When I visit /controlpanel in a new Plone 6 site, as an anonymous user, I see a partial controlpanel.
This is a bit weird.
Volto is fully integrated with the backend. That means, if you're expecting to see a 403 on this page, then whatever endpoint is called on the controlpanels page should yield forbidden. If it returns valid information (I wouldn't call it harmless, as this would probably not pass a security audit), Volto will show it.
https://6.demo.plone.org/@@overview-controlpanel returns
Sorry, something went wrong with your request
Cannot read property 'replace' of undefined
while
https://6-classic.demo.plone.org/login?came_from=/%40%40overview-controlpanel
returns a login form
This is an endpoint called /controlpanel, not /@@overview-controlpanel.
Take a look for yourself:
https://node2.plone6.steadydrummer.com/controlpanel
The /controlpanel is the "route" in Volto terms. But if you check the network requests made by the page, you'll see calls to the @controlpanels restapi endpoint.
curl 'https://node2.plone6.steadydrummer.com/api/++api++/@controlpanels' \
-H 'Connection: keep-alive' \
-H 'sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"' \
-H 'Accept: application/json' \
-H 'DNT: 1' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Referer: https://node2.plone6.steadydrummer.com/controlpanel' \
-H 'Accept-Language: en,ro-RO;q=0.9,ro;q=0.8' \
-H 'Cookie: lang=en; I18N_LANGUAGE=en' \
--compressed
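The curl call above is the manual version of the check an audit would want: hit @controlpanels once anonymously and once as an authenticated user, and diff what each caller gets back. The script below does that comparison. It is an added example, not code from Volto or plone.restapi. It assumes the protected endpoint answers anonymous callers with a 401 carrying a JSON body (as plone.restapi does) and that an authenticated caller gets a JSON list of panel entries each with an "@id"; the sample responses and the localhost URLs in them are constructed for the offline demo, not captured from any of the sites linked in this thread.

```python
"""Probe a plone.restapi endpoint anonymously and as an authenticated user,
then diff what each caller can see. Added example, not Volto/Plone code."""
import base64
import json
import urllib.error
import urllib.request


def fetch_json(url, auth=None, timeout=10):
    """GET `url` as JSON, returning (status, parsed_body_or_None).
    `auth` is an optional (user, password) tuple sent as HTTP Basic auth.
    plone.restapi answers 401 to anonymous callers on protected endpoints;
    urllib raises that as HTTPError, so we catch it and return the status."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw or b"null")
    except ValueError:
        return status, None


def item_ids(body):
    """Identifiers of the control panel entries in a @controlpanels body
    (a JSON list of objects carrying an '@id'). Anything else yields none."""
    if not isinstance(body, list):
        return set()
    return {i.get("@id") for i in body if isinstance(i, dict) and i.get("@id")}


def audit(anon, authed):
    """Compare (status, body) probes of the same endpoint and return a verdict:
      'denied' - anonymous got 401/403 and no panel entries
      'empty'  - anonymous got a non-error status but no entries (nothing
                 shown, but an audit still wants to know why it is not 401)
      'leak'   - anonymous sees entries; 'leaked' lists them"""
    anon_status, anon_body = anon
    auth_status, auth_body = authed
    anon_ids = item_ids(anon_body)
    auth_ids = item_ids(auth_body)
    if anon_status in (401, 403) and not anon_ids:
        verdict = "denied"
    elif not anon_ids:
        verdict = "empty"
    else:
        verdict = "leak"
    return {
        "verdict": verdict,
        "anonymous_status": anon_status,
        "authenticated_status": auth_status,
        "leaked": sorted(anon_ids),
        "authenticated_only": sorted(auth_ids - anon_ids),
    }


# Constructed sample responses (not captured from a live site), shaped like
# plone.restapi's @controlpanels answers: a 401 for anonymous and a list of
# panel entries for a Manager. The localhost URLs are placeholders.
SAMPLE_ANON = (401, {"type": "Unauthorized", "message": "You are not authorized"})
SAMPLE_AUTH = (200, [
    {"@id": "http://localhost:8080/Plone/@controlpanels/mail",
     "group": "General", "title": "Mail"},
    {"@id": "http://localhost:8080/Plone/@controlpanels/security",
     "group": "Security", "title": "Security"},
])


def demo():
    """Run the audit over the constructed samples."""
    return audit(SAMPLE_ANON, SAMPLE_AUTH)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        # usage: python audit_controlpanels.py https://site/++api++/@controlpanels user password
        url, user, pw = sys.argv[1:]
        print(json.dumps(audit(fetch_json(url), fetch_json(url, (user, pw))), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run it with no arguments for the offline demo, or with the endpoint URL plus a username and password to probe a real site. A "denied" verdict is what you want for an anonymous request; "empty" means the backend let the request through but returned nothing, which matches the observation later in this thread and is worth a second look in an audit; "leak" lists the panel entries an anonymous caller should never have seen.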
In any case, I'm mostly wrong. The controlpanels endpoint is empty; I think those buttons are hardcoded.
Yes... it looks like some kind of hardcoding that shouldn't be there for anonymous users. I figure it is harmless but possibly confusing.