KABBOUCHI / nova-logs-tool

A Laravel Nova tool to manage and keep track of each one of your logs files.
MIT License

route is registered out of nova #9

Open yurii-github opened 5 years ago

yurii-github commented 5 years ago

You do not check if the current app is Nova or not; you always register routes like `nova-vendor/KABBOUCHI/logs-tool/log`.

You must use checks like nova:serving() etc.

Regards

mstaack commented 4 years ago

Yeah, this also adds a security risk, because routes are public... and download of logs is possible without any auth!

KABBOUCHI commented 4 years ago

@mstaack routes are under the Nova middleware; what risks are you talking about?

https://github.com/KABBOUCHI/nova-logs-tool/blob/7b59c497bac69ac33a438fa654d5c1a9c465d148/src/LogsToolServiceProvider.php#L45-L47

mstaack commented 4 years ago

I did a quick test and it seemed like downloading files is possible without Nova login.

mstaack commented 4 years ago

OK, just did this again, sorry for the misleading info. Seems to work once canDownload() is used on the tool.

KABBOUCHI commented 4 years ago

Yeah, you should not use true; you should check the user permission.

I'll modify the README file to prevent confusion.

mstaack commented 4 years ago

Yeah makes sense! Thanks for the readme updates.
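
The conclusion of the thread (do not return `true` from `canDownload()`, check the user's permission instead), shown as an added example that is not taken from the issue or the project's README. Assumptions: the tool class is `KABBOUCHI\LogsTool\LogsTool`, `canDownload()` accepts a closure that receives the current request, and the `download-logs` ability and `is_admin` attribute are hypothetical names.

```php
<?php

namespace App\Providers;

use Illuminate\Support\Facades\Gate;
use KABBOUCHI\LogsTool\LogsTool; // assumed class name for the tool
use Laravel\Nova\NovaApplicationServiceProvider;

class NovaServiceProvider extends NovaApplicationServiceProvider
{
    public function boot()
    {
        parent::boot();

        // Hypothetical ability: only administrators may download log files.
        // `is_admin` is an assumed attribute on the application's User model.
        Gate::define('download-logs', function ($user) {
            return (bool) $user->is_admin;
        });
    }

    public function tools()
    {
        return [
            // Weak setting discussed in the thread: the callback ignores the
            // user entirely, so the download permission is always granted.
            //
            //   (new LogsTool())->canDownload(function ($request) {
            //       return true;
            //   }),

            // Corrected setting: deny when there is no authenticated user,
            // otherwise defer to the Gate ability defined in boot().
            (new LogsTool())
                ->canDownload(function ($request) {
                    $user = $request->user();

                    return $user !== null && $user->can('download-logs');
                }),
        ];
    }
}
```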