Upgrade to 2025.3.0 Can't Access Administration Page

heybrodes

Hello, I have upgraded from 2024.12.0 to 2025.3.0.
Everything works except being able to access the Administrator page after logging in. I have checked /home/cryptpad/config/config.js and made sure that there is an entry at adminKeys:
When trying to access the Administration page I get "Script Error: See browser console for details"
The browser console shows:

Error with Permissions-Policy header: Unrecognized feature: 'interest-cohort'.
sframe-boot.js?ver=1.11:46 Testing if CSP correctly blocks an 'eval' call
LessLoader.js?ver=2025.3.0-1743836968677:208 Compiling [/customize/src/less2/include/loading.less] took 6ms
LessLoader.js?ver=2025.3.0-1743836968677:208 Compiling [/customize/src/less2/include/loading.less] took 5ms
cryptpad-common.js?ver=2025.3.0-1743836968677:2792 Outer ready
cryptpad-common.js?ver=2025.3.0-1743836968677:2815 Posting CONNECT
admin/:1 Failed to fetch a worker script.
LessLoader.js?ver=2025.3.0-1743836968677:208 Compiling [/admin/app-admin.less] took 334ms
inner.js?ver=2025.3.0-1743836968677:4174 Status Object
sidebar-layout.js?ver=2025.3.0-1743836968677:163 Uncaught TypeError: Cannot read properties of undefined (reading 'split')
    at sidebar-layout.js?ver=2025.3.0-1743836968677:163:44
    at Array.map (<anonymous>)
    at blocks.table (sidebar-layout.js?ver=2025.3.0-1743836968677:162:45)
    at inner.js?ver=2025.3.0-1743836968677:258:31
    at sidebar.addItem (sidebar-layout.js?ver=2025.3.0-1743836968677:279:13)
    at andThen (inner.js?ver=2025.3.0-1743836968677:237:17)
    at inner.js?ver=2025.3.0-1743836968677:4222:9
    at waitFor (index.js?ver=2025.3.0-1743836968677:25:30)
    at inner.js?ver=2025.3.0-1743836968677:4180:13
    at waitFor (index.js?ver=2025.3.0-1743836968677:25:30)

Reaching out for some advice.

Cheers,
Brodes.

Mathilde

Hey,

heybrodes we had our principal engineer looking at the logs you shared in your first message. Weird thing is they don't match actual 2025.3.0 source code. Looking at the lines mentioned in the logs you provided, its completely different or even doesn't exist in our source code.

Did you applied the update properly? If you would like to privately share your instance URL, we could check this hypothesis for you.

Mathilde

Hello,

Thanks for reaching out and for your interest in CryptPad.

Please do use code blocks with Markdown formatting when sharing snippets and logs. It makes it much easier to read for everyone.

Regarding the issue in the logs you provided, it doesn't tells us a lot about the cause of the problem you might be facing. Have you checked the /checkup page of your instance? Did you followed the Upgrades notes from the previous release?

Hope this helps.

heybrodes

Thanks for responding.
The /checkup has:

https://cryptpad.example.com/pad/index.html is missing several attributes which provide better previews on social media sites and messengers. The administrator of this instance can generate them with npm run build.

Missing attributes:

meta[property="og:url"]
meta[property="og:type"]
meta[property="og:title"]
meta[property="og:description"]
meta[property="og:image"]
meta[property="twitter:card"]

I'm not really interested in providing these attributes, but I will if it resolves my issue. And yes I did follow the Upgrade notes.

heybrodes

I just ran npm run build and got 55/55 tests passed. Still can't access Administration page.

heybrodes

Digging a bit deeper I can see this in console:
Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unauthorized code on your site.

To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...), and setInterval([string], ...) for evaluating strings.

If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive.

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval';">
⚠️ Allowing string evaluation comes at the risk of inline script injection.

Affected Resources
1 directive
Source location: frame-boot.js?ver=1.11:48
Directive: script-src
Status: blocked

Does this provide anymore clues?

AlexQ

@heybrodes Maybe a dumb question: So you can see the admin menu but you can't access it? The admin menu items are there, not missing? Maybe two screenshots would be helpful to make sure we all talk about the same:

CryptPad menu
error message in browser (main view / HTML view, not console)

Good luck.

Disclaimer:
I am NOT part of the CryptPad team and I do not speak for the CryptPad team. I am a user helping other users. I got moderation user rights for the forum from the CryptPad team to help a bit, because we all are the community, but that's all.

heybrodes

Hi, This is what I can see:
Image description
and then after I click on Administration (with the cog wheels) i get this response:

heybrodes

All other feature and functions work except accessing the Administrator menu. And yes I am the administrator and I haven't had an issue until the latest upgrade. Having said that could any of the customizations be affecting the way this is working?

AlexQ

@Mathilde Is the first posting in the thread the console log or is it incomplete? To me it was important to make sure, that the admin rights of heybrodes are not missing because of typos or so when I read the thread. Thanks and sorry.

Mathilde

AlexQ oops, my bad, I didn't took the time to read the whole thread again. The information is already here indeed. Nothing to be sorry for on your side!

We just need some time to look at it and see if it rings a bell for any of our developers.

heybrodes

Mathilde How best can I message you to privately share my URL?

Mathilde

heybrodes How best can I message you to privately share my URL?

See the contact page on our project website: https://cryptpad.org/contact/

Mathilde

Hello @heybrodes,

We received your email, thanks for the info.

Our principal engineer was able to take a look at your instance and it's serving both 2025.3.0 and 2024.12.0 code, depending on the files:

www/admin/inner.js is on 2025.3.0
www/common/inner/sidebar-layout.js is on 2024.12
www/common/translations/messages.json is on 2024.12

It's seems that all the www/common/ folder is serving the previous version. It's indeed likely coming from the changes you made into the customize/ folder.

Your instance being in such a state it shouldn't be considered secure, the changes you made likely impacted the cryptography parts of it.

We would advise to revert the customizations you made.

heybrodes

A big thanks to the Cryptpad team. I have removed the /customize/www folder and the Administration menu is now accessible. This raises the question though about customizations. They don't always carry with new versions as noted in the documentation.