
Editor opening staff settings/profile triggers forbidden API calls and unrelated permission toast #26607

@DenisDoroshchuk

Description


Issue Summary

We encountered a problem where our editors and authors cannot use the Ghost admin panel properly. I deployed the latest copy of Ghost locally and see that the problem persists there as well.
When logged in as an Editor, opening the staff settings route and viewing an editor profile triggers admin API calls that require higher permissions.
This results in noisy 403 errors and an unrelated toast:

"You do not have permission to browse members"

The interface also becomes unresponsive (clicks on other items in the sidebar do not work).
The same applies to roles other than Administrator, Author, and Contributor.

I recorded a video demonstrating this problem:

ghost-issue.mov

Steps to Reproduce

  1. Create a Ghost site (tested on local install).
  2. Have at least 2 users:
    • Owner/Admin
    • Editor
  3. Log in as Editor.
  4. Open http://localhost:2369/ghost/#/settings/staff?tab=editors (or #/settings/staff).
  5. Try clicking something in the sidebar; it is not clickable.

Ghost Version

6.19.2

Node.js Version

22.18.0

How did you install Ghost?

Ghost Locally, macOS 26.3, Google Chrome 145.0.7632.117

Database type

SQLite3

Browser & OS version

macOS 26.3, Google Chrome 145.0.7632.117

Relevant log / error output

[2026-02-26 09:58:13] ERROR "GET /ghost/api/admin/members/?limit=1" 403 70ms

NAME: NoPermissionError
MESSAGE: You do not have permission to browse members

level: normal

NoPermissionError: You do not have permission to browse members
    at /Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/services/permissions/can-this.js:101:43
    at async nonePublicAuth (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/api/endpoints/utils/permissions.js:44:24)
    at async sequence (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/node_modules/@tryghost/promise/lib/sequence.js:16:22)
    at async getResponse (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:258:17)
    at async ImplWrapper (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:264:30)
    at async Http (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/http.js:70:28)

[2026-02-26 09:58:13] ERROR "GET /ghost/api/admin/identities/" 403 124ms

NAME: NoPermissionError
MESSAGE: You do not have permission to read identities

level: normal

NoPermissionError: You do not have permission to read identities
    at /Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/services/permissions/can-this.js:101:43
    at async nonePublicAuth (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/api/endpoints/utils/permissions.js:44:24)
    at async sequence (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/node_modules/@tryghost/promise/lib/sequence.js:16:22)
    at async getResponse (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:258:17)
    at async ImplWrapper (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:264:30)
    at async Http (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/http.js:70:28)

[2026-02-26 09:58:32] ERROR "GET /ghost/api/admin/members/?limit=1" 403 119ms

NAME: NoPermissionError
MESSAGE: You do not have permission to browse members

level: normal

NoPermissionError: You do not have permission to browse members
    at /Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/services/permissions/can-this.js:101:43
    at async nonePublicAuth (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/api/endpoints/utils/permissions.js:44:24)
    at async sequence (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/node_modules/@tryghost/promise/lib/sequence.js:16:22)
    at async getResponse (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:258:17)
    at async ImplWrapper (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:264:30)
    at async Http (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/http.js:70:28)

[2026-02-26 09:58:32] ERROR "GET /ghost/api/admin/identities/" 403 98ms

NAME: NoPermissionError
MESSAGE: You do not have permission to read identities

level: normal

NoPermissionError: You do not have permission to read identities
    at /Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/services/permissions/can-this.js:101:43
    at async nonePublicAuth (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/core/server/api/endpoints/utils/permissions.js:44:24)
    at async sequence (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/node_modules/@tryghost/promise/lib/sequence.js:16:22)
    at async getResponse (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:258:17)
    at async ImplWrapper (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/pipeline.js:264:30)
    at async Http (/Users/denis/Local Sites/ghost-vanilla/versions/6.19.2/node_modules/@tryghost/api-framework/lib/http.js:70:28)

Code of Conduct

  • I agree to be friendly and polite to people in this repository
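The report above shows two things a maintainer or operator would want to check: which admin-API endpoints the client calls without permission (the server log), and how the client should behave when a role is not allowed to make an optional call (gate it before sending, and never surface a 403 on a non-essential request as a global error). The example below is added here and is not Ghost's own code; the role-to-permission table, the request list for the staff screen, and `fakeFetch` are constructed assumptions that stand in for Ghost's permission fixtures and the network. The log sample is built from the request lines quoted in the issue.

```javascript
// Added example, not Ghost's own code. (1) summarizeForbidden groups 403s in
// Ghost-style request error lines by method and path, so a triager sees which
// calls the UI makes without permission. (2) loadStaffScreen only issues optional
// requests the signed-in role may make and treats a 403 on an optional request
// as "feature unavailable" rather than a global error toast.
// ROLE_PERMISSIONS, STAFF_SCREEN_REQUESTS and fakeFetch are constructed
// assumptions, not Ghost's real permission fixtures or network layer.

const LOG_LINE = /^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] ERROR "(\w+) ([^"]+)" (\d{3}) (\d+)ms$/;

// Count 403 responses per "METHOD path"; stack-trace and blank lines are ignored.
function summarizeForbidden(logText) {
  const counts = {};
  for (const raw of logText.split('\n')) {
    const m = LOG_LINE.exec(raw.trim());
    if (!m) continue;
    const [, , method, path, status] = m;
    if (status !== '403') continue;
    const key = `${method} ${path}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample: the four request lines from the report, plus one
// non-matching line to show it is skipped.
const SAMPLE_LOG = `
[2026-02-26 09:58:13] ERROR "GET /ghost/api/admin/members/?limit=1" 403 70ms
NoPermissionError: You do not have permission to browse members
[2026-02-26 09:58:13] ERROR "GET /ghost/api/admin/identities/" 403 124ms
[2026-02-26 09:58:32] ERROR "GET /ghost/api/admin/members/?limit=1" 403 119ms
[2026-02-26 09:58:32] ERROR "GET /ghost/api/admin/identities/" 403 98ms
`;

// Assumed role -> permission table (illustrative only).
const ROLE_PERMISSIONS = {
  Administrator: new Set(['user.browse', 'member.browse', 'identity.read']),
  Editor: new Set(['user.browse']),
  Author: new Set(['user.browse']),
  Contributor: new Set(['user.browse']),
};

// What the staff screen wants to load: the permission each call needs and
// whether the screen can still render without it.
const STAFF_SCREEN_REQUESTS = [
  {path: '/ghost/api/admin/users/', needs: 'user.browse', optional: false},
  {path: '/ghost/api/admin/members/?limit=1', needs: 'member.browse', optional: true},
  {path: '/ghost/api/admin/identities/', needs: 'identity.read', optional: true},
];

function canDo(role, permission) {
  const perms = ROLE_PERMISSIONS[role];
  return perms !== undefined && perms.has(permission);
}

// Classify a response: success, a tolerable 403 on an optional call, or an
// error the UI must surface (403 on a required call, or any other failure).
function classifyResponse(request, status) {
  if (status >= 200 && status < 300) return 'ok';
  if (status === 403 && request.optional) return 'skipped';
  return 'error';
}

// Stand-in for fetch: the server enforces the same table on its side.
function fakeFetch(role, request) {
  return {status: canDo(role, request.needs) ? 200 : 403};
}

// Load the screen's data for a role. Optional requests the role cannot make are
// never sent; a 403 that still arrives on an optional request is recorded as
// skipped, not shown as an error. Required requests are always sent.
function loadStaffScreen(role, fetchImpl = fakeFetch) {
  const result = {sent: [], loaded: [], skipped: [], errors: []};
  for (const req of STAFF_SCREEN_REQUESTS) {
    if (req.optional && !canDo(role, req.needs)) {
      result.skipped.push(req.path); // gated client-side: no request, no 403
      continue;
    }
    result.sent.push(req.path);
    const outcome = classifyResponse(req, fetchImpl(role, req).status);
    if (outcome === 'ok') result.loaded.push(req.path);
    else if (outcome === 'skipped') result.skipped.push(req.path);
    else result.errors.push(req.path);
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summarizeForbidden(SAMPLE_LOG));
  console.log(loadStaffScreen('Editor'));
}
```

Run with `node` to see the per-endpoint 403 counts for the sample log and the Editor outcome: only the required users request is sent, the two optional calls are skipped without any request, and nothing lands in `errors`, so there is no toast to show. A 403 on a required call still goes to `errors`, which is the case where the UI must tell the user something.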

Labels

needs:triage: this needs to be triaged by the Ghost team