After this configuration, here are the actions that the user can do (but shouldn't ?):
![image](https://github.com/statamic/cms/assets/29105077/8e72ffc0-22a5-40fa-8f47-06ad98584e89)
- see the edit dropdown, even when it's empty
![image](https://github.com/statamic/cms/assets/29105077/4d0a442b-5913-4589-a51a-65008514ab71)
- see the "Add nav item" button and be able to add an item
- click on the nav item to edit it
- click on the 3 dots next to an item to remove it or add a child item to it
- reorder the items
- save the changes
### Logs
_No response_
### Environment
```yaml
Environment
Application Name: Statamic
Laravel Version: 10.11.0
URL: statamic-test.test
Maintenance Mode: OFF
Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED
Drivers
Broadcasting: log
Cache: statamic
Database: mysql
Logs: stack / single
Mail: smtp
Queue: sync
Session: file
Statamic
Addons: 0
Antlers: runtime
Stache Watcher: Enabled
Static Caching: Disabled
Version: 4.2.0 PRO
Installation
Fresh statamic/statamic site via CLI
Antlers Parser
runtime (new)
Additional details
Tested on a brand new Statamic CLI installation but also on a 3.x website.
Yeah, I can confirm this bug too. Also, overriding the CP Nav settings for the user group don't apply to the user, if only it's linked to a user group. The user needs to have a role assigned to it too.
Bug description
Users are still able to remove/edit navigation items, even when the "edit navigation" permission has not been given to their role.
How to reproduce
Installation
Fresh statamic/statamic site via CLI
Antlers Parser
runtime (new)
Additional details
Tested on a brand new Statamic CLI installation but also on a 3.x website.