Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Permission with empty HTTP path matches all routes #5739

Open
anxgstadler opened this issue Mar 20, 2023 · 4 comments · May be fixed by #5741
Open

Permission with empty HTTP path matches all routes #5739

anxgstadler opened this issue Mar 20, 2023 · 4 comments · May be fixed by #5741

Comments

@anxgstadler
Copy link

I have a permission that is not restricted to any path. It merely exists so I can check in the code at different places if a user has this permission or not. Therefore, I have left the field "HTTP path" empty.

The result is that every user who has this permission, also has access to every other path - even things like /admin/auth/users or /admin/auth/roles!

It seems that an empty HTTP path always matches any given path.

This is at least a grave design error, if not a major security risk.
@anxgstadler anxgstadler changed the title Permission with empty HTTP path grants all permissions Permission with empty HTTP path matches all routes Mar 20, 2023
@axsweet
Copy link

axsweet commented Mar 21, 2023 via email

@anxgstadler
Copy link
Author

anxgstadler commented Mar 21, 2023
edited
Loading

I might not be experienced enough in Laravel to see how your reply solves my issue?

I'm talking solely about Laravel Admin itself. When you create a new permission, leave the HTTP path empty, and give the permission to a role that is otherwise farily restricted, users with this role then get access to each and ever page.

@alexoleynik0 alexoleynik0 linked a pull request Mar 22, 2023 that will close this issue
Open
@alexoleynik0
Copy link

Hi. I think you're right, that is weird behavior, especially as it's not marked nor explained anywhere in the docs or in the code.
You can see in my PR that this was intended to be like that. Probably, custom Permissions - like ones you're using - were not considered to be in there.
I have almost no hope that it will be fixed or explained to us, so the only solutions I can recommend to you is to set HTTP Path to something like "/" (assuming it's commonly open route) or some "/fake-route" that does not exist.

@anxgstadler
Copy link
Author

Yes, I went with the "fake route" solution in the meantime.

Thanks for the PR! :-)

@alexoleynik0 alexoleynik0 linked a pull request Mar 22, 2023 that will close this issue
fix: empty http path and method in permission allows any route open; #5741
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: empty http path and method in permission allows any route open; alexoleynik0/laravel-admin
3 participants
@axsweet @alexoleynik0 @anxgstadler