Hello! I'm developing a tool according to the documentation over here https://nova.laravel.com/docs/4.0/customization/tools.html
I've just made the basic installation and added my tool like so:
    public function tools()
    {
        return [
            new Xlsimport
        ];
    }
Additionally, I have added the following route to the api.php routes file:
    Route::get('/upload', UploadController::class);
and when I try to open it in incognito mode, it works! Why?
It only works as it is supposed to if I add the tool this way:
    public function tools()
    {
        return [
            (new Xlsimport())->canSee(function ($request) {
                return !is_null(Auth::user());
            })
        ];
    }
P.S. But in this scenario, there are problems with the static resources of the tool (404 error).
Can somebody give me a clue how it actually works, please?
It seems that the routes defined in the api.php file are (still) not protected by default. I don't know why they have decided to do this, and I did not expect that behavior either.
I've created some pull requests like this one in the past to resolve this issue in some packages. Note that the author of that package has also created a Nova issue.
The simplest way to protect the routes would be to add the middleware to your ToolServiceProvider.
    use Laravel\Nova\Http\Middleware\Authenticate;
    use Your\Tool\Http\Middleware\Authorize;
    Route::middleware(['nova', Authenticate::class, Authorize::class])
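For reference, a sketch of a tool service provider that registers the tool's api.php behind the middleware stack named in the answer above. This is an added example, not code from the thread or from Nova itself; the `Acme\Xlsimport` namespace, the `nova-vendor/xlsimport` prefix and the `routes/api.php` location are assumptions.

```php
<?php

namespace Acme\Xlsimport; // assumed namespace for the tool package

use Acme\Xlsimport\Http\Middleware\Authorize; // the tool's own middleware (assumed path)
use Illuminate\Support\Facades\Route;
use Illuminate\Support\ServiceProvider;
use Laravel\Nova\Http\Middleware\Authenticate;

class ToolServiceProvider extends ServiceProvider
{
    public function boot()
    {
        // Register the routes once the application has finished booting.
        $this->app->booted(function () {
            $this->routes();
        });
    }

    protected function routes()
    {
        // Cached routes are already loaded; registering again would duplicate them.
        if ($this->app->routesAreCached()) {
            return;
        }

        // Every route in routes/api.php now passes through:
        //   'nova'        - the Nova middleware group named in the answer
        //   Authenticate  - rejects requests without a logged-in Nova user
        //   Authorize     - the tool's own access check
        Route::middleware(['nova', Authenticate::class, Authorize::class])
            ->prefix('nova-vendor/xlsimport') // assumed prefix
            ->group(__DIR__.'/../routes/api.php'); // assumed location of the tool's api.php
    }
}
```

With this in place, requesting the `/upload` route under the prefix from an incognito window should no longer return the controller's response; checking that from an unauthenticated session is a quick way to confirm the middleware is actually applied.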