volto icon indicating copy to clipboard operation
volto copied to clipboard
verified publisher icon plone

creating document with id controlpanel opens controlpanel

Open arybakov05 opened this issue 5 months ago • 6 comments

Describe the bug When creating a page with id "controlpanel", the actual controlpanel is being returned, instead of the newly created page. Also, an attempt to view the contents of this page results in an empty page instead of the content browser.

To Reproduce

  1. Go to https://demo.plone.org/ and login as admin (or locally).
  2. Create a new page in the site root with id "controlpanel".
  3. Visit the newly created page.
  4. See controlpanel instead of new page

Expected behavior A new, empty page should appear, or the id "controlpanel" shouldn't be allowed/should be changed to "controlpanel-1".

Screenshots Image

Image

Software (please complete the following information):

  • OS: Ubuntu 24.04
  • Browser Chrome 138.0.7204.100
  • Volto Version 18.23.0
  • Plone Version 6.1.2
  • Plone REST API Version 9.15.1

Additional context This also works with search or sitemap. No one is likely to create those pages in the site root, but it is still very unexpected behavior.

arybakov05 avatar Jul 21 '25 11:07 arybakov05

Thanks for opening your first issue here! Your engagement is essential for open source projects, including Plone. :hugs:
If you haven't done so already, read Plone's Code of Conduct. Also please follow the issue template, as it helps both you and other community members contribute more effectively.
If your issue is a feature request, others may raise its prominence through feature voting.
Welcome to the Plone community! :tada:

boring-cyborg[bot] avatar Jul 21 '25 11:07 boring-cyborg[bot]

was able to reproduce!

rohnsha0 avatar Jul 21 '25 15:07 rohnsha0

Hi, I looked deeper into this issue and found the root cause.

Volto already treats some route IDs (like edit) as reserved, and when a user creates content with ID "edit", Volto automatically renames it to "edit-1" to avoid a route collision.

However, the reserved IDs:

  • controlpanel
  • search
  • sitemap

are not included in the same reserved-ID handling, so Volto does not auto-rename them to:

  • controlpanel-1
  • search-1
  • sitemap-1

Instead, Volto tries to render the internal route, which causes the unexpected behavior described in this issue.

This means these IDs behave inconsistently compared to other reserved IDs like "edit", which already becomes "edit-1" automatically.

I’m preparing a fix to add these missing reserved IDs to the logic so they are handled the same way as "edit" and other protected routes.

pratyush07-hub avatar Nov 29 '25 08:11 pratyush07-hub

Hey @plone/volto-team @rohnsha0 @arybakov05,

I’m trying to create content items in Volto with titles that could generate reserved slugs.

Here’s what I observed:

  • When I create a content item with a title that would slugify to edit, Volto handles it fine. It generates edit-1, edit-2, etc., without any issues.
  • However, when I try to create a content item that would slugify to controlpanel, it fails or blocks creation.

I have tried:

  • Custom slugify function to avoid reserved words.
  • Adding controlpanel to reserveIds.
  • Checking existing content slugs.

None of these approaches seem to resolve the issue for controlpanel.

Could you clarify:

  1. Why does edit work but controlpanel does not? Are there additional internal checks or hardcoded routes in Volto/Plone that block controlpanel specifically?
  2. What is the recommended way to allow content creation safely for reserved words like controlpanel, search, sitemap or contents?

pratyush07-hub avatar Nov 29 '25 10:11 pratyush07-hub

@pratyush07-hub The backend handles this. See https://github.com/plone/plone.restapi/issues/1613

wesleybl avatar Nov 29 '25 14:11 wesleybl

Ohk, then I’ll check other issues.

pratyush07-hub avatar Nov 29 '25 19:11 pratyush07-hub