Fixed #17694

Author: brandonkelly

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Unreleased
 
 - Fixed a bug where reference tags that only referenced an entry’s slug weren’t resolving.
+- Fixed a race condition that could cause “User is not authorized” errors in the control panel. ([#17694](https://github.com/craftcms/cms/issues/17694))
 
 ## 4.16.8 - 2025-07-25
 

src/behaviors/SessionBehavior.php

@@ -24,6 +24,8 @@
  */
 class SessionBehavior extends Behavior
 {
+    private const AUTH_LOCK_NAME = 'authAccess';
+
     /**
      * @var string|null The session variable name used to store the authorization keys for the current session.
      * @see authorize()
@@ -266,12 +268,19 @@ public function broadcastToJs(string|array $message): void
      */
     public function authorize(string $action): void
     {
+        $mutex = Craft::$app->getMutex();
+        $locked = $mutex->acquire(self::AUTH_LOCK_NAME, 5);
+
         $access = $this->owner->get($this->authAccessParam, []);
 
         if (!in_array($action, $access, true)) {
             $access[] = $action;
             $this->owner->set($this->authAccessParam, $access);
         }
+
+        if ($locked) {
+            $mutex->release(self::AUTH_LOCK_NAME);
+        }
     }
 
     /**
@@ -281,13 +290,20 @@ public function authorize(string $action): void
      */
     public function deauthorize(string $action): void
     {
+        $mutex = Craft::$app->getMutex();
+        $locked = $mutex->acquire(self::AUTH_LOCK_NAME, 5);
+
         $access = $this->owner->get($this->authAccessParam, []);
         $index = array_search($action, $access, true);
 
         if ($index !== false) {
             array_splice($access, $index, 1);
             $this->owner->set($this->authAccessParam, $access);
         }
+
+        if ($locked) {
+            $mutex->release(self::AUTH_LOCK_NAME);
+        }
     }
 
     /**