Copilot AI commented Dec 17, 2025

The DEBUG sidebar was visible to all frontend visitors when debug mode was enabled, exposing sensitive debugging information (cookies, localStorage, consent status) to unauthenticated users.

Changes

  • fragments/ConsentManager/box_cssjs.php: Added backend session check before loading debug script
    • Calls rex_backend_login::createUser() to initialize user context
    • Checks rex_backend_login::hasSession() && null !== rex::getUser() before output
    • Mirrors existing security pattern in boot.php OUTPUT_FILTER extension

Before/After

Before:

// Load the debug script when debug mode is enabled
if (isset($consent_manager->domainInfo['google_consent_mode_debug'])
    && 1 === $consent_manager->domainInfo['google_consent_mode_debug']) {
    $googleConsentModeOutput .= '<script src="' . $debugScriptUrl . '"></script>';
    // Debug config and script loaded for EVERYONE (no session check)
}

After:

// Load the debug script when debug mode is enabled AND the user is logged into the backend
if (isset($consent_manager->domainInfo['google_consent_mode_debug'])
    && 1 === $consent_manager->domainInfo['google_consent_mode_debug']) {
    // Initialize the backend user context from the current session, if any
    rex_backend_login::createUser();
    if (rex_backend_login::hasSession() && null !== rex::getUser()) {
        $googleConsentModeOutput .= '<script src="' . $debugScriptUrl . '"></script>';
        // Debug config and script loaded ONLY for backend users
    }
}

Debug sidebar now only appears for authenticated backend administrators, preventing information disclosure to public visitors.

Original prompt

This section details the original issue you should resolve

<issue_title>DEBUG side tab ALWAYS visible in the frontend</issue_title>
<issue_description>Rex 5.20.1 / CM Version 5.1.0

When the CM is set to "Debug" mode, the side tab with the DEBUG info should only be visible to logged-in backend users.

It does not do that. The tab is ALWAYS shown as soon as DEBUG mode is enabled. Probably a small bug; all that is missing at the end is the check for the backend session before the output, right?

Regards
Stefan</issue_description>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: skerbis <791247+skerbis@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix debug sidebar always visible for backend users" to "fix(debug): Restrict debug sidebar to backend users only" Dec 17, 2025
Copilot AI requested a review from skerbis December 17, 2025 10:56
@skerbis skerbis marked this pull request as ready for review December 17, 2025 16:58
Copilot AI review requested due to automatic review settings December 17, 2025 16:58
@skerbis skerbis merged commit f1e0303 into main Dec 17, 2025
8 checks passed
@skerbis skerbis deleted the copilot/fix-debug-sidebar-visibility branch December 17, 2025 16:58
Copilot AI left a comment

Pull request overview

This PR fixes a security vulnerability where the debug sidebar with sensitive information (cookies, localStorage, consent status) was visible to all frontend visitors when debug mode was enabled. The fix restricts debug script loading to authenticated backend users only.

Key Changes:

  • Added backend session validation before loading debug scripts in the fragment that renders consent box CSS/JS
  • Implemented the same security pattern already used in boot.php OUTPUT_FILTER extension

Development

Successfully merging this pull request may close these issues.

DEBUG side tab ALWAYS visible in the frontend