Let's make auto routes disable
#21

(03-25-2022, 09:10 PM)kenjis Wrote:
(03-25-2022, 08:08 PM)ChicagoPhil Wrote: My plan was to get the user status in the base controller constructor and then execute a permissions check in each method by default. That would avoid the pitfalls of using filters or auto routing?

Yes. If you protect the controller method directly, I mean if you ensure permissions are always checked,
you won't create this vulnerability of auto routing and filters.

If you check the permissions in the controller constructor, it always runs when the controller is created and it can't be bypassed.
The PHP language ensures it.

This vulnerability is created when a controller method is accessible in a way that a developer does not expect,
and there is a way to bypass a check, e.g. there is another route with no filters.

Another example is CSRF protection bypass.
The CSRF protection is also implemented as a controller filter, and it does not protect GET requests.
That is the specification of the CSRF protection.

And auto routes make all controller methods accessible with GET requests.
So if an attacker makes a visitor send a GET request to an important controller method,
the CSRF protection never protects.
But if you check the request method in the controller method, the CSRF attack never succeeds.
See https://codeigniter4.github.io/CodeIgnit...erequisite

That's helpful information right there. That might have slipped by me. I am getting a message that the getMethod method is deprecated but I just made up a method to run a check. Good deal!
Thanks again.
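The two checks kenjis describes (a permission check that runs every time the controller is created, and a request-method check inside the sensitive method so the CSRF filter's GET exemption cannot be abused through auto routing) are shown together below. This is an added example written for this page, not code from the thread or from CodeIgniter itself. It uses CI4's `initController()` hook, which is what the framework calls on every controller instantiation and is the place with access to `$this->request`; the session key `isAdmin`, the `ArticleModel` class and the `/articles` redirect target are hypothetical.

```php
<?php

namespace App\Controllers;

use CodeIgniter\Controller;
use CodeIgniter\Exceptions\PageNotFoundException;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use Psr\Log\LoggerInterface;

/**
 * Added example (not from the thread or from CodeIgniter): a controller
 * whose sensitive action protects itself, independent of routes and filters.
 * Assumptions (hypothetical): login state lives in the session key 'isAdmin'
 * and an ArticleModel with a delete() method exists.
 */
class ArticleController extends Controller
{
    /**
     * Runs every time the framework creates this controller, whether the
     * request arrived through an explicit route or an auto route, so no
     * method of this class is reachable without the check. This is the
     * "check when the controller is created" idea from the thread; the
     * constructor itself cannot see the request, initController() can.
     */
    public function initController(
        RequestInterface $request,
        ResponseInterface $response,
        LoggerInterface $logger
    ) {
        parent::initController($request, $response, $logger);

        if (session()->get('isAdmin') !== true) {
            // 404 rather than 403: do not confirm the controller exists.
            throw PageNotFoundException::forPageNotFound();
        }
    }

    /**
     * Destructive action. The CSRF filter only inspects state-changing
     * methods, so a GET reaching this method via auto routing would never be
     * checked by it. Refusing anything but POST here keeps the protection
     * inside the method instead of in routing or filter configuration.
     */
    public function delete(int $id): ResponseInterface
    {
        // getMethod() returned lowercase in 4.2 and uppercase in later
        // releases; normalising covers both (assumption about versions).
        if (strtoupper($this->request->getMethod()) !== 'POST') {
            return $this->response
                ->setStatusCode(405)
                ->setHeader('Allow', 'POST')
                ->setBody('Method Not Allowed');
        }

        model('ArticleModel')->delete($id); // hypothetical model

        return redirect()->to('/articles');
    }
}
```

As defence in depth, the same application would also disable auto routing in `app/Config/Routes.php` with `$routes->setAutoRoute(false);` and register the action as POST-only, e.g. `$routes->post('articles/delete/(:num)', 'ArticleController::delete/$1');`, so that a GET to `/articlecontroller/delete/1` is never routed at all. The in-method checks above still hold if someone later re-enables auto routing or adds a second route without filters, which is the failure mode the thread is about.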


Messages In This Thread
Let's make auto routes disable - by kenjis - 02-21-2022, 07:45 PM
RE: Let's make auto routes disable - by iRedds - 02-21-2022, 09:54 PM
RE: Let's make auto routes disable - by kenjis - 02-21-2022, 10:42 PM
RE: Let's make auto routes disable - by InsiteFX - 02-22-2022, 02:06 AM
RE: Let's make auto routes disable - by iRedds - 02-22-2022, 02:11 AM
RE: Let's make auto routes disable - by luckmoshy - 02-22-2022, 05:26 AM
RE: Let's make auto routes disable - by kilishan - 02-22-2022, 07:25 AM
RE: Let's make auto routes disable - by kenjis - 02-22-2022, 04:25 PM
RE: Let's make auto routes disable - by kilishan - 02-22-2022, 09:43 PM
RE: Let's make auto routes disable - by seunex - 02-22-2022, 11:26 PM
RE: Let's make auto routes disable - by kenjis - 02-26-2022, 03:04 AM
RE: Let's make auto routes disable - by luckmoshy - 02-26-2022, 03:36 AM
RE: Let's make auto routes disable - by kenjis - 03-01-2022, 06:02 PM
RE: Let's make auto routes disable - by InsiteFX - 03-02-2022, 01:41 AM
RE: Let's make auto routes disable - by kenjis - 03-25-2022, 04:15 AM
RE: Let's make auto routes disable - by sneakyimp - 02-08-2023, 06:50 PM
RE: Let's make auto routes disable - by kenjis - 03-25-2022, 04:44 PM
RE: Let's make auto routes disable - by kenjis - 03-25-2022, 09:10 PM
RE: Let's make auto routes disable - by ChicagoPhil - 03-26-2022, 12:16 AM
RE: Let's make auto routes disable - by kenjis - 03-26-2022, 02:52 AM
RE: Let's make auto routes disable - by kenjis - 03-30-2022, 07:20 PM
RE: Let's make auto routes disable - by kenjis - 02-08-2023, 06:58 PM