Permission problems trying to duplicate a page via custom API endpoint

I’m hitting permissions problems in a custom API endpoint that attempts to duplicate and then update a page.

TL;DR: It seems that using $kirby->impersonate('kirby'); is not actually elevating the permissions.

Here’s the code:

<?php

Kirby::plugin('my/customPreview', [
   'api' => [
      'routes' => function ($kirby) {
         return [
            [
               'pattern' => 'save-custom-draft',
               'method' => 'POST',
               'action' => function () use ($kirby) {
                  // Creates a preview version of the file with the in-memory data (i.e. the data that's yet to be saved) for use 
                  // in our Lambda function that builds a Netlify preview.

                  $kirby->impersonate('kirby');

                  // Create the name, using our naming structure of `internal-preview-[slug]`
                  $tempName = 'internal-preview-' . $this->requestBody('slug');

                  // Duplicate the published file (this creates a Kirby draft by default)
                  $tempCopy = $kirby->page($tempName) ? $this->page($tempName) : $kirby->page($this->requestBody('slug'))->duplicate($tempName);

                  // Update the duplicated file with our in-memory data
                  $tempCopy->update($this->requestBody('data'), $this->language(), false);

                  return new Response(null, null, 204);
               }
            ]
         ];
      }
   ]
]);

I suspect this may be a bug but I’m not sure. That returns a 403. The $kirby->impersonate('kirby'); line doesn’t seem to actually elevate the permissions. Note that I’ve also tried using an existing admin’s email and an existing admin’s id in place of kirby but am seeing the same issue.

For context: How to save a custom draft from the panel (using the API) - #10

Impersonating a Kirby user in an API route shouldn’t even be necessary since the API requires authentication, anyway.

What does $this->page($tempName) return?

$this->page($tempName) is undefined by default (since there’s initially no draft created). But commenting all of that out and simply trying to duplicate a page returns the same permission error. Here’s a simplified version of the code to better illustrate the problem:

<?php

Kirby::plugin('my-plugin/customDraft', [
   'api' => [
      'routes' => function ($kirby) {
         return [
            [
               'pattern' => 'save-custom-draft',
               'method' => 'POST',
               'action' => function () use ($kirby) {
                  $this->page('home')->duplicate('home-temp-test');

                  // Also tried these, which also return 403s
                  
                  // $kirby->page('home')->duplicate('home-temp-test');

                  // kirby()->page('home')->duplicate('home-temp-test');

                  return new Response(null, null, 204);
               }
            ]
         ];
      }
   ]
]);

Alright, figured out that the problem was due to setting duplicate: false in the page’s blueprint. This is a setting for the mullema/k3-panel-view-extended plugin (GitHub: “Quick fix for some missing features in the panel”), which I’m using to have more granular control of UI elements on specific pages. So simple! :man_facepalming:

I didn’t dare ask…
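
Added example, not code from this thread or from Kirby itself: a small diagnostic API route that reports which layer would deny a duplicate, the user's role or the page blueprint's duplicate option, which is the layer that produced the 403 above. The plugin name, route pattern and response keys are hypothetical, and it assumes Kirby 3's permissions API.

```php
<?php

use Kirby\Exception\InvalidArgumentException;

// Hypothetical plugin name and route pattern, for illustration only.
Kirby::plugin('example/duplicate-check', [
   'api' => [
      'routes' => [
         [
            'pattern' => 'duplicate-check',
            'method'  => 'POST',
            'action'  => function () {
               $slug = $this->requestBody('slug');

               if (is_string($slug) === false || $slug === '') {
                  throw new InvalidArgumentException('Missing "slug" in request body');
               }

               // Throws a not-found exception if the page does not exist
               $page = $this->page($slug);

               // The user the API request is authenticated as
               $user = kirby()->user();

               // Layer 1: what the user's role allows for pages in general
               $roleAllows = $user !== null
                  && $user->role()->permissions()->for('pages', 'duplicate') === true;

               // Layer 2: per-page options from the blueprint, e.g.
               //    options:
               //      duplicate: false
               $options = $page->blueprint()->options();

               // Returned arrays are sent back as JSON by the Kirby API
               return [
                  'user'                => $user !== null ? $user->id() : null,
                  'role'                => $user !== null ? $user->role()->id() : null,
                  'roleAllowsDuplicate' => $roleAllows,
                  'blueprintDuplicate'  => $options['duplicate'] ?? null,
                  // Combined result, the same check made before a duplicate
                  'canDuplicate'        => $page->permissions()->can('duplicate'),
               ];
            }
         ]
      ]
   ]
]);
```

If roleAllowsDuplicate is true while canDuplicate is false, the denial comes from the page blueprint rather than from the authenticated user's role.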