plone / volto

React-based frontend for the Plone Content Management System
https://demo.plone.org/
MIT License

Some controlpanels are accessible via direct link for unauthorized users #1898

Open avoinea opened 3 years ago

avoinea commented 3 years ago

See:

We should handle backend errors on all controlpanels using the Error component: https://github.com/plone/volto/blob/d07c17c91274292a1fcca3d9d15b51af4d0da385/src/components/manage/Controlpanels/Controlpanels.jsx#L125-L128

ichim-david commented 3 years ago

I've tackled Addons in https://github.com/plone/volto/commit/cab089b74ba839551d1383bde7048e11e9d5923e. I am not 100% happy with how this acts, as when calling listAddons there is a delay until you get the call to the REST API, which gives an error in case you are anonymous, and then you get the unauthorized code.

This means that you get "Addons 0" briefly, followed by the correct message. I would have preferred not to render anything until communicating with the REST API, but perhaps this will be acceptable in the end, as other control panels were given error messages similarly.

mikejmets commented 3 years ago

I had a go at Database, Users and ModerateComments in 08dd6f24835a36c68c1e84118d5ea83788f1c5d4 and db43ccb697fc8c476c0da4a9a8bcd1b4c28aa3a2. I used the listControlpanels action to determine if the user had sufficient permissions in all three use cases. Is there a better way?
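The two comments above describe the same rendering decision: show nothing until the REST API has answered, show the Error component (with the 401 status) when the backend rejects an anonymous request, and treat a failed listControlpanels call as "no access". The following is an added example, not Volto's own code; the `{ loading, loaded, error }` request-state shape and the function names are assumptions made for illustration and do not reproduce Volto's reducers.

```javascript
// Added example (not Volto's code): decide what a control panel view should
// render from the Redux-style request state left behind by an action such as
// listAddons or listControlpanels. The state shape is assumed for illustration.

const VIEW = Object.freeze({
  PENDING: 'pending', // request not yet answered: render nothing, not "Addons 0"
  ERROR: 'error',     // backend answered with an error: render the Error component
  CONTENT: 'content', // backend answered successfully: render the panel
});

function resolveControlpanelView(requestState) {
  const { loading = false, loaded = false, error = null } = requestState || {};

  // A backend error wins over every other flag: an anonymous visitor must see
  // the Unauthorized page, never a half-populated panel.
  if (error) {
    return {
      view: VIEW.ERROR,
      status: typeof error.status === 'number' ? error.status : 500,
      message: error.message || 'Error',
    };
  }

  // Until the REST API has answered, render nothing. This removes the brief
  // "Addons 0" flash that appears when the panel renders before the response.
  if (loading || !loaded) {
    return { view: VIEW.PENDING };
  }

  return { view: VIEW.CONTENT };
}

// Permission check modelled on the listControlpanels approach: if the request
// that lists the control panels fails, the user has no access to any of them.
function hasControlpanelAccess(listControlpanelsState) {
  return resolveControlpanelView(listControlpanelsState).view === VIEW.CONTENT;
}

// Constructed sample states mirroring the lifecycle of one request.
const SAMPLE_STATES = {
  initial: { loading: false, loaded: false, error: null },
  inFlight: { loading: true, loaded: false, error: null },
  unauthorized: {
    loading: false,
    loaded: false,
    error: { status: 401, message: 'Unauthorized' },
  },
  ok: { loading: false, loaded: true, error: null },
  // A 200 with an empty body (the moderate-comments case) is indistinguishable
  // from a real success on the client; that has to be fixed in the backend.
  emptySuccess: { loading: false, loaded: true, error: null, items: [] },
};

module.exports = { VIEW, resolveControlpanelView, hasControlpanelAccess, SAMPLE_STATES };
```

The `emptySuccess` state shows why the moderate-comments panel cannot be fixed purely in the frontend: without an error status from the backend, the client has nothing to key the Unauthorized view on.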

avimishra18 commented 2 years ago

Hi @avoinea, is this issue still open? If yes, I would like to contribute to this. If I understood this correctly, visiting these URLs without signing in should behave like https://volto.kitconcept.com/controlpanel/users, which seems to be fixed, although it does render the Users view on initial load.

But these URLs still show some views:

  1. https://volto.kitconcept.com/controlpanel/addons
  2. https://volto.kitconcept.com/controlpanel/moderate-comments
  3. https://volto.kitconcept.com/controlpanel/database

Expected Behaviour: [image]

avoinea commented 2 years ago

@avimishra18 Yes, everything under /controlpanel should raise Unauthorized if not authenticated.

avimishra18 commented 2 years ago

Hi @avoinea, for https://volto.kitconcept.com/controlpanel/moderate-comments the error scenario is not occurring. It is a successful request with an "empty" response. This appears to be a backend-related issue. Correct me if I am wrong.

Redux: [screenshot, 2022-03-15 01:39]

Network Tab: [screenshot, 2022-03-15 01:42]

No request with 401 HTTP response code found.

avoinea commented 2 years ago

> Hi @avoinea, for https://volto.kitconcept.com/controlpanel/moderate-comments the error scenario is not occurring. It is a successful request with an "empty" response. This appears to be a backend-related issue. Correct me if I am wrong.

@avimishra18 Indeed, this one is a backend issue.

Yug063 commented 2 weeks ago

@avimishra18 Hi, is there any update on your linked PR? I saw there are some suggestions from core devs, so are you still working on this? If not, I would like to contribute to this :) thanks!

avimishra18 commented 2 weeks ago

Please go ahead.

Yug063 commented 2 weeks ago

@avimishra18 thanks for the quick response, but if you have time can you update me on how far you got with this and whether there was any problem you faced?