Original issue -- #5739
I can't tell why this was designed like that, and the chances that after 6+ years it's safe to change it are not very high. Still, there's really no indication anywhere on the "Permission create" page that any Permission without http_path and http_method filled will give full access to any route and method.
It may be better to restrict empty values there (e.g., make http_path required) to prevent this.
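Added example, not part of the original issue and not the project's own code: a minimal model of the behaviour described above, where an unset `http_method` or `http_path` matches everything, next to a fail-closed matcher and the create-form validation the issue proposes. The `Permission` class, the function names, and the comma/newline field formats are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Permission:
    name: str
    http_method: str = ""  # assumed format: comma-separated, e.g. "GET,POST"
    http_path: str = ""    # assumed format: one pattern per line, e.g. "/users*"


def _methods(p):
    return [m.strip().upper() for m in p.http_method.split(",") if m.strip()]


def _paths(p):
    return [s.strip() for s in p.http_path.splitlines() if s.strip()]


def allows_fail_open(p, method, path):
    """Behaviour the issue describes: an unset field matches everything."""
    methods, paths = _methods(p), _paths(p)
    method_ok = not methods or method.upper() in methods
    path_ok = not paths or any(fnmatchcase(path, pat) for pat in paths)
    return method_ok and path_ok


def allows_fail_closed(p, method, path):
    """Hardened matcher: an unset field matches nothing."""
    methods, paths = _methods(p), _paths(p)
    return (method.upper() in methods
            and any(fnmatchcase(path, pat) for pat in paths))


def validate_permission(p):
    """Create-form check proposed in the issue: refuse empty values."""
    errors = []
    if not _paths(p):
        errors.append("http_path is required")
    if not _methods(p):
        errors.append("http_method is required")
    return errors
```

Running `validate_permission` over the permissions already stored is a quick way to audit for existing blank entries before tightening the form.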