z-song / laravel-admin

Build a full-featured administrative interface in ten minutes
https://laravel-admin.org
MIT License

Permission with empty HTTP path matches all routes #5739

Open anxgstadler opened 1 year ago

anxgstadler commented 1 year ago

I have a permission that is not restricted to any path. It merely exists so I can check in the code at different places if a user has this permission or not. Therefore, I have left the field "HTTP path" empty.

The result is that every user who has this permission also has access to every other path - even things like /admin/auth/users or /admin/auth/roles!

It seems that an empty HTTP path always matches any given path.

This is at least a grave design error, if not a major security risk.

axsweet commented 1 year ago

Use route groups.

On Mon, Mar 20, 2023 at 7:01 AM anxgstadler wrote:

anxgstadler commented 1 year ago

I might not be experienced enough in Laravel to see how your reply solves my issue?

I'm talking solely about Laravel Admin itself. When you create a new permission, leave the HTTP path empty, and give the permission to a role that is otherwise fairly restricted, users with this role then get access to each and every page.

alexoleynik0 commented 1 year ago

Hi. I think you're right, that is weird behavior, especially as it's neither marked nor explained anywhere in the docs or in the code. You can see in my PR that this was intended to be like that. Probably, custom Permissions - like the ones you're using - were not considered to be in there. I have almost no hope that it will be fixed or explained to us, so the only solutions I can recommend to you are to set HTTP Path to something like "/" (assuming it's a commonly open route) or some "/fake-route" that does not exist.

anxgstadler commented 1 year ago

Yes, I went with the "fake route" solution in the meantime.

Thanks for the PR! :-)
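As an added example (not laravel-admin's own code), a small PHP 8 sketch of the matching rule the issue describes, a hardened variant in which an empty HTTP path grants no route, and an audit that flags the rows alexoleynik0's workaround is meant to avoid; it assumes the documented http_path format (one entry per line, optional "METHOD[,METHOD]:" prefix, `*` wildcard) and an `admin` route prefix.

```php
<?php
// Added illustration, not laravel-admin's own code: the permission-covers-request
// rule as the issue describes it beside a hardened variant, plus an audit for the
// dangerous rows. Assumed http_path format: one entry per line, optional
// "METHOD[,METHOD]:" prefix, "*" wildcard; the admin route prefix is assumed.
declare(strict_types=1);
const ADMIN_PREFIX = 'admin';

function entryMatches(string $entry, string $method, string $path): bool
{
    $methods = [];
    if (str_contains($entry, ':')) {
        [$m, $entry] = explode(':', $entry, 2);
        $methods = array_map('strtoupper', explode(',', $m));
    }
    if ($methods !== [] && !in_array(strtoupper($method), $methods, true)) {
        return false;
    }
    $pattern = '/' . ADMIN_PREFIX . '/' . ltrim(trim($entry), '/');
    $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '$#';
    return preg_match($regex, '/' . trim($path, '/')) === 1;
}
// Behaviour reported in the issue: an empty HTTP path passes every request.
function passesReported(string $httpPath, string $method, string $path): bool
{
    if (trim($httpPath) === '') {
        return true; // a "code-only" permission silently covers all routes
    }
    foreach (preg_split('/\R/', $httpPath) as $entry) {
        if (trim($entry) !== '' && entryMatches($entry, $method, $path)) {
            return true;
        }
    }
    return false;
}
// Hardened variant: an empty HTTP path grants no route; the permission stays usable in code.
function passesHardened(string $httpPath, string $method, string $path): bool
{
    return trim($httpPath) !== '' && passesReported($httpPath, $method, $path);
}
// Audit: permissions whose empty http_path currently acts as a wildcard.
function emptyPathPermissions(array $rows): array
{
    return array_values(array_filter($rows, fn ($r) => trim($r['http_path'] ?? '') === ''));
}
// Constructed sample rows, shaped like admin_permissions records.
$rows = [['slug' => 'reports', 'http_path' => 'GET:/reports/*'],
         ['slug' => 'can-export', 'http_path' => '']];
var_dump(passesReported('', 'GET', '/admin/auth/users'), passesHardened('', 'GET', '/admin/auth/users'),
         passesHardened('GET:/reports/*', 'POST', '/admin/reports/1'));
print_r(array_column(emptyPathPermissions($rows), 'slug'));
```

Running the audit against the real admin_permissions table (rather than the constructed rows) is the quickest way to find roles that were unintentionally widened by an empty path.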