
Navigation items editable without appropriate permissions #6653

Closed
klickreflex opened this issue Sep 7, 2022 · 0 comments · Fixed by #6663

klickreflex commented Sep 7, 2022

Bug description

I'm trying to prevent a user role from editing the navigation, but it seems removing the associated permissions from the role only hides links from the CP. When the name of the navigation is known, it can still be accessed by visiting the URL /cp/navigation/<name>.

How to reproduce

  • have a nav called main
  • have a user role editor
  • make sure editor does not have 'view main nav' and 'edit main nav' in roles.yaml
  • log in as a user with role editor
  • navigate to /cp/navigation/main
  • you're able to view and edit the main nav

Logs

No response

Environment

Statamic 3.3.34 Pro
Laravel 9.11.0
PHP 8.1.10
doublethreedigital/duplicator 2.3.2

Installation

Starter Kit using via CLI

Antlers Parser

runtime (new)

Additional details

Here's my roles.yaml

editor:
  title: Editor
  permissions:
    - 'access cp'
    - 'view pages entries'
    - 'edit pages entries'
    - 'create pages entries'
    - 'delete pages entries'
    - 'publish pages entries'
    - 'reorder pages entries'
    - 'edit other authors pages entries'
    - 'publish other authors pages entries'
    - 'delete other authors pages entries'
    - 'edit social_media globals'
    - 'view assets assets'
    - 'upload assets assets'
    - 'edit assets assets'
    - 'move assets assets'
    - 'rename assets assets'
    - 'delete assets assets'
    - 'view users'
    - 'edit users'
    - 'delete users'
    - 'change passwords'
    - 'view contact form submissions'
    - 'delete contact form submissions'
    - 'view projects entries'
    - 'edit projects entries'
    - 'create projects entries'
    - 'delete projects entries'
    - 'publish projects entries'
    - 'reorder projects entries'
    - 'edit other authors projects entries'
    - 'publish other authors projects entries'
    - 'delete other authors projects entries'
    - 'view services entries'
    - 'edit services entries'
    - 'create services entries'
    - 'delete services entries'
    - 'publish services entries'
    - 'reorder services entries'
    - 'edit other authors services entries'
    - 'publish other authors services entries'
    - 'delete other authors services entries'
    - 'view team entries'
    - 'edit team entries'
    - 'create team entries'
    - 'delete team entries'
    - 'publish team entries'
    - 'reorder team entries'
    - 'edit other authors team entries'
    - 'publish other authors team entries'
    - 'delete other authors team entries'
marketeer:
  title: Marketeer
  permissions:
    - 'access cp'
    - 'edit redirects globals'
    - 'edit seo globals'

And this is what my test user looks like:

name: 'Daniel Wentsch'
roles:
  - editor
id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
password_hash: xxxxxxxxxxxxxxxxxxxx
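A regression test for the behaviour reported above, added here as an example; it is not part of the issue and not Statamic's own test suite. It assumes a Laravel feature test in the application's tests/Feature directory and the Statamic `Nav`, `Role` and `User` facades with the `handle()`, `permissions()`, `assignRole()`, `makeSuper()` and `save()` methods used below; the editor role is built without the 'view main nav' and 'edit main nav' permissions, so the direct URL must be refused for it and still work for a super user.

```php
<?php

namespace Tests\Feature;

use Statamic\Facades\Nav;
use Statamic\Facades\Role;
use Statamic\Facades\User;
use Tests\TestCase;

class NavigationPermissionsTest extends TestCase
{
    /** @test */
    public function a_role_without_nav_permissions_cannot_open_the_nav_by_url()
    {
        // Assumed API: create the "main" nav from the report for this test.
        Nav::make()->handle('main')->title('Main')->save();

        // Editor role with CP access but none of the "... main nav" permissions,
        // mirroring the roles.yaml in the report (constructed, shortened list).
        Role::make()
            ->handle('editor')
            ->title('Editor')
            ->permissions(['access cp', 'view pages entries', 'edit pages entries'])
            ->save();

        $editor = User::make()
            ->email('editor@example.test')
            ->assignRole('editor');
        $editor->save();

        // Hiding the CP link is not enough: the direct URL must be refused too.
        $this->actingAs($editor)
            ->get('/cp/navigation/main')
            ->assertForbidden();

        // Control case: a super user keeps access to the same URL, so the test
        // fails only when authorization is missing, not when the route is broken.
        $admin = User::make()->email('admin@example.test')->makeSuper();
        $admin->save();

        $this->actingAs($admin)
            ->get('/cp/navigation/main')
            ->assertOk();
    }
}
```

Run it with `php artisan test --filter NavigationPermissionsTest`; on a build affected by this issue the first assertion fails because the editor receives the nav page instead of a 403.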