Opening the code editor (/canvas/code-editor/component/*) crashes with a fatal error boundary if the current user does not have the "administer brand kit" permission.
The code editor loads normally. Users without the brand kit permission should simply not see the brand kit sidebar panel, which is already correctly gated.
useGetCodeEditorData fetches brand_kit/global unconditionally on every code editor load. When the API returns 403, errorGetBrandKit is set and showBoundary() is called, crashing the entire code editor.
In useGetCodeEditorData.ts:
useGetAutoSaveQueryBrandKit is called with no permission guard — the brand kit API is always fetched regardless of whether the user has the brandKit permission.isSuccess requires the brand kit fetch to succeed, blocking the editor from initializing.showBoundary(), making it a fatal crash.The brand kit sidebar panel is correctly gated (!hasPermission('brandKit') || !devMode), but the underlying data fetch is not.
Skip the brand kit fetch from auto-save when the user lacks the brandKit permission (mirror the existing panel permission gate)
Show commandsStart within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
changes
Comments
Comment #4
penyaskitoComment #5
penyaskitoDisclosure: MR was Claude assisted. I reviewed it and understand every single line.
Comment #6
penyaskitoTagging needs tests. This bug is quite annoying and blocking several stuff, so can definitely be in a follow-up MR.
Comment #7
justafishComment #8
penyaskitoComment #9
penyaskitoFixed one of the flaky tests AI-assisted. I'm not even sure how this would ever pass.
But now: phpstan 2.1.43 released 1 hour ago, enough proof that the world hates me.
Comment #11
penyaskitoLeaving open for a new test. I think @justafish has something, so assigning to her (feel free to unassign if I'm wrong)