fix: Only redirect to valid URLs after Panel login

src/Panel/Home.php

@@ -118,13 +118,21 @@ public static function hasAccess(User $user, string $path): bool
 					return false;
 				}
 
-				// if auth is not required the redirect is allowed
-				if ($auth === false) {
-					return true;
+				// check the firewall, if auth is required
+				if (
+					$auth !== false &&
+					Panel::hasAccess($user, $areaId) === false
+				) {
+					return false;
 				}
 
-				// check the firewall
-				return Panel::hasAccess($user, $areaId);
+				// check if the route yields a valid result
+				$result = $route->action()->call(
+					$route,
+					...$route->arguments()
+				);
+
+				return $result !== false;
 			});
 		} catch (Throwable) {
 			return false;

tests/Panel/HomeTest.php

@@ -179,6 +179,11 @@ public function testHasAccess(): void
 			],
 			'users' => [
 				['email' => 'test@getkirby.com', 'role' => 'admin']
+			],
+			'options' => [
+				'api' => [
+					'allowImpersonation' => true
+				]
 			]
 		]);
 
@@ -220,6 +225,11 @@ public function testHasAccessWithLimitedAccess(): void
 			],
 			'users' => [
 				['email' => 'test@getkirby.com', 'role' => 'editor']
+			],
+			'options' => [
+				'api' => [
+					'allowImpersonation' => true
+				]
 			]
 		]);
 
@@ -231,6 +241,28 @@ public function testHasAccessWithLimitedAccess(): void
 		$this->assertTrue(Home::hasAccess($user, 'account'));
 	}
 
+	public function testHasAccessWithInvalidPath(): void
+	{
+		$this->app = $this->app->clone([
+			'site' => [
+				'children' => [
+					['slug' => 'test']
+				]
+			],
+			'users' => [
+				['email' => 'test@getkirby.com', 'role' => 'admin']
+			],
+			'options' => [
+				'api' => [
+					'allowImpersonation' => true
+				]
+			]
+		]);
+
+		$user = $this->app->impersonate('test@getkirby.com');
+		$this->assertFalse(Home::hasAccess($user, 'pages/foo+bar'));
+	}
+
 	public function testHasValidDomain(): void
 	{
 		$uri = Uri::current();