Skip registering elevated session routes when disabled

jasonvarga · claude · jasonvarga · commit 2f56836c3fb1 · 2026-04-21T11:28:45.000-04:00
Also exposes the flag to JS so the requireElevatedSession helper
short-circuits before hitting the (now absent) status endpoint.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/resources/js/components/elevated-sessions/index.js b/resources/js/components/elevated-sessions/index.js
@@ -1,6 +1,8 @@
 import axios from 'axios';
 
 export async function requireElevatedSession() {
+    if (!Statamic.$config.get('elevatedSessionEnabled')) return;
+
     const response = await axios.get(cp_url('elevated-session'));
 
     if (response.data.elevated) return;
diff --git a/routes/cp.php b/routes/cp.php
@@ -443,11 +443,13 @@
 
     Route::get('session-timeout', SessionTimeoutController::class)->name('session.timeout');
 
-    Route::get('auth/confirm-password', [ElevatedSessionController::class, 'showForm'])->name('confirm-password');
-    Route::get('elevated-session', [ElevatedSessionController::class, 'status'])->name('elevated-session.status');
-    Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.cp.passkeys');
-    Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.cp.auth');
-    Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
+    if (config('statamic.users.elevated_session_enabled')) {
+        Route::get('auth/confirm-password', [ElevatedSessionController::class, 'showForm'])->name('confirm-password');
+        Route::get('elevated-session', [ElevatedSessionController::class, 'status'])->name('elevated-session.status');
+        Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.cp.passkeys');
+        Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.cp.auth');
+        Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
+    }
 
     Route::get('playground', PlaygroundController::class)->name('playground');
 
diff --git a/routes/web.php b/routes/web.php
@@ -54,12 +54,14 @@
             Route::get('password/reset/{token}', [ResetPasswordController::class, 'showResetForm'])->name('password.reset');
             Route::post('password/reset', [ResetPasswordController::class, 'reset'])->middleware('throttle:statamic.auth')->name('password.reset.action');
 
-            Route::middleware('auth')->group(function () {
-                Route::get('confirm-password', [ElevatedSessionController::class, 'showForm'])->name('elevated-session')->middleware([HandleInertiaRequests::class]);
-                Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.auth');
-                Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.passkeys');
-                Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
-            });
+            if (config('statamic.users.elevated_session_enabled')) {
+                Route::middleware('auth')->group(function () {
+                    Route::get('confirm-password', [ElevatedSessionController::class, 'showForm'])->name('elevated-session')->middleware([HandleInertiaRequests::class]);
+                    Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.auth');
+                    Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.passkeys');
+                    Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
+                });
+            }
 
             Route::group(['prefix' => 'passkeys'], function () {
                 Route::middleware('throttle:statamic.passkeys')->group(function () {
diff --git a/src/Http/View/Composers/JavascriptComposer.php b/src/Http/View/Composers/JavascriptComposer.php
@@ -64,6 +64,7 @@ private function protectedVariables()
             'ajaxTimeout' => config('statamic.system.ajax_timeout'),
             'googleDocsViewer' => config('statamic.assets.google_docs_viewer'),
             'focalPointEditorEnabled' => config('statamic.assets.focal_point_editor'),
+            'elevatedSessionEnabled' => config('statamic.users.elevated_session_enabled'),
             'user' => $this->user($user),
             'defaultPreferences' => Preference::default()->all(),
             'paginationSize' => config('statamic.cp.pagination_size'),
diff --git a/tests/Auth/ElevatedSessionDisabledTest.php b/tests/Auth/ElevatedSessionDisabledTest.php
@@ -0,0 +1,55 @@
+<?php
+
+namespace Tests\Auth;
+
+use PHPUnit\Framework\Attributes\Group;
+use PHPUnit\Framework\Attributes\Test;
+use Statamic\Facades\User;
+use Tests\PreventSavingStacheItemsToDisk;
+use Tests\TestCase;
+
+#[Group('elevated-session')]
+class ElevatedSessionDisabledTest extends TestCase
+{
+    use PreventSavingStacheItemsToDisk;
+
+    private $user;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->user = User::make()->email('foo@bar.com')->makeSuper()->password('secret');
+        $this->user->save();
+    }
+
+    protected function getEnvironmentSetUp($app)
+    {
+        parent::getEnvironmentSetUp($app);
+
+        $app['config']->set('statamic.users.elevated_session_enabled', false);
+    }
+
+    #[Test]
+    public function cp_elevated_session_routes_are_not_registered()
+    {
+        $this->actingAs($this->user);
+
+        $this->get('/cp/elevated-session')->assertNotFound();
+        $this->get('/cp/elevated-session/passkey-options')->assertNotFound();
+        $this->post('/cp/elevated-session')->assertNotFound();
+        $this->get('/cp/elevated-session/resend-code')->assertNotFound();
+        $this->get('/cp/auth/confirm-password')->assertNotFound();
+    }
+
+    #[Test]
+    public function frontend_elevated_session_routes_are_not_registered()
+    {
+        $this->actingAs($this->user);
+
+        $this->get('/!/auth/confirm-password')->assertNotFound();
+        $this->post('/!/auth/elevated-session')->assertNotFound();
+        $this->get('/!/auth/elevated-session/passkey-options')->assertNotFound();
+        $this->get('/!/auth/elevated-session/resend-code')->assertNotFound();
+    }
+}
