Plone 6 - Anonymous user sees a partial control panel

When I visit /controlpanel in a new Plone 6 site, as an anonymous user, I see a partial controlpanel.
This is a bit weird.

Volto is fully integrated with the backend. That means, if you're expecting to see a 403 on this page, then whatever endpoint is called on the controlpanels page should yield forbidden. If it returns valid information (I wouldn't call it harmless, as this would probably not pass a security audit), Volto will show it. returns

Sorry, something went wrong with your request

Cannot read property 'replace' of undefined


returns a login form

This is an endpoint called /controlpanel not /@@overview-controlpanel.
Take a look for yourself:

The /controlpanel is the "route" in Volto terms. But if you check the network requests made by the page, you'll see calls to the @controlpanels restapi endpoint.

curl '' \
  -H 'Connection: keep-alive' \
  -H 'sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"' \
  -H 'Accept: application/json' \
  -H 'DNT: 1' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer:' \
  -H 'Accept-Language: en,ro-RO;q=0.9,ro;q=0.8' \
  -H 'Cookie: lang=en; I18N_LANGUAGE=en' \

In any case, I'm mostly wrong. The controlpanels endpoint is empty, I think those buttons are hardcoded.
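A check an administrator can run against the @controlpanels restapi endpoint that Volto calls behind its /controlpanel route, added here as an example and not code from Plone or Volto; the site URL is a placeholder, and the classifier assumes plone.restapi answers GET @controlpanels with a JSON list of panel descriptions:

```python
import json
import urllib.error
import urllib.request

# Added example, not Plone/Volto code. BASE_URL is a placeholder site URL.
BASE_URL = "http://localhost:8080/Plone"


def classify(status, body):
    """Classify a @controlpanels response for an anonymous request.

    status: HTTP status code; body: decoded JSON, or None when not JSON.
    Returns 'forbidden' when access is denied, 'empty' when the endpoint
    answers with no panels (what the thread reports), 'exposed' when panel
    metadata came back to an unauthenticated caller, 'error' otherwise.
    """
    if status in (401, 403):
        return "forbidden"
    if status != 200:
        return "error"
    # assumption: plone.restapi returns a JSON list of panel descriptions
    if isinstance(body, list):
        return "empty" if len(body) == 0 else "exposed"
    return "unexpected"


def fetch_controlpanels(base_url=BASE_URL, token=None):
    """GET <site>/@controlpanels (optionally with a JWT) and classify it."""
    req = urllib.request.Request(f"{base_url}/@controlpanels",
                                 headers={"Accept": "application/json"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        status, raw = exc.code, exc.read()
    try:
        body = json.loads(raw) if raw else None
    except ValueError:
        body = None
    return status, classify(status, body)


if __name__ == "__main__":
    status, verdict = fetch_controlpanels()
    print(f"anonymous @controlpanels -> HTTP {status}: {verdict}")
```

Run it twice, once without a token and once with a logged-in user's token, and compare the verdicts; anything other than forbidden or empty for the anonymous run is the case the thread calls audit-relevant.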

Yes... it looks like some kind of hardcoding that shouldn't be there for anonymous users. I figure it is harmless but possibly confusing.