[Bug] The menu is loaded on public pages and breaks loginflow #443

New issue

Open

opened 2025-09-23 17:32:40 +02:00 by come-nc · 0 comments

come-nc commented

2025-09-23 17:32:40 +02:00

Environment

Custom menu version: 5.1.1
Nextcloud version: 31.0.9
PHP version: 8.3
Web server (Nginx, Apache2): Apache
Web browser and version (Firefox 80, Google Chrome 74, etc): Firefox

Configuration

{
  ...
}

Steps to reproduce

Enable side_menu and external applications.
Try to login with a desktop client.

Observed Results

On the login page, the menu script is loaded and tries to load the external application icons.
This results in a request to the external controller to get the application icon.
Because this is not a public page this is not allowed with an ephemeral session and the session gets killed.

Expected Results

The menu should only load on authenticated pages.

More informations

I was surprised that the side_menu controller routes are public. Are there usecases for having the menu on public pages?
If not, it should listen to BeforeTemplateRenderedEvent and check getResponse()->getRenderAs() to skip the script on public and error pages.

### Environment * Custom menu version: 5.1.1 * Nextcloud version: 31.0.9 * PHP version: 8.3 * Web server (Nginx, Apache2): Apache * Web browser and version (Firefox 80, Google Chrome 74, etc): Firefox ### Configuration ``` { ... } ``` ### Steps to reproduce Enable `side_menu` and `external` applications. Try to login with a desktop client. ### Observed Results On the login page, the menu script is loaded and tries to load the external application icons. This results in a request to the external controller to get the application icon. Because this is not a public page this is not allowed with an ephemeral session and the session gets killed. ### Expected Results The menu should only load on authenticated pages. ### More informations I was surprised that the side_menu controller routes are public. Are there usecases for having the menu on public pages? If not, it should listen to BeforeTemplateRenderedEvent and check getResponse()->getRenderAs() to skip the script on public and error pages.