TryGhost/Ghost

Editor opening staff settings/profile triggers forbidden API calls and unrelated permission toast

Open

#26 607 ouverte le 26 févr. 2026

Voir sur GitHub
 (5 commentaires) (1 réaction) (0 assignés)JavaScript (11 551 forks)batch import
buggood first issue

Métriques du dépôt

Stars
 (52 799 stars)
Métriques de merge PR
 (Merge moyen 19j 11h) (658 PRs mergées en 30 j)

Description

Issue Summary

We encountered a problem where our editors and authors cannot use the Ghost admin panel properly. I deployed the latest copy of Ghost locally and see that the problem also persists. When logged in as an Editor, opening the staff settings route and viewing an editor profile triggers admin API calls that require higher permissions.
This results in noisy 403 errors and an unrelated toast:

"You do not have permission to browse members"

The interface also becomes unresponsive (clicks on other items in the sidebar do not work). The same applies to other roles other than administrator, author, and contributor.

I recorded a video demonstrating this problem:

https://github.com/user-attachments/assets/467e037a-6406-4059-9651-622f4f06062c

Steps to Reproduce

  1. Create a Ghost site (tested on local install).
  2. Have at least 2 users:
    • Owner/Admin
    • Editor
  3. Log in as Editor.
  4. Open http://localhost:2369/ghost/#/settings/staff?tab=editors (or #/settings/staff).
  5. Try clicking something in the sidebar; it is not clickable.

Ghost Version

6.19.2

Node.js Version

22.18.0

How did you install Ghost?

Ghost Locally, macOS 26.3, Google Chrome 145.0.7632.117

Database type

SQLite3

Browser & OS version

macOS 26.3, Google Chrome 145.0.7632.117

Relevant log / error output

[2026-02-26 09:58:13] ERROR "GET /ghost/api/admin/members/?limit=1" 403 70ms

NAME: NoPermissionError
MESSAGE: You do not have permission to browse members

level: normal

NoPermissionError: You do not have permission to browse members
    at /Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/services/permissions/can-this.js:101:43
    at async nonePublicAuth (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/api/endpoints/utils/permissions.js:44:24)
    at async sequence (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/node_modules/@tryghost/promise/lib/sequence.js:16:22)
    at async getResponse (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:258:17)
    at async ImplWrapper (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:264:30)
    at async Http (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/http.js:70:28)

[2026-02-26 09:58:13] ERROR "GET /ghost/api/admin/identities/" 403 124ms

NAME: NoPermissionError
MESSAGE: You do not have permission to read identities

level: normal

NoPermissionError: You do not have permission to read identities
    at /Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/services/permissions/can-this.js:101:43
    at async nonePublicAuth (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/api/endpoints/utils/permissions.js:44:24)
    at async sequence (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/node_modules/@tryghost/promise/lib/sequence.js:16:22)
    at async getResponse (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:258:17)
    at async ImplWrapper (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:264:30)
    at async Http (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/http.js:70:28)

[2026-02-26 09:58:32] ERROR "GET /ghost/api/admin/members/?limit=1" 403 119ms

NAME: NoPermissionError
MESSAGE: You do not have permission to browse members

level: normal

NoPermissionError: You do not have permission to browse members
    at /Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/services/permissions/can-this.js:101:43
    at async nonePublicAuth (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/api/endpoints/utils/permissions.js:44:24)
    at async sequence (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/node_modules/@tryghost/promise/lib/sequence.js:16:22)
    at async getResponse (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:258:17)
    at async ImplWrapper (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:264:30)
    at async Http (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/http.js:70:28)

[2026-02-26 09:58:32] ERROR "GET /ghost/api/admin/identities/" 403 98ms

NAME: NoPermissionError
MESSAGE: You do not have permission to read identities

level: normal

NoPermissionError: You do not have permission to read identities
    at /Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/services/permissions/can-this.js:101:43
    at async nonePublicAuth (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/api/endpoints/utils/permissions.js:44:24)
    at async sequence (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/node_modules/@tryghost/promise/lib/sequence.js:16:22)
    at async getResponse (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:258:17)
    at async ImplWrapper (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:264:30)
    at async Http (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/http.js:70:28)

Code of Conduct

  • I agree to be friendly and polite to people in this repository

Guide contributeur