Logged in frontend user can't log in as backend user

Sorry for the confusing title, I found it hard to put it into words :sweat_smile:

On a client’s website you can log in as different frontend users to access various pages. I followed this cookbook article and it works perfectly fine.

But today my client logged in as a frontend user and after that tried to visit example.com/panel to log in as a panel user. He got redirected to example.com without any message because this user role doesn’t have panel access.
You can’t reach the login this way, not even by visiting example.com/panel/login. Wouldn’t it be possible to still show the login form or so? Currently you have to log out and then visit the panel login form.

But this makes perfect sense, because you are in a given session. If I’m logged in as user A, I also cannot log in as user B in the same browser session. I have to either log out or create a new private window.

Yes, it makes sense. But why am I redirected to example.com? I think the login form or an error message would be more helpful, no?

Maybe create an issue on GitHub? I think the redirect to the home page happens in auth.js

    // no access? redirect to website
    if (access.panel === false) {
      window.location.href = config.site;
      return false;
    }

But imo, it doesn’t make sense to redirect to the login form, because the user cannot log in at this time. So the only alternative would be to go to the error page.

Hi everyone,

I agree with @thguenther, we should be able to redirect to a specific page where it is explained that “frontend users cannot reach the panel”. I am having the same trouble for my current client and since they might have the case where they were logged in as a frontend user and then want to switch to an admin user (panel user) it would be nice to have a page mentioning this. I think not everyone will remember that they have to log out as a frontend user to log back in as an admin and, at least in my case, the home page has nothing to do with my frontend users, so it is quite confusing when it happens to them.

oooor, maybe this has been already solved in some way and I didn't look long enough for it? :see_no_evil:

@thguenther did you find a workaround?

Well, for this particular project I added a logout button to the frontend, reduced the timeout and gave admin users the same rights in the frontend. Not sure if the behavior changed in the meantime.

You could use a route.before hook to automatically log a user out when they try to access the panel/login path while they are already logged in, for example:

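'route:before' => function ($route, $path, $method) {
	// Only act on the Panel login path, and only when a user is already logged in
	if ($path === 'panel/login' && $user = kirby()->user()) {
		$permissions = $user->role()->permissions()->toArray()['access'];
		// Role without Panel access: end the current session
		if (($permissions['panel'] ?? true) !== true) {
			kirby()->user()->logout();
		}
	}
}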

Or you just die:

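'route:before' => function ($route, $path, $method) {
	// Only act on the Panel login path, and only when a user is already logged in
	if ($path === 'panel/login' && $user = kirby()->user()) {
		$permissions = $user->role()->permissions()->toArray()['access'];
		// Role without Panel access: stop the request with a plain message
		if (($permissions['panel'] ?? true) !== true) {
			die('You are already logged in');
		}
	}
}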

Or send the user to a page with explanations…

Thank you sonja! That was exactly what I needed :slight_smile:
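
The third option mentioned above (sending the user to a page with explanations), written out as an added example that is not code from the thread or from Kirby itself. It goes beyond the posted snippets by covering every Panel URL rather than only `panel/login`, and unlike the logout variant it leaves the session untouched, so a plain GET request changes no state. The slug `no-panel-access` and the message text are assumptions.

```php
<?php
// site/config/config.php
// Added example. The slug "no-panel-access" and the wording of the
// message are assumptions, not part of the original thread.

return [
    'hooks' => [
        'route:before' => function ($route, $path, $method) {
            $path = (string)$path;

            // Only act on Panel URLs: "panel" itself and anything below "panel/".
            if ($path !== 'panel' && strpos($path, 'panel/') !== 0) {
                return;
            }

            // No session: let Kirby show the normal Panel login form.
            if (!$user = kirby()->user()) {
                return;
            }

            // Same permission lookup as in the snippets above; a role that
            // does not set access.panel is treated as having Panel access.
            $access = $user->role()->permissions()->toArray()['access'] ?? [];

            if (($access['panel'] ?? true) !== true) {
                // The session is left as it is; the user is only redirected.
                go('no-panel-access');
            }
        },
    ],

    'routes' => [
        [
            'pattern' => 'no-panel-access',
            'action'  => function () {
                // A string returned from a route is sent as the HTML response.
                return '<h1>No Panel access</h1>'
                    . '<p>You are logged in with a frontend account that cannot '
                    . 'open the Panel. Log out first, then open the Panel login '
                    . 'again with your Panel account.</p>';
            },
        ],
    ],
];
```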