From 9804c2c3df5de7ac68a203b65de8d9eaaa1b76d1 Mon Sep 17 00:00:00 2001
From: Alex Oleynik
Date: Wed, 22 Mar 2023 03:01:32 +0200
Subject: [PATCH 1/2] fix: empty http path and method in permission allows any route, with test case;

---
 src/Auth/Database/Permission.php | 2 +-
 tests/PermissionsTest.php | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/Auth/Database/Permission.php b/src/Auth/Database/Permission.php
index e22ad41a29..3d8bb65848 100644
--- a/src/Auth/Database/Permission.php
+++ b/src/Auth/Database/Permission.php
@@ -64,7 +64,7 @@ public function roles(): BelongsToMany
 public function shouldPassThrough(Request $request): bool
 {
 if (empty($this->http_method) && empty($this->http_path)) {
- return true;
+ return false;
 }
 
 $method = $this->http_method;
diff --git a/tests/PermissionsTest.php b/tests/PermissionsTest.php
index 2e7235ff06..247f6874d3 100644
--- a/tests/PermissionsTest.php
+++ b/tests/PermissionsTest.php
@@ -3,6 +3,7 @@
 use Encore\Admin\Auth\Database\Administrator;
 use Encore\Admin\Auth\Database\Permission;
 use Encore\Admin\Auth\Database\Role;
+use Illuminate\Http\Request;
 
 class PermissionsTest extends TestCase
 {
@@ -194,6 +195,21 @@ public function testPermissionThroughRole()
 $this->assertTrue(Administrator::find(2)->can('can-remove'));
 }
 
+ public function testPermissionWithoutHttpMethodAndHttpPath()
+ {
+ // 1.add a permission without http_path and http_method
+ $permission = Permission::create([
+ 'slug' => 'not-http-based-permission',
+ 'name' => 'Not http based permission',
+ 'http_path' => '',
+ 'http_method' => [''],
+ ]);
+
+ // 2.check that this permissions does not pass through protected routes (as it is checked in the Permission middleware)
+ $request = Request::create('admin/auth/permissions');
+ $this->assertFalse($permission->shouldPassThrough($request));
+ }
+
 public function testEditPermission()
 {
 $this->visit('admin/auth/permissions/create')
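Review bot: The guard in shouldPassThrough now fails closed only when both http_method and http_path are empty; because the condition is `&&`, a permission with an empty path but a non-empty method (or the reverse) still falls through to the matching logic below, which continues outside the hunk and is not touched here, so whether such half-configured permissions can still match every route is worth confirming. `empty()` is also a truthiness check, so a path of `'0'` would count as unset. Since this branch is an authorization decision, the intent deserves a comment at the guard, e.g. `// No method and no path means the permission restricts nothing; fail closed rather than granting every route.`.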
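Review bot: The new test stores `'http_method' => ['']`, which `empty()` does not treat as empty (it is a one-element array), so unless the model normalises that value on write — not visible in this hunk — the test exercises the matching code after the guard rather than the changed `return false` line. Adding a second assertion with `'http_method' => []` and `'http_path' => ''` would pin the guard directly. The step comment also reads `this permissions does not pass`; `this permission does not pass` is meant.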
From 59e4176753cb26aab45ebd3f4e3a501c57e771f8 Mon Sep 17 00:00:00 2001
From: Alex Oleynik
Date: Wed, 22 Mar 2023 03:13:54 +0200
Subject: [PATCH 2/2] chore: StyleCI fix;

---
 tests/PermissionsTest.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/PermissionsTest.php b/tests/PermissionsTest.php
index 247f6874d3..cef47f0723 100644
--- a/tests/PermissionsTest.php
+++ b/tests/PermissionsTest.php
@@ -199,9 +199,9 @@ public function testPermissionWithoutHttpMethodAndHttpPath()
 {
 // 1.add a permission without http_path and http_method
 $permission = Permission::create([
- 'slug' => 'not-http-based-permission',
- 'name' => 'Not http based permission',
- 'http_path' => '',
+ 'slug' => 'not-http-based-permission',
+ 'name' => 'Not http based permission',
+ 'http_path' => '',
 'http_method' => [''],
 ]);