous visitor who hit it would be shown an internal admin URL. Currently latent: all four standard slugs ship static fallbacks (terms.php/privacy.php/community-guidelines.php/marketplace-rules.php all exist on disk), so line 94's is_file() branch wins and missing.php is not reached today — but it becomes live the moment any static fallback is removed or a new ungated legal slug is added.Suggested fix. Make missing.php show a neutral public message ('This page hasn't been published yet. Please check back soon.') and move any admin guidance behind an `isSuperAdmin` check (the way site-pages/about.php gates its Edit button), so non-admins never see /admin/legal.
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus
