Open
Description
Bolt treats any URI starting with the `bolt.backend_url` string as restricted, even if not immediately followed by a slash.
Details
| Question | Answer |
|---|---|
| Relevant Bolt Version | 5.1.24 |
| Install type | Composer install |
| PHP version | 8.2 |
PHP version | 8.2 |
Reproduction
Steps to reproduce
Log out from the backend if logged in. Assuming your `bolt.backend_url` (as defined in `config/services.yaml`) is the default `/bolt`, try accessing a URI like `/bolts-and-nuts`.
Expected result
You should be served the `/bolts-and-nuts` resource if it exists, or 404 if it doesn't.
Actual result
You're redirected to `/bolt/login`.
Fix
Paths ending with `bolt.backend_url` in `access_control` definitions of `config/packages/security.yaml` should include trailing slashes, e.g.:
- { path: '^%bolt.backend_url%/', roles: IS_AUTHENTICATED_REMEMBERED }
- { path: '^/(%app_locales%)%bolt.backend_url%/', roles: IS_AUTHENTICATED_REMEMBERED }
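
The following is an added example, not part of the original report or of Bolt's code. It expands the `access_control` path patterns and checks which request paths each one matches, using Python's `re.search` as a stand-in for the unanchored regex match Symfony applies to the request path. Assumptions: the "before" patterns are the proposed ones with the trailing slash removed, the locale list and sample paths are constructed, and the `(/|$)` variant is a hypothetical alternative that is not proposed in the report.

```python
import re

# Assumed parameter values: /bolt is the default named in the report,
# the locale list is a constructed sample.
PARAMS = {"bolt.backend_url": "/bolt", "app_locales": "en|nl"}

# "Before" rules: the report's proposed paths minus the trailing slash (assumed).
BEFORE = ["^%bolt.backend_url%", "^/(%app_locales%)%bolt.backend_url%"]
# "After" rules: the paths proposed in the report.
AFTER = ["^%bolt.backend_url%/", "^/(%app_locales%)%bolt.backend_url%/"]
# Hypothetical variant (not from the report): also matches the bare backend URL.
BOUNDED = ["^%bolt.backend_url%(/|$)", "^/(%app_locales%)%bolt.backend_url%(/|$)"]

# Constructed sample request paths.
SAMPLE_PATHS = ["/bolts-and-nuts", "/en/bolts-and-nuts", "/bolt/users",
                "/nl/bolt/users", "/bolt", "/"]


def expand(pattern, params=PARAMS):
    """Substitute %name% container parameters into a path pattern."""
    return re.sub(r"%([\w.]+)%", lambda m: params[m.group(1)], pattern)


def matches_rule(path, rules, params=PARAMS):
    """True if any rule's regex matches the path (unanchored search)."""
    return any(re.search(expand(rule, params), path) for rule in rules)


def report(paths=SAMPLE_PATHS):
    """Map each path to (before, after, bounded) match results."""
    return {p: (matches_rule(p, BEFORE), matches_rule(p, AFTER),
                matches_rule(p, BOUNDED)) for p in paths}


if __name__ == "__main__":
    print(f"{'path':22} before after bounded")
    for path, (before, after, bounded) in report().items():
        print(f"{path:22} {before!s:6} {after!s:5} {bounded}")
```

With the trailing slash, the bare `/bolt` path no longer matches the rule, so whether that request is still protected depends on how routing handles it. The bounded variant is shown only to make that difference visible.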