Custom control panel navigation shows collections for which there are no permissions #11925

@lakkes-ra

Bug description

The custom CP nav shows collections for which the user hasn't got permission. It only hides them when navigating to a permitted collection (*sometimes).

So for example:
I have a fresh Statamic install (installed with statamic new, no starter pack, flat file) and created some collections: Ingredients, Recipes, Markets, Pages and Regions. Then I created a custom CP nav like that:

Image

I created the user maggie.markets@test.de with a role that allows viewing the collection Markets. When I log in with maggie.markets and get to the dashboard, I see this:

Image

When I want to navigate to Recipes for example – a collection for which maggie has no permission – I get an error toast:

Image

When I navigate to Markets, all other Collections will get hidden from the CP nav. (The expected behavior, but they should be hidden from the beginning.)

Image

I also have another user, reginald.recipe, who has permissions for recipes and assets. Interestingly, I get shown all collections always, regardless of which one I navigate to. I also see all collections when navigating to the assets.

We saw this behaviour in a customer project. We thought we could just hide the dashboard, but since all nav items get shown when navigating to the asset browser, we can't use this workaround.

In summary: I expect that the user should only see the collections they have permission for in the CP navigation.

How to reproduce

  • Install a fresh Statamic
  • Create some collections
  • Create a custom cp nav
  • Create some roles for certain collections
  • Create some users with certain rules
  • Log in with these users and click through collections in the nav

Logs

Environment

Environment
Application Name: Statamic
Laravel Version: 12.19.3
PHP Version: 8.3.13
Composer Version: 2.8.4
Environment: local
Debug Mode: ENABLED
URL: roles-nav-test.test
Maintenance Mode: OFF
Timezone: UTC
Locale: en

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: log
Cache: file
Database: sqlite
Logs: stack / single
Mail: log
Queue: sync
Session: file

Storage
public/storage: NOT LINKED

Statamic
Addons: 0
Sites: 1
Stache Watcher: Enabled (auto)
Static Caching: Disabled
Version: 5.58.1 PRO

Installation

Fresh statamic/statamic site via CLI

Additional details

No response
