TryGhost/Ghost

Editor opening staff settings/profile triggers forbidden API calls and unrelated permission toast

Open

#26.607 aberto em 26 de fev. de 2026

Ver no GitHub
 (5 comments) (1 reaction) (0 assignees)JavaScript (11.551 forks)batch import
buggood first issue

Métricas do repositório

Stars
 (52.799 stars)
Métricas de merge de PR
 (Mesclagem média 19d 11h) (658 fundiu PRs em 30d)

Description

Issue Summary

We encountered a problem where our editors and authors cannot use the Ghost admin panel properly. I deployed the latest copy of Ghost locally and see that the problem also persists. When logged in as an Editor, opening the staff settings route and viewing an editor profile triggers admin API calls that require higher permissions.
This results in noisy 403 errors and an unrelated toast:

"You do not have permission to browse members"

The interface also becomes unresponsive (clicks on other items in the sidebar do not work). The same applies to other roles other than administrator, author, and contributor.

I recorded a video demonstrating this problem:

https://github.com/user-attachments/assets/467e037a-6406-4059-9651-622f4f06062c

Steps to Reproduce

  1. Create a Ghost site (tested on local install).
  2. Have at least 2 users:
    • Owner/Admin
    • Editor
  3. Log in as Editor.
  4. Open http://localhost:2369/ghost/#/settings/staff?tab=editors (or #/settings/staff).
  5. Try clicking something in the sidebar; it is not clickable.

Ghost Version

6.19.2

Node.js Version

22.18.0

How did you install Ghost?

Ghost Locally, macOS 26.3, Google Chrome 145.0.7632.117

Database type

SQLite3

Browser & OS version

macOS 26.3, Google Chrome 145.0.7632.117

Relevant log / error output

[2026-02-26 09:58:13] ERROR "GET /ghost/api/admin/members/?limit=1" 403 70ms

NAME: NoPermissionError
MESSAGE: You do not have permission to browse members

level: normal

NoPermissionError: You do not have permission to browse members
    at /Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/services/permissions/can-this.js:101:43
    at async nonePublicAuth (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/api/endpoints/utils/permissions.js:44:24)
    at async sequence (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/node_modules/@tryghost/promise/lib/sequence.js:16:22)
    at async getResponse (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:258:17)
    at async ImplWrapper (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:264:30)
    at async Http (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/http.js:70:28)

[2026-02-26 09:58:13] ERROR "GET /ghost/api/admin/identities/" 403 124ms

NAME: NoPermissionError
MESSAGE: You do not have permission to read identities

level: normal

NoPermissionError: You do not have permission to read identities
    at /Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/services/permissions/can-this.js:101:43
    at async nonePublicAuth (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/api/endpoints/utils/permissions.js:44:24)
    at async sequence (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/node_modules/@tryghost/promise/lib/sequence.js:16:22)
    at async getResponse (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:258:17)
    at async ImplWrapper (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:264:30)
    at async Http (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/http.js:70:28)

[2026-02-26 09:58:32] ERROR "GET /ghost/api/admin/members/?limit=1" 403 119ms

NAME: NoPermissionError
MESSAGE: You do not have permission to browse members

level: normal

NoPermissionError: You do not have permission to browse members
    at /Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/services/permissions/can-this.js:101:43
    at async nonePublicAuth (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/api/endpoints/utils/permissions.js:44:24)
    at async sequence (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/node_modules/@tryghost/promise/lib/sequence.js:16:22)
    at async getResponse (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:258:17)
    at async ImplWrapper (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:264:30)
    at async Http (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/http.js:70:28)

[2026-02-26 09:58:32] ERROR "GET /ghost/api/admin/identities/" 403 98ms

NAME: NoPermissionError
MESSAGE: You do not have permission to read identities

level: normal

NoPermissionError: You do not have permission to read identities
    at /Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/services/permissions/can-this.js:101:43
    at async nonePublicAuth (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/api/endpoints/utils/permissions.js:44:24)
    at async sequence (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/node_modules/@tryghost/promise/lib/sequence.js:16:22)
    at async getResponse (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:258:17)
    at async ImplWrapper (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:264:30)
    at async Http (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/http.js:70:28)

Code of Conduct

  • I agree to be friendly and polite to people in this repository

Guia do colaborador