Any URI starting with bolt.backend_url is treated as restricted
Bolt treats any URI starting with bolt.backend_url string as restricted, even if not immediately followed by a slash.
Details
| Question | Answer |
|---|---|
| Relevant Bolt Version | 5.1.24 |
| Install type | Composer install |
| PHP version | 8.2 |
Reproduction
Steps to reproduce
Log out from the backend if logged in. Assuming your bolt.backend_url (as defined in config/services.yaml) is the default /bolt, try accessing a URI like /bolts-and-nuts.
Expected result
You should be served /bolts-and-nuts resource if it exists, or 404 if it doesn't.
Actual result
You're redirected to /bolt/login.
Fix
Paths ending with bolt.backend_url in access_control definitions of config/packages/security.yaml should include trailing slashes, e.g.:
```yaml
- { path: '^%bolt.backend_url%/', roles: IS_AUTHENTICATED_REMEMBERED }
- { path: '^/(%app_locales%)%bolt.backend_url%/', roles: IS_AUTHENTICATED_REMEMBERED }
```
This issue's fix must be applied in the repository and in the project repository.
The route '/bolt$' must be protected.
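The prefix matching reported in this issue, and the `/bolt$` gap raised in the comment above, as an added example (not Bolt's or Symfony's own code): a small Python audit that probes three rule sets against sample paths. It assumes access_control paths are evaluated as unanchored regex searches; the `ORIGINAL` rules, the `(/|$)` variant, the locale list and the probe paths are constructed for illustration.

```python
import re

BACKEND_URL = "/bolt"   # default bolt.backend_url, as stated on the page
LOCALES = "en|nl"       # constructed stand-in for %app_locales%

# Rule sets to compare. Only PAGE_FIX is quoted from the issue.
ORIGINAL = ["^%bolt.backend_url%",                       # assumed pre-fix form
            "^/(%app_locales%)%bolt.backend_url%"]
PAGE_FIX = ["^%bolt.backend_url%/",
            "^/(%app_locales%)%bolt.backend_url%/"]
BOUNDARY = ["^%bolt.backend_url%(/|$)",                  # hypothetical variant
            "^/(%app_locales%)%bolt.backend_url%(/|$)"]

# Constructed probe paths mapped to whether they should require authentication.
PROBES = {
    "/bolt": True,
    "/bolt/": True,
    "/bolt/some-page": True,
    "/en/bolt": True,
    "/en/bolt/some-page": True,
    "/bolts-and-nuts": False,
    "/en/bolts-and-nuts": False,
}

def expand(pattern):
    """Resolve the %param% placeholders as the container would."""
    return (pattern.replace("%bolt.backend_url%", BACKEND_URL)
                   .replace("%app_locales%", LOCALES))

def restricted(patterns, path):
    """True if any rule matches; re.search models an unanchored regex match."""
    return any(re.search(expand(p), path) for p in patterns)

def audit(patterns):
    """Return probe paths whose outcome differs from the expected one."""
    return [p for p, want in PROBES.items() if restricted(patterns, p) != want]

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("page fix", PAGE_FIX),
                        ("boundary", BOUNDARY)]:
        print(f"{name:9} mismatches: {audit(rules)}")
```

An empty list means every probe path was classified as expected by that rule set.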
This has actually been fixed in Bolt 6., dbeab8bde450ebf927902f071c52c164c7b66189.