Description
While testing admin workflows, I noticed that a user authenticated with a regular customer account is still able to access and navigate through admin routes.
Although backend authorization correctly prevents restricted operations, the admin interface itself is rendered and remains accessible until an admin-only action triggers a protected API request.
Current Behavior
A customer account can access pages intended for administrative users, including areas such as:
- Dashboard
- Orders
- Menu Management
- Store Management
The admin UI loads successfully and can be navigated normally.
However, when the user attempts an admin-only action (for example creating menus, branches, or other management operations), the backend responds with a 403 Forbidden error and the user is eventually redirected to the login page.
Observed Impact
This creates an inconsistent authorization experience where:
- Non-admin users can view and interact with administrative interfaces.
- Access is only denied after an API request is made.
- The user is redirected only after backend authorization fails.
As a result, users are able to reach protected admin pages even though they do not have the required permissions to perform administrative operations.
Steps to Reproduce
- Sign in using a customer account.
- Navigate to an admin route (e.g. Dashboard, Orders, Menus, Store Management).
- Observe that the admin interface loads successfully.
- Attempt an admin-only action.
- Observe that the backend returns a 403 Forbidden response and the user is redirected.
Expected Behavior
Users without the required administrative role should not be able to access protected admin routes.
Attempting to access /admin/* routes with a non-admin account should immediately:
- Redirect the user to an appropriate page, or
- Display an unauthorized access view,
without rendering the admin interface.
Additional Context
While investigating this behavior, I observed that backend authorization is functioning correctly and returns 403 Forbidden responses for restricted operations.
The issue appears to be that route-level protection only checks that the user is authenticated, so any signed-in account reaches the admin pages before role-based authorization is enforced.
Screenshot attached showing a customer account successfully accessing the admin dashboard.
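The expected behaviour above (decide on /admin/* before the admin UI renders, while the API keeps enforcing the role on its own) can be sketched as a small role-aware route guard. This is an added example, not code from the project: the session shape `{ authenticated, roles }`, the `admin` role name, the `/unauthorized` view and the `authorizeApi` helper are all assumptions made for illustration.

```javascript
// Added example (not the project's code): a role-aware route guard that decides
// what to do with /admin/* navigations *before* any admin view is rendered, plus
// the server-side authorization check that must stay in place regardless.
// The session shape { authenticated, roles } and the route names are assumptions.

const ADMIN_ROUTE = /^\/admin(\/|$)/; // matches /admin and /admin/..., not /administrator
const ADMIN_ROLE = "admin";

// Only send the user back to a same-origin path after login
// (rejects absolute URLs and protocol-relative "//evil.example" values).
function safeNextPath(path) {
  return typeof path === "string" && path.startsWith("/") && !path.startsWith("//")
    ? path
    : "/";
}

// Route guard. Returns one of:
//   { action: "render",   view }          - route allowed, render it
//   { action: "redirect", to }            - not signed in, go to login
//   { action: "deny",     view, status }  - signed in but lacks the admin role
function guardRoute(path, session) {
  if (!ADMIN_ROUTE.test(path)) {
    return { action: "render", view: path };
  }
  if (!session || !session.authenticated) {
    return { action: "redirect", to: "/login?next=" + encodeURIComponent(safeNextPath(path)) };
  }
  const roles = Array.isArray(session.roles) ? session.roles : [];
  if (!roles.includes(ADMIN_ROLE)) {
    // The report's second option: show an unauthorized view instead of the admin UI.
    return { action: "deny", view: "/unauthorized", status: 403 };
  }
  return { action: "render", view: path };
}

// Server side: the guard above is a UX measure only. The API must still refuse
// admin operations on its own, because a client can bypass any front-end check.
function authorizeApi(request, session) {
  if (!session || !session.authenticated) return { status: 401 };
  const roles = Array.isArray(session.roles) ? session.roles : [];
  if (request.requiresRole && !roles.includes(request.requiresRole)) return { status: 403 };
  return { status: 200 };
}

// Constructed navigation log reproducing the report: a customer account visits
// the admin routes and then attempts an admin-only operation.
function simulateReport() {
  const customer = { authenticated: true, roles: ["customer"] };
  const visits = ["/admin/dashboard", "/admin/orders", "/admin/menus", "/admin/stores"];
  const pageDecisions = visits.map((p) => guardRoute(p, customer).action);
  const api = authorizeApi({ path: "/api/menus", method: "POST", requiresRole: ADMIN_ROLE }, customer);
  return { pageDecisions, apiStatus: api.status };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(simulateReport()));
}
```

With the guard in place every admin page visit by the customer account resolves to `deny` before the view is built, while `authorizeApi` still answers 403 for the POST; the two checks are deliberately independent so that removing the front-end guard never weakens the backend.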