Patrick Bass Area: mobieusHelp (audit p7) · Surface: platform/src/Models/Helpdesk/HelpdeskSettings.php · Dimension: dead-code · Severity: major
The 'requester_verification_required' setting is editable and saved from the helpdesk admin settings UI, but no code path ever reads requesterVerificationRequired() to decide whether to require email verification. Portal ticket submission always issues and consumes a verification token regardless of this toggle. The admin control therefore does nothing — toggling it off does not disable requester verification. This is worse than plain dead code: it presents a configurable option that silently has no effect.
Evidence
Accessor at platform/src/Models/Helpdesk/HelpdeskSettings.php:50 `public static function requesterVerificationRequired(): bool { return (bool) (self::get()['requester_verification_required'] ?? 1); }`. The column is in DEFAULTS (line 36) and the update() allow-list (line 68/78) so the admin Settings page can toggle it. But grep for any consumer of the accessor: `grep -rn "requesterVerificationRequired" /home/patrick/mobieus-io --include='*.php' | grep -v "function requesterVerificationRequired"` => 0. Portal verification is instead always performed unconditionally: PortalController.php:182 calls PortalVerification::issueAndSend(...) and PortalController.php:195 PortalVerification::consume(...) with no requesterVerificationRequired() gate.Suggested fix. Gate the PortalController verification flow on HelpdeskSettings::requesterVerificationRequired() (skip issueAndSend/consume when false, e.g. allow anonymous-but-unverified submission), OR remove both the accessor and the 'requester_verification_required' setting column + admin toggle so operators are not misled into thinking it is enforced. Verify the intended behavior before choosing.
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus
