Route checked even if middleware isn't passed

[LocalHeroPro]

• Laravel Version: 9.28.0
• PHP Version: 8.1.9
• Database Driver & Version:

Description:

Route is behind two middlewares and is POST. When try to GET route, without auth, route is reached even if production env is set enven behing policy. So we have braked three "firewalls" rules.

I think, if middlwares aren't passed and even policy, so we CAN'T reach route, behind those "firewalls".

Steps To Reproduce:

route

Route::middleware(['customOne', 'verified'])->group(function () {
    Route::get('custom-route', [AwesomeController::class, 'index'])->name('index')->middleware('can:viewAny,' . User::class);
});

In browser URL: https://example.com/costom-route

[driesvints]

Hi there,

Thanks for reporting but it looks like this is a question which can be asked on a support channel. Please only use this issue tracker for reporting bugs with the library itself. If you have a question on how to use functionality provided by this repo you can try one of the following channels:

• Laracasts Forums
• Laravel.io Forums
• StackOverflow
• Discord
• Larachat
• IRC

However, this issue will not be locked and everyone is still free to discuss solutions to your problem!

Thanks.

[LocalHeroPro]

It' security vulnerability. Closed faster as read.

[driesvints]

First of all, there isn't a vulnerability. Second, please don't post security vulnerabilities publicly and read our policy: https://github.com/laravel/framework/blob/9.x/.github/SECURITY.md