z-song · alexoleynik0 · Mar 22, 2023 · Mar 22, 2023
diff --git a/src/Auth/Database/Permission.php b/src/Auth/Database/Permission.php
@@ -64,7 +64,7 @@ public function roles(): BelongsToMany
     public function shouldPassThrough(Request $request): bool
     {
         if (empty($this->http_method) && empty($this->http_path)) {
-            return true;
+            return false;
         }
 
         $method = $this->http_method;

diff --git a/tests/PermissionsTest.php b/tests/PermissionsTest.php
@@ -3,6 +3,7 @@
 use Encore\Admin\Auth\Database\Administrator;
 use Encore\Admin\Auth\Database\Permission;
 use Encore\Admin\Auth\Database\Role;
+use Illuminate\Http\Request;
 
 class PermissionsTest extends TestCase
 {
@@ -194,6 +195,21 @@ public function testPermissionThroughRole()
         $this->assertTrue(Administrator::find(2)->can('can-remove'));
     }
 
+    public function testPermissionWithoutHttpMethodAndHttpPath()
+    {
+        //  1.add a permission without http_path and http_method
+        $permission = Permission::create([
+            'slug'        => 'not-http-based-permission',
+            'name'        => 'Not http based permission',
+            'http_path'   => '',
+            'http_method' => [''],
+        ]);
+
+        // 2.check that this permissions does not pass through protected routes (as it is checked in the Permission middleware)
+        $request = Request::create('admin/auth/permissions');
+        $this->assertFalse($permission->shouldPassThrough($request));
+    }
+
     public function testEditPermission()
     {
         $this->visit('admin/auth/permissions/create')