TYPO3 Forge: Issues
http://forge.typo3.org/
2022-04-04T08:52:23Z

TYPO3 Core - Epic #97289 (Accepted): Integrate security module
http://forge.typo3.org/issues/97289
2022-04-04T08:52:23Z
Oliver Hader oliver.hader@typo3.org
<p>(to be filled with more content/topics)</p>
<ul>
<li>move security related checks from reports module to new security module</li>
<li>add checks for existing security-related feature flags - and "enforce" secure settings</li>
</ul>

TYPO3 Core - Epic #96521 (Closed): Enhance PhpStan coverage
http://forge.typo3.org/issues/96521
2022-01-12T12:52:13Z
Oliver Hader oliver.hader@typo3.org
<ul>
<li>get rid of <code>checkThisOnly</code> & declare failing occurrences</li>
<li>upgrade to PhpStan ^1.3</li>
</ul>

TYPO3 Core - Story #92091 (Closed): PageTree related flaws TYPO3 v9.5.20/21-dev or v10.4.6/7-dev
http://forge.typo3.org/issues/92091
2020-08-24T19:27:17Z
Oliver Hader oliver.hader@typo3.org
<p>Tracking ticket - see referenced sub tickets for details</p>

TYPO3 Core - Story #91384 (Closed): Backend login and referrer problems after recent TYPO3 9.5.17...
http://forge.typo3.org/issues/91384
2020-05-13T15:33:54Z
Oliver Hader oliver.hader@typo3.org

TYPO3 Core - Epic #87417 (New): Integrate proper Content Security Policy (CSP) handling
http://forge.typo3.org/issues/87417
2019-01-13T10:58:12Z
Oliver Hader oliver.hader@typo3.org
<p>In order to reduce risks of cross-site scripting in the TYPO3 backend, proper CSP handling shall be integrated into the TYPO3 core. Just setting the headers is not enough, since reporting, management and adjustment of core components as well as 3rd party components (extensions) are also required.</p>
<p>The functionality is outlined like this</p>
<ul>
<li>CSP management & configuration module (either on a site level or for whole TYPO3 installation)</li>
<li>CSP violation reporting endpoint in order to identify flaws and violations earlier (might be misconfiguration or vulnerability)</li>
<li>CSP manifest definition that allows 3rd party extensions to use resources of remote hosts (to be used in management module)</li>
<li>adjustment and refactoring of TYPO3 core components & guidelines for extension authors</li>
</ul>

TYPO3 Core - Epic #84920 (New): Provide generic context based data retrieval API
http://forge.typo3.org/issues/84920
2018-05-03T14:50:35Z
Oliver Hader oliver.hader@typo3.org
<p>In order to avoid the requirement of specific knowledge of TYPO3 persistence behavior, such as localization or workspaces, a generic API to retrieve data shall be provided.</p>
The functionality relies on these base parameters:
<ul>
<li>context (language, workspace)</li>
<li>permissions (pages, tables, fields, ..., context permissions)</li>
<li>optional behavior (language fallback, individual handling)</li>
</ul>
Basic functionality:
<ul>
<li>retrieve specific entities for the given base parameters (e.g. languages & workspaces resolved automatically)</li>
<li>retrieve any relational entities (children) for the given base parameters (not caring whether 1:n inline or m:n group/db has been defined)</li>
</ul>
Extended functionality:
<ul>
<li>retrieve data based on individual/custom query (fields, constraints, sorting)</li>
<li>retrieve data based on GraphQL query</li>
</ul>

TYPO3 Core - Epic #84918 (New): Streamline Permission Layer
http://forge.typo3.org/issues/84918
2018-05-03T14:41:43Z
Oliver Hader oliver.hader@typo3.org
<p>Concerning data handling and persistence, basically only the backend context is considered (in DataHandler, PageLayoutView et al). General permission handling in Extbase and other frontend related implementation is only implemented on the visibility of pages and frontend user groups.</p>
<p>In order to overcome these differences, permission handling has to be generalized and used in affected components.<br />For instance as an impact, DataHandler does not rely on a BackendUserAuthentication (BE_USER) instance anymore, but on a generic Permission definition that can be used in backend and frontend context.</p>

TYPO3 Core - Story #84917 (New): Make use of schema definition & relationship layer
http://forge.typo3.org/issues/84917
2018-05-03T14:36:29Z
Oliver Hader oliver.hader@typo3.org
<ul>
<li>DataHandler, RelationHandler, DataMapProcessor</li>
<li>Extbase DataMapFactory, Storage Backend</li>
<li>FormEngine DataProviders, Containers</li>
<li>RootlineUtility</li>
</ul>
<p>... and more ...</p>

TYPO3 Core - Story #84916 (New): Provide generic entity relationship model
http://forge.typo3.org/issues/84916
2018-05-03T14:30:00Z
Oliver Hader oliver.hader@typo3.org
<p>Expected goal</p>
<pre>
$contentSchemaDefinition = (new SomeService)->getSchemaDefinition('tt_content');
$fileReferenceSchemaDefinition = (new SomeService)->getSchemaDefinition('sys_file_reference');
var_dump($contentSchemaDefinition->getProperty('media')->getRelations());
var_dump($fileReferenceSchemaDefinition->getProperty('uid_foreign')->getRelations());
</pre>
<p>might output something like</p>
<pre>
# relations for tt_content.media
+ ActiveRelation: schemaName "sys_file_reference"
</pre>
<pre>
# relations for sys_file_reference.uid_foreign
+ PassiveRelation: schemaName "tt_content", propertyName: "image"
+ PassiveRelation: schemaName "tt_content", propertyName: "media"
+ PassiveRelation: schemaName "tt_content", propertyName: "assets"
</pre>
<p>Currently the "opposite usage" for relations is not explicitly known. In order to enhance look ups this information should be cached along with the plain schema definition (e.g. TCA).</p>

