Re-logging in doesn't apply logged in user restrictions to content types

System Information
  • Strapi Version: 4.25.2
  • Operating System: Mac OSX (latest)
  • Database: Postgres
  • Node Version: v20.0.0
  • NPM Version: 9.6.4
  • Yarn Version:

I log in as a Super Admin. Then I log in with an Editor user who has restricted access to certain content-types. On login and clicking through to the content manager, I can still see the content types the Super Admin has access to. If I refresh the page manually, the user role restrictions for the content-types are applied.

In the console I can see attempts to access the forbidden content types, then a few 403s, and then it manually refreshes the page, but this is not acceptable functionality.

I tried this on a clean version of Strapi to test if this was because of code or alterations I’d made - sadly no.

Has anyone else seen this issue? It seems like a significant front-end security issue in Strapi.

Any help would be much appreciated.

Kind regards,