Endpoints available for normal members

Stefan Warmerdam asked 3 weeks ago

The following endpoints are available for normal members, even if (if possible) the access is restricted from the role settings:


This may be a bug, or does it work as it should?

1 Answer
laraship Staff answered 3 weeks ago

Do you mean the endpoints for the dashboard widgets?

Stefan Warmerdam replied 3 weeks ago

I mean that when I go to those URLs as a member (not superuser) I am able to see this information. Shouldn't this be restricted to a superuser or a user with access only?

Could be made as intended, not sure what your intention is.

laraship Staff replied 3 weeks ago

Got it, we will add permissions to these URLs in our next release

Stefan Warmerdam replied 1 week ago

Reopening, found one more:

/subscriptions/subscriptions/create (this page works, submission does not, but the page should also not work for members that have no access)

/subscriptions/products (this page works, shouldn't work)

I suggest you take a look at all the subscriptions endpoints; there are more leaks in them.



You can test by visiting these endpoints with a user inside a role that has no permission to them.
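The member-role check described in this thread, written as a repeatable regression audit. This is an added example, not part of the thread or of Laraship's code: the `/login` redirect target, the submission path placeholder and the sample responses are assumptions constructed for illustration.

```python
from typing import Callable, List, NamedTuple, Tuple

class Response(NamedTuple):
    status: int
    location: str = ""  # value of the Location header, if any

LOGIN_PATH = "/login"  # assumption: where unauthorized users are redirected

# Paths quoted in the thread, plus a labelled placeholder for the form's
# submission target, which the thread does not name.
ROUTES = [
    ("GET", "/subscriptions/subscriptions/create"),
    ("POST", "/subscriptions/PLACEHOLDER-submit-target"),
    ("GET", "/subscriptions/products"),
]

def classify(resp: Response) -> str:
    """Map one response, fetched WITHOUT following redirects, to a verdict."""
    if resp.status in (401, 403):
        return "denied"
    if 300 <= resp.status < 400:
        # A followed redirect would end in a 200 login page and look "exposed".
        return "denied" if resp.location.endswith(LOGIN_PATH) else "review"
    if 200 <= resp.status < 300:
        return "exposed"  # page rendered for a role with no permission
    return "review"       # 404/5xx prove nothing about authorization

def audit(fetch: Callable[[str, str], Response],
          routes: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return every (method, path, verdict) the member was not cleanly denied."""
    findings = []
    for method, path in routes:
        verdict = classify(fetch(method, path))
        if verdict != "denied":
            findings.append((method, path, verdict))
    return findings

# Constructed responses mirroring the report: both pages render, only the
# submission is rejected. In real use, fetch wraps an HTTP client logged in
# as the member, e.g. requests with allow_redirects=False.
CONSTRUCTED = {
    ROUTES[0]: Response(200),
    ROUTES[1]: Response(403),
    ROUTES[2]: Response(200),
}

def constructed_member_fetch(method: str, path: str) -> Response:
    return CONSTRUCTED[(method, path)]

if __name__ == "__main__":
    for finding in audit(constructed_member_fetch, ROUTES):
        print(*finding)
```

Checking both the form page and its submission matters here because the report shows the two can disagree: the POST was rejected while the GET still rendered.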