Menu item with dynamic route showed to user restricted by policies

almakano commented 3 years ago

Laravel version

7.30.4

PHP version

7.4.3

Voyager version

1.x-dev#110229618c035600fc55c2104bd629701d96c283

Database

Mysql 8.0.25

Description

Menu item with dynamic route "voyager.partners.manager_efficiency" is showed to user, which is restricted by policies

Steps to reproduce

User joined to role "Content"
Manually added permission "browse_partners_manager_efficiency" for admin role
Role "Content" has excluded any permissions of Controller "Partner"
in routes/web.php added named route "voyager.partners.manager_efficiency" to PartnerController@manager_efficiency
Added new menu item "Manager Efficiency" with dynamic route to "voyager.partners.manager_efficiency"

Expected behavior

tcg/voyager/src/Policies/MenuItemPolicy.php:33 $slug shoud parse full route of menu item and not only $model->link(true)

Screenshots

No response

Additional context

No response

almakano commented 3 years ago

I discovered, that $model->link(true) returns route($menu_item->route), which equal to "/admin/partners/manager_efficiency"
replacing "/admin" and "/" from the $slug, it equal to "partnersmanager_efficiency", which is absent in Voyager::model('DataTypes')
Also if $action.'_'.$slug (which is 'browse_partnersmanager_efficiency") is absent in Voyager::model('Permission') function checkPermission at tcg/voyager/src/Policies/MenuItemPolicy.php:51 returns true;

That is how I spent 2 days, discovering the required policy name to be "browse_partnersmanager_efficiency". Also, I discovered, that if route link has "-" in it, it should also be in policy name, like "browse_partners-statmanager_efficiency"

github-actions[bot] commented 1 year ago

This issue has been automatically locked since there has not been any recent activity after it was closed. If you have further questions please ask in our Slack group.

thedevdojo / voyager