route is registered out of nova

[yurii-github]

you do not check if current app is nova or not, you always register routes like
nova-vendor/KABBOUCHI/logs-tool/log

you must use checks like nova:serving() etc

regards

[mstaack]

yeah this also adds a security risk! b/c routes are public.... and download of logs is possible without any auth!

[KABBOUCHI]

@mstaack routes is under nova middleware what risks you are talking about?

nova-logs-tool/src/LogsToolServiceProvider.php

Lines 45 to 47 in 7b59c49

	Route::middleware(['nova', Authorize::class])
	->prefix('nova-vendor/KABBOUCHI/logs-tool')
	->group(__DIR__.'/../routes/api.php');

[mstaack]

i did a quick test and it seemed like downloading files is possible without nova login

[mstaack]

ok just did this again, sry for the misleading info. seems to work once canDownload() is used on the tool

[KABBOUCHI]

Yeah you should not use true, you should check the user permission.

I'll modify the README file to prevent confusions

[mstaack]

Yeah makes sense! Thanks for the readme updates.