Disable "Details" GET/HEAD Request

[mariovillani]

At the moment, it is impossible to disable the GET|HEAD endpoint for the getDetailsRow functionality.
Even if someone is not using getDetails in the CRUDController, the route is loaded in any case.

When the ListTrait is loaded, no checks are done if the getDetailsRow has been enabled or not for the current CRUDController. I've highlighted where the check should be done (the comment written in uppercase):

// backpack/crud/src/app/Http/Controllers/Operations/ListOperation.php
trait ListOperation
{
    /**
     * Define which routes are needed for this operation.
     *
     * @param  string  $segment  Name of the current entity (singular). Used as first URL segment.
     * @param  string  $routeName  Prefix of the route name.
     * @param  string  $controller  Name of the current CrudController.
     */
    protected function setupListRoutes($segment, $routeName, $controller)
    {
        Route::get($segment.'/', [
            'as'        => $routeName.'.index',
            'uses'      => $controller.'@index',
            'operation' => 'list',
        ]);

        Route::post($segment.'/search', [
            'as'        => $routeName.'.search',
            'uses'      => $controller.'@search',
            'operation' => 'list',
        ]);

        // !!!! MISSING CHECKS TO PREVENT REGISTERING THE SHOWDETAILS ROUTE !!!!
        Route::get($segment.'/{id}/details', [
            'as'        => $routeName.'.showDetailsRow',
            'uses'      => $controller.'@showDetailsRow',
            'operation' => 'list',
        ]);
    }
}

A possibile fix (in my opinion the cleanest one) would be creating a new Operation which is only for the getDetails functionality, separating the business logic.

Thank you in advance!

[karandatwani92]

Hey @pxpm I tested this and @mariovillani is right about this.

Endpoints (URL) are always open!🚨

https://backpackforlaravel.com/docs/6.x/crud-api#details-row

$this->crud->disableDetailsRow(); // hides it from UI only

// I doubt the following are working.
$this->crud->allowAccess('details_row');
$this->crud->denyAccess('details_row');

[karandatwani92]

Hey @mariovillani I have escalated the issue here Laravel-Backpack/CRUD#5395

We will try to come up with the appropriate resolution soon. Thanks for reporting!

[mariovillani]

Thanks. Glad to help, thanks for confirming!

[pxpm]

Thanks @mariovillani . I totally agree with you, and also including @karandatwani92 observations about the allowAccess.

DetailsRow should probably be their own operation, and also have a little bit more flexibility in terms of permissions (you may want to show details rows of active entries, and no details row on inactive ones).

I've written a little bit more detailed answer in the PR thread Laravel-Backpack/CRUD#5397

I will be closing this so that we keep any conversation regarding to this in the PR thread.

Thanks again 🙏

[pxpm]

It's merged and tagged in CRUD 6.4.1 🙏 Updated docs here: https://backpackforlaravel.com/docs/6.x/crud-operation-list-entries#details-row-1

Thanks @mariovillani and @karandatwani92 👍