Forums Bug Reports Thread

Default About-page body shown to all visitors instructs them to use the Admin menu

Patrick Bass · Jun 6 · 8 · 1 Locked
[Minor] [Normal Priority] [Bug Fixed] [Always Reproduces]
Oldest Newest Top
Patrick Bass 🚀 OP Jun 6, 2026 8:05pm

Area: Cross-cutting infra (audit p14) · Surface: /about (PageController@about, DEFAULT_ABOUT_BODY) · Dimension: ui-law · Severity: minor

Until a tenant writes its own About page, every public visitor to /about sees placeholder copy telling them to edit it via 'Admin → Site Pages → About Us'. That exposes admin navigation to end users who can't act on it (Law 6 spirit: users shouldn't see admin-only mechanics). It self-corrects once authored, but the default state ships an admin instruction to the public.

Evidence

platform/src/Controllers/PageController.php:38-41 — DEFAULT_ABOUT_BODY contains `A super admin can replace this text with your own story from <strong>Admin &rarr; Site Pages &rarr; About Us</strong>.` This is passed as $siteBody to site-pages/about.php (line 22 `$body = $page['body'] ?? self::DEFAULT_ABOUT_BODY;`) and rendered unconditionally inside `<div class="post-content"><?= $siteBody ?></div>` (templates/site-pages/about.php:31) for EVERY visitor — anonymous and regular users alike — until a super admin authors the page. The page's Edit button is correctly gated by isSuperAdmin (about.php:19), but the body copy that names the admin navigation is not.

Suggested fix. Make the default About body customer-neutral (a welcome paragraph with no admin instructions), and surface the 'edit via Admin → Site Pages' hint only when isSuperAdmin is true (e.g. as an inline admin notice in about.php, not inside the public body).

Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.

Patrick Bass
@mobieus

Patrick Bass 🚀 Jun 7, 2026 5:49am

Resolved — fixed and deployed. Commit ea9f0311e960, shipped dev-first then to all tenants on 2026-06-06.

Rewrote PageController::DEFAULT_ABOUT_BODY to a customer-neutral two-paragraph welcome with no admin instructions (removed the 'A super admin can replace this from Admin -> Site Pages' line). The controller already passes isSuperAdmin to the template, so the 'edit via Admin -> Site Pages' hint can be surfaced as an admin-only inline notice in templates/site-pages/about.php; that template-side notice is outside this file but the required isSuperAdmin data is already plumbed through.

Status: fixed. Thread closed and locked.

Patrick Bass
@mobieus

Related Discussions

[Enhancement] Admin deep-dive (trust/safety): Reported content is shown as raw text only — no inline preview/context of the offending post
Feature Requests · 1 replies · 20 views
Information disclosure: /tag/{slug} leaks thread titles + forum names from hidden / private / paid forums to anonymous visitors
Bug Reports · 1 replies · 16 views
Forum settings success/warning alerts use hardcoded dark text that is dark-on-dark in the default theme
Bug Reports · 1 replies · 11 views
Forum menu dropdown — redesign for clarity and visual polish
Feature Requests · 1 replies · 39 views
[Enhancement] Account (re-run): Notifications have no snooze / quiet-hours / do-not-disturb — only all-or-nothing per-channel toggles (Intercom, Slack, Circle all offer quiet hours)
Feature Requests · 1 replies · 17 views

Log in or register to reply to this thread.