Comments (3)
bezhanSalleh
commented on June 1, 2024
1
Hello,
I have configure a new role without "Role" permission and if i'm log in the account which don't have role permission i view the page and if i edit role and i'm delete "disabled" variable with source i can edit the role.
Screenshots:
Role (super admin account):
Role page (new account without permission):
Edit role (new account without permission):
seems like you haven't configured it properly
register_role_policy' => [ 'enabled' => false ]
set it to true to enforce the Role Policy
from filament-shield.
khanakia
commented on June 1, 2024
@bezhanSalleh There is one more big security bug. If i copy any request as CURL from Developer Tools and then update the token and send a request using Postman for the other user i can update, and delete any record so no policy is enforced.
from filament-shield.
bezhanSalleh
commented on June 1, 2024
@bezhanSalleh There is one more big security bug. If i copy any request as CURL from Developer Tools and then update the token and send a request using Postman for the other user i can update, and delete any record so no policy is enforced.
don't really know what kinda magic are ya trying to achieve here, but shield only generates stuff for filament and the policies only get enforced if it follows the policy guidelines as laravel has set forth. other than that you would need to register them in the AuthServiceProvider...
from filament-shield.
Related Issues (20)
- Error on composer update HOT 2
- How to transfer RoleResource.php in Clusters? HOT 5
- Install is not finding relations HOT 7
- Role CRUD accessibility is bypassed HOT 3
- Documentation Update for Laravel 11 - Custom folder structure for Models or Third-Party Plugins HOT 1
- Role Resource is accessible for everyone HOT 7
- Svg by name "filament-shield::filament-shield.nav.role.icon" from set "default" not found. HOT 1
- Model with two words has unexpected permission name HOT 1
- Error when editing / creating roles
- super_admin role generation
- Role Resource is accessible for everyone HOT 4
- Edit Role doesn't populate role name HOT 1
- cannot create or edit role HOT 1
- Error expect string but object given when editing role HOT 1
- When using github action to test, the project trait HasPanelShield try to assign role to user in step of php artisan key:generate HOT 1
- Generating all policies for a specific panel HOT 2
- Support Multitenancy HOT 2
- Error when creating/editing role HOT 1
- Error on create_permissions_table migration HOT 1
- 3rd party pages workaround suggestion
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from filament-shield.