Bug #95728
closed
Backend user login domain restriction not working properly
0%
Description
When creating a BE user you can use the options tab and restrict the user login to a certain domain, say www.example-url.com.
The user then can log in here: www.example-url.com/typo3
If the server is accessible via another domain, too, say www.other-url.com, the user can also call www.other-url.com/typo3 and log in there. This should not be allowed.
Moreover when the user is logged in, he can see the BE but not the page tree or other elements.
The following error message (DE) is displayed:
"Seitenbaumfehler
Unerwartete Antwort vom Server erhalten. Bitte überprüfen Sie die Protokolle für mehr Details."
This is especially a problem for multi-site systems because a lot of domains point to the same server. A user can guess other domains and try to log in. And this may result in a security problem also.
Maybe one should deny the login via another domain than specified (here: www.example-url.com) completely?
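To make the behaviour the report asks for concrete, here is an added, self-contained model of a per-user login-domain restriction in which the host check runs before the credential check, so a request arriving on a non-permitted domain is rejected outright and never gets a half-working session like the one described above. This is illustration code written for this page, not TYPO3's own implementation: the user table, the field name `lock_to_domain`, and the hostnames are constructed sample values.

```python
"""Model of a backend login with a per-user domain restriction.

Constructed example, not TYPO3 code. The point demonstrated: compare the
request's Host header against the user's allowed domain *before* any
credential check, and treat a mismatch as a hard denial.
"""
import hmac
from urllib.parse import urlsplit

# Constructed sample user store: an empty lock_to_domain means "any host".
USERS = {
    "editor": {"password": "correct-horse", "lock_to_domain": "www.example-url.com"},
    "admin":  {"password": "s3cret",        "lock_to_domain": ""},
}


def normalize_host(host_header: str) -> str:
    """Lower-case a Host header and strip any port, whitespace or IPv6 brackets.

    urlsplit() is given a scheme-relative form so that ports and bracketed
    IPv6 literals are handled the same way a URL parser would handle them.
    """
    host = host_header.strip().lower()
    return urlsplit("//" + host).hostname or ""


def host_allowed(lock_to_domain: str, host_header: str) -> bool:
    """True when the user has no restriction or the request host matches it exactly."""
    if not lock_to_domain:
        return True
    return normalize_host(host_header) == normalize_host(lock_to_domain)


def attempt_login(username: str, password: str, host_header: str) -> dict:
    """Evaluate a login attempt.

    Returns {"ok": bool, "audit": str}. The audit reason is meant for the
    server-side log only; a real response should not reveal which check failed.
    """
    user = USERS.get(username)
    if user is None:
        return {"ok": False, "audit": "unknown user"}

    # Domain restriction is enforced first: a wrong host never reaches
    # password verification, so no session (partial or otherwise) is created.
    if not host_allowed(user["lock_to_domain"], host_header):
        return {"ok": False, "audit": f"host {host_header!r} not permitted for {username}"}

    # Constant-time comparison to avoid timing differences on the password check.
    if not hmac.compare_digest(password.encode(), user["password"].encode()):
        return {"ok": False, "audit": "bad credentials"}

    return {"ok": True, "audit": "session created"}


if __name__ == "__main__":
    # Walk through the scenario from the report with the constructed users.
    print(attempt_login("editor", "correct-horse", "www.example-url.com"))   # ok
    print(attempt_login("editor", "correct-horse", "www.other-url.com"))     # denied: host
    print(attempt_login("editor", "correct-horse", "WWW.Example-URL.com:443"))  # ok after normalization
    print(attempt_login("admin", "s3cret", "www.other-url.com"))             # ok: no restriction
```

The normalization step matters in practice: without it, a restriction on `www.example-url.com` would be bypassed or spuriously broken by case differences or an explicit port in the Host header, and the check would again produce the kind of inconsistent state (logged in, but backend calls failing) that the report describes.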
Files