
[BUG] - Possible to edit cookbook without being logged in #3098

Closed
5 of 6 tasks
phellarv opened this issue Feb 2, 2024 · 4 comments · Fixed by #3100
Labels
bug: confirmed bug Something isn't working

Comments

phellarv commented Feb 2, 2024

First Check

  • This is not a feature request.
  • I added a very descriptive title to this issue (title field is above this).
  • I used the GitHub search to find a similar issue and didn't find it.
  • I searched the Mealie documentation, with the integrated search.
  • I already read the docs and didn't find an answer.
  • This issue can be replicated on the demo site (https://demo.mealie.io/).

What is the issue you are experiencing?

Go to https:///cookbooks without being logged in.
There you can edit cookbooks, again without being logged in.
This is a severe security issue.

Steps to Reproduce

  1. Go to https:///cookbooks without being logged in.
  2. There you can edit cookbooks, again without being logged in.
    [screenshot 2024-02-02_14-10]

Please provide relevant logs

INFO:     127.0.0.1:56788 - "GET /api/app/about HTTP/1.1" 200 OK
INFO:     172.16.40.1:10338 - "GET /api/explore/cookbooks/home?page=1&perPage=-1&orderBy=position&orderDirection=asc HTTP/1.1" 200 OK
INFO:     172.16.40.1:10338 - "GET /sw.js HTTP/1.1" 304 Not Modified

Mealie Version

Version - nightly
Build - 9bf2e3f

Deployment

Docker (Linux)

Additional Deployment Details

No response

@phellarv phellarv added bug Something isn't working triage labels Feb 2, 2024
@Kuchenpirat
Collaborator

Hey, thanks for raising this issue.

I know that we currently have a few pages that are unsecured and can be accessed when a non-logged-in user accesses them directly. But the cookbook page is, as far as I know, not one of them and should reroute you to your last location.

I wasn't able to reproduce this on my instance nor on the demo instance.
e.g. by going to https://demo.mealie.io/g/home/cookbooks I get a 404 error (because router back is not accessible when directly navigating to that page).

Could you try to reproduce the problem on the demo page, or give more information about how to reproduce it.


phellarv commented Feb 2, 2024

[screenshot 2024-02-02_14-36]
Yes it's possible on the demo site.

The thing I did:
I have a WordPress blog. There I have a menu item that is a Custom Link.
You can go to https://foodie.duckboot.net and click the menu item which is named mat to see the bug in action.

@Kuchenpirat
Collaborator

Ok, this is very weird.
I don't know exactly why the router back would not be working when coming from a different source. Good news is that I was already working on addressing this for pretty much all pages, so this will be fixed within the next days.

Thanks for helping me reproduce this!
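
Added example, not Mealie's own code: a framework-agnostic sketch of the two guard strategies discussed above. The variant that sends an unauthenticated visitor "back" has nowhere to go when the page was opened directly from an external link, so it falls through; the hardened variant always redirects to a login route that remembers the requested path. Route names other than /g/home/cookbooks, the `loggedIn` flag and the `/login?redirect=` form are assumptions.

```javascript
// Added example (not Mealie's code). Paths other than /g/home/cookbooks
// (taken from the thread), the `loggedIn` flag and the /login?redirect= form
// are assumptions.
const PUBLIC_ROUTES = new Set(["/login", "/explore"]);

// Variant the thread describes: unauthenticated visitors are sent "back".
// `history` is the in-app navigation stack; it is empty on a direct visit
// from another site, so there is nothing to go back to and the guard falls
// through, letting the page render (it only looks editable: the API still
// rejects the writes).
function guardUsingHistoryBack(route, session, history) {
  if (session.loggedIn || PUBLIC_ROUTES.has(route)) {
    return { action: "allow", route };
  }
  if (history.length === 0) {
    return { action: "fallthrough", route };
  }
  return { action: "back", route: history[history.length - 1] };
}

// Hardened variant: never depend on history. Always send the visitor to the
// login route and carry the requested path so they land back there afterwards.
// Only same-origin relative paths are accepted as the return target, so the
// redirect parameter cannot be turned into an open redirect.
function guardRedirectToLogin(route, session) {
  if (session.loggedIn || PUBLIC_ROUTES.has(route)) {
    return { action: "allow", route };
  }
  const safeReturn = /^\/(?![\/\\])/.test(route) ? route : "/";
  return {
    action: "redirect",
    route: `/login?redirect=${encodeURIComponent(safeReturn)}`,
  };
}

// Simulate the report: an external link to the cookbook page, no session.
const anonymous = { loggedIn: false };
console.log(guardUsingHistoryBack("/g/home/cookbooks", anonymous, []));
// → { action: 'fallthrough', route: '/g/home/cookbooks' }
console.log(guardRedirectToLogin("/g/home/cookbooks", anonymous));
// → { action: 'redirect', route: '/login?redirect=%2Fg%2Fhome%2Fcookbooks' }
```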

@michael-genson
Collaborator

Strange that you can directly link there, but only in certain instances.

This isn't a security issue because you can't actually edit the cookbook, it just looks like you can.

@michael-genson michael-genson changed the title [BUG] - [Security issue] - Possible to edit cookbook without being logged in [BUG] - Possible to edit cookbook without being logged in Feb 2, 2024