Not found is being displayed within the admin panel styling for non authenticated users #8716
Comments
Choosing to evaluate whether users exist in the db earlier allows payload to redirect users to a more appropriate view if the first admin user hasn't been created yet.
@paulpopus I did end up fiddling with the order of operations in
Hey @karlapsite, So I actually reproduced your issue using the
Thanks for the tip @akhrarovsaid! The specific issue with the dev credentials in my third point is a little nitty-gritty. I didn't have too much trouble commenting out the devUser to play around with the When using default credentials, I couldn't log out. Manually navigating to When navigating to After some playing around, it would seem a change like the one I tinkered with could address both sides of this issue. Separately, my change appears to have awoken some sort of login redirection feature, but it does not appear to work as expected... which might be out-of-scope. I'm unsure if that should be addressed here and now, or if that would be a good candidate for a follow-up issue.
Hey @karlapsite, Actually you're correct - the test folder has helper functions that trigger auto-login. Have a look below at the root of this functionality which seems to originate from Auto login predicate in buildConfigWithDefaults I hope this may help you with your proposed changes and tests. Cheers!
Hey all, thanks for all the investigations here, I wouldn't touch the default login and such. The issue here is actually just that the notFound page is visible within the layout of the admin panel if you are not authenticated. It's not isolated to the create first user flow, so I updated the title
Yep... not trying to change default login... it just gave me a little trouble when debugging both cases. I'm still curious if reordering redirection and notFound would address the issue.
Thanks guys for the report here, went down a rabbit hole with more functionality around this tested. This will be fixed in #8820. Non authorised users should be redirected to /login as per v2 behaviour in this situation.
…ith notFound page (#8820)
This PR aims to fix a few issues with the notFound page and custom views so it matches v2 behaviour:
- Non authorised users should always be redirected to the login page regardless if not found or valid URL
- Previously notFound would render for non users too potentially exposing valid but protected routes and creating a confusing workflow as the UI was being rendered as well
- Custom views are now public by default
- in our `admin` test suite, the `/admin/public-custom-view` is accessible to non users but `/admin/public-custom-view/protected-nested-view` is not unless the checkbox is true in the Settings global, there's e2e coverage for this
- Fixes #8716
🚀 This is included in version v3.0.0-beta.121
This issue has been automatically locked.
Link to reproduction
https://github.com/karlapsite/payload/tree/fix/create-user-redirection-issue-reproduction
diff
Environment Info
Should be latest n' greatest:
Payload: v3.0.0-beta.114
Node.js: 22.6.0
Next.js: 15.0.0-canary.17
Describe the Bug
I'm playing around with the blank and website templates with a coworker. We're a little confused why navigating in browser to `/admin/foobar` doesn't forward us to `/admin/create-first-user` like it does in other cases... I haven't created my first account yet... it seems a little weird to be able to peek at the public collections (or render any semblance of the admin portal at all yet). Clicking on anything does redirect me to `/admin/create-first-user`.
Is this intentional behavior?
If we don't want users to peek the unauthed admin page... is there an easy way to modify the admin not-found template to redirect us somehow? Or is there a cleaner place to catch/forward this case?
A similar issue seems to exist after the first account has been created... my expectation was to see the admin portal redirect the user to the login component and prevent them from seeing the admin portal/sidebar.
To my knowledge this isn't a security issue, as the user can only see the names of collections that are public read. Authorized collections won't appear in the sidebar... So this is only disorienting at best
Reproduction Steps
devUser
in the _community template./admin/foobar
Adapters and Plugins
No response
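The ordering question raised in this thread (notFound decided before or after the auth redirect), as an added example that is not Payload's code or part of the original issue. The route table, the `usersExist`/`user` state object and all function names are assumptions made for this sketch; it models the behaviour described for #8820 and shows why the earlier ordering lets an anonymous visitor tell protected routes from nonexistent ones.

```javascript
// Constructed route table; `public` marks views reachable without a session.
const ROUTES = new Map([
  ['/admin', { public: false }],
  ['/admin/login', { public: true }],
  ['/admin/collections/posts', { public: false }],
  ['/admin/public-custom-view', { public: true }],
  ['/admin/public-custom-view/protected-nested-view', { public: false }],
]);
const LOGIN = '/admin/login';
const FIRST_USER = '/admin/create-first-user';

// Ordering reported in the issue: the 404 decision is taken before the auth decision.
function resolveNotFoundFirst(path, { user }) {
  const route = ROUTES.get(path);
  if (!route) return { action: 'notFound', layout: 'admin' }; // admin chrome shown to anyone
  if (!route.public && !user) return { action: 'redirect', to: LOGIN };
  return { action: 'render', view: path, layout: user ? 'admin' : 'minimal' };
}

// Ordering described for the fix: first-user and auth decisions come before any 404.
function resolveAuthFirst(path, { usersExist, user }) {
  if (!usersExist) {
    return path === FIRST_USER
      ? { action: 'render', view: path, layout: 'minimal' }
      : { action: 'redirect', to: FIRST_USER };
  }
  const route = ROUTES.get(path);
  if (route && route.public) {
    return { action: 'render', view: path, layout: user ? 'admin' : 'minimal' };
  }
  // Same answer for protected and unknown paths, so nothing about the route map is revealed.
  if (!user) return { action: 'redirect', to: LOGIN };
  if (!route) return { action: 'notFound', layout: 'admin' };
  return { action: 'render', view: path, layout: 'admin' };
}

// True when an anonymous visitor gets different responses for a
// protected route and a nonexistent one (both paths are constructed).
function leaksRouteExistence(resolve) {
  const anon = { usersExist: true, user: null };
  const protectedRoute = resolve('/admin/collections/posts', anon);
  const unknownRoute = resolve('/admin/foobar', anon);
  return JSON.stringify(protectedRoute) !== JSON.stringify(unknownRoute);
}

console.log('notFound first leaks:', leaksRouteExistence(resolveNotFoundFirst));
console.log('auth first leaks:', leaksRouteExistence(resolveAuthFirst));
```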