From 12268980924ec0404acf04b026a46e66a2077208 Mon Sep 17 00:00:00 2001
From: Nico Hoffmann
Date: Thu, 7 Aug 2025 15:03:03 +0200
Subject: [PATCH] fix: Only redirect to valid URLs after Panel login
Fixes #6682
---
 src/Panel/Home.php | 18 +++++++++++++-----
 tests/Panel/HomeTest.php | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 5 deletions(-)
diff --git a/src/Panel/Home.php b/src/Panel/Home.php
index cac3ad230b..a378b574c9 100644
--- a/src/Panel/Home.php
+++ b/src/Panel/Home.php
@@ -118,13 +118,21 @@ public static function hasAccess(User $user, string $path): bool
 return false;
 }
- // if auth is not required the redirect is allowed
- if ($auth === false) {
- return true;
+ // check the firewall, if auth is required
+ if (
+ $auth !== false &&
+ Panel::hasAccess($user, $areaId) === false
+ ) {
+ return false;
 }
- // check the firewall
- return Panel::hasAccess($user, $areaId);
+ // check if the route yields a valid result
+ $result = $route->action()->call(
+ $route,
+ ...$route->arguments()
+ );
+
+ return $result !== false;
 });
 } catch (Throwable) {
 return false;
diff --git a/tests/Panel/HomeTest.php b/tests/Panel/HomeTest.php
index af7f2952aa..b4e523a356 100644
--- a/tests/Panel/HomeTest.php
+++ b/tests/Panel/HomeTest.php
@@ -179,6 +179,11 @@ public function testHasAccess(): void
 ],
 'users' => [
 ['email' => 'test@getkirby.com', 'role' => 'admin']
+ ],
+ 'options' => [
+ 'api' => [
+ 'allowImpersonation' => true
+ ]
 ]
 ]);
@@ -220,6 +225,11 @@ public function testHasAccessWithLimitedAccess(): void
 ],
 'users' => [
 ['email' => 'test@getkirby.com', 'role' => 'editor']
+ ],
+ 'options' => [
+ 'api' => [
+ 'allowImpersonation' => true
+ ]
 ]
 ]);
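Review bot: The new `$route->action()->call($route, ...$route->arguments())` executes the Panel view controller for the target path purely to decide whether the redirect is valid, and the hunk does not record that this is intentional or that it relies on the firewall check just above running first so that an unauthorised user never triggers the action. The comment `// check if the route yields a valid result` undersells this; I would replace it with `// run the route action (only after the firewall check) so that paths whose action throws or returns false are rejected as redirect targets — this executes the view controller with whatever side effects it has`. The `$result !== false` test accepts every other return value, including `null`, so it is worth stating that only a `false` return (which, as I understand Kirby's router, means "route did not match") disqualifies the path. Any exception thrown by the action is swallowed by the existing `catch (Throwable)` and maps to no access, which fails closed but also hides misconfiguration or broken controllers from whoever debugs a login that keeps landing on the fallback. The enclosing `hasAccess()` and its closure start and end outside the hunk.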
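Review bot: This hunk, and likewise the `@@ -220` and `@@ -231` hunks, add `'api' => ['allowImpersonation' => true]` to the test app without saying why a Panel redirect test needs an API option, which the next maintainer is likely to remove as noise. Presumably it is required because `Home::hasAccess()` now executes the route action, which resolves the current user through the app's auth layer, and that layer only honours `$app->impersonate()` when this option is set — confirm against the implementation before committing to that wording. A one-line comment above the option in each test, `// required so the executed route action sees the impersonated user`, would capture the reason. Since all three tests now build the same configuration, a small private helper in the test class returning the cloned app would also remove the repetition.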
@@ -231,6 +241,28 @@ public function testHasAccessWithLimitedAccess(): void
 $this->assertTrue(Home::hasAccess($user, 'account'));
 }
+ public function testHasAccessWithInvalidPath(): void
+ {
+ $this->app = $this->app->clone([
+ 'site' => [
+ 'children' => [
+ ['slug' => 'test']
+ ]
+ ],
+ 'users' => [
+ ['email' => 'test@getkirby.com', 'role' => 'admin']
+ ],
+ 'options' => [
+ 'api' => [
+ 'allowImpersonation' => true
+ ]
+ ]
+ ]);
+
+ $user = $this->app->impersonate('test@getkirby.com');
+ $this->assertFalse(Home::hasAccess($user, 'pages/foo+bar'));
+ }
+
 public function testHasValidDomain(): void
 {
 $uri = Uri::current();
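Review bot: `testHasAccessWithInvalidPath()` defines a page `test` in the site but never asserts that a path to it is accepted, so the single `assertFalse` on `pages/foo+bar` cannot distinguish "rejected because the page does not exist" from "rejected because executing the route action fails for every page in this test setup". Adding `$this->assertTrue(Home::hasAccess($user, 'pages/test'));` before the negative assertion makes the test prove the path is what matters, unless `testHasAccess()` above already covers that exact case. The name also suggests a malformed path, whereas `pages/foo+bar` is well-formed and merely points at a page that does not exist; `testHasAccessWithNonExistingPage()` would describe the case more precisely. A genuinely malformed path, if the implementation is meant to reject one, deserves its own assertion.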