fix: Only redirect to valid URLs after Panel login

distantnative · distantnative · commit ba6a2494fe94 · 2025-08-07T15:05:12.000+02:00
Fixes #6682
diff --git a/src/Panel/Home.php b/src/Panel/Home.php
@@ -118,13 +118,21 @@ public static function hasAccess(User $user, string $path): bool
 					return false;
 				}
 
-				// if auth is not required the redirect is allowed
-				if ($auth === false) {
-					return true;
+				// check the firewall, if auth is required
+				if (
+					$auth !== false &&
+					Panel::hasAccess($user, $areaId) === false
+				) {
+					return false;
 				}
 
-				// check the firewall
-				return Panel::hasAccess($user, $areaId);
+				// check if the route yields a valid result
+				$result = $route->action()->call(
+					$route,
+					...$route->arguments()
+				);
+
+				return $result !== false;
 			});
 		} catch (Throwable) {
 			return false;
diff --git a/tests/Panel/HomeTest.php b/tests/Panel/HomeTest.php
@@ -179,6 +179,11 @@ public function testHasAccess(): void
 			],
 			'users' => [
 				['email' => 'test@getkirby.com', 'role' => 'admin']
+			],
+			'options' => [
+				'api' => [
+					'allowImpersonation' => true
+				]
 			]
 		]);
 
@@ -220,6 +225,11 @@ public function testHasAccessWithLimitedAccess(): void
 			],
 			'users' => [
 				['email' => 'test@getkirby.com', 'role' => 'editor']
+			],
+			'options' => [
+				'api' => [
+					'allowImpersonation' => true
+				]
 			]
 		]);
 