TYPO3 Core - Story #84915 (New): Provide generic entity schema definition
http://forge.typo3.org/issues/84915
2018-05-03T14:19:06Z
Oliver Hader oliver.hader@typo3.org
<p>Expected goal</p>
<pre>
$factory = new TcaSchemaDefinitionFactory($GLOBALS['TCA']);
$schemaDefinition = $factory->buildForTable('tt_content');
$service = new SchemaDefinitionService();
$mediaProperty = $schemaDefinition->getProperty('media');
$service->isRelational($mediaProperty);
if ($service->getRelationType($mediaProperty) === Relation::TYPE_ONE_TO_MANY_COMPOSITION) { ... }
</pre>
<p>The API above can still change. Besides that Extbase <code>DataMapFactory</code> could be considered as foundation as well.</p>

TYPO3 Core - Epic #84914 (New): Streamline entity configuration layer
http://forge.typo3.org/issues/84914
2018-05-03T14:08:35Z
Oliver Hader oliver.hader@typo3.org
<p>Entity configuration in TYPO3 is done by using TCA (table configuration array). Currently the interpretation of e.g. "what is a 1:n composition (IRRE)" is spread over multiple locations - most important to mention are DataHandler, Extbase and FormEngine - but there are many more.</p>
<p>In order to avoid individual (and possibly) different interpretations of entity definitions and features, a generic configuration shall be introduced to provide access to the semantics of TCA and FlexForm data structures.</p>

TYPO3 Core - Epic #81948 (Closed): Introduce system maintainers
http://forge.typo3.org/issues/81948
2017-07-24T13:59:09Z
Oliver Hader oliver.hader@typo3.org
<p>The bigger picture of this epic has been described in more detail on <a class="external" href="https://decisions.typo3.org/t/typo3-system-management-the-big-picture/252">https://decisions.typo3.org/t/typo3-system-management-the-big-picture/252</a></p>
<p>TL;DR: Separate current install tool into "system recovery" and "system management", replace current install tool password by system maintainers (backend users with extended permissions)</p>
<p>Existing backend users can be assigned the role (just the meaning, generic roles are not implemented in this epic) of being a "system maintainer". Backend users (and system maintainers) can be created and assigned in a separate "system recovery" module (which is also not part of this epic). In the long run, the install tool password will vanish and be replaced with the new "system maintainer" role - for the time in between, until "system recovery" is ready, both authentication mechanisms are supported (install tool password and system maintainer username/password). Defining security aspects like saltedpasswords, rsaauth, openid, ... is also a target of system recovery - thus, system maintenance can rely on these settings being defined and working.</p>
<p>System maintainers are assigned by a static list of usernames or uids in a new <code>TYPO3_CONF_VARS</code> property. Using a new property like e.g. <code>be_users.is_maintainer</code> would have to be kept in sync with external authentication data-providers (like LDAP) and also would be the first target of possible security vulnerabilities concerning SQL injection. Besides that, using usernames in that list eases deployment on different environments, where the uid values might be different, but usernames are the same.</p>

TYPO3 Core - Epic #77562 (Accepted): Misbehaviors with datetime values and timezones
http://forge.typo3.org/issues/77562
2016-08-21T21:00:33Z
Oliver Hader oliver.hader@typo3.org
<p>This issue serves as an umbrella collector.</p>
<p>We can do little to fix stuff in v7, but we shall fix a lot in v8.</p>
<p>The goals for v8 are:</p>
<ul>
<li>Same DB content as in v7</li>
<li>Values written to FormEngine must contain the server's timezone in the ISO-format</li>
<li>FormEngine JS must be aware of the timezone used in BE to write back correct values</li>
</ul>

TYPO3 Core - Epic #58282 (Closed): Workspaces Workpackage #2
http://forge.typo3.org/issues/58282
2014-04-28T10:47:28Z
Oliver Hader oliver.hader@typo3.org

TYPO3 Core - Epic #54851 (Closed): WP: Workspaces IRRE & MM bugfixes
http://forge.typo3.org/issues/54851
2014-01-08T22:08:22Z
Oliver Hader oliver.hader@typo3.org
<p>The import and export functionality has been available since the beginning of TYPO3 CMS. This backend module mostly relies on the internal DataHandler/TCEMain system of TYPO3. For TYPO3 6.2 LTS, the Core Team needs to improve the handling of the IRRE and MM relations within the import and export process.<br />Additionally, the import / export module must be able to handle exports which were generated in a pre-FAL-version of TYPO3 (e.g. like the last LTS Version 4.5) in order to be able to import directly to the FAL.<br />Since importing and exporting large sites via a web-backend leads to problems in runtime and memory limits, a CLI Module must be added.</p>
<p>Recent development can be found here:<br /><a class="external" href="https://github.com/ohader/TYPO3.CMS/commits/integration">https://github.com/ohader/TYPO3.CMS/commits/integration</a> (integration branch)<br /><a class="external" href="https://github.com/ohader/TYPO3.CMS/commits/bugfixes">https://github.com/ohader/TYPO3.CMS/commits/bugfixes</a> (development branch)</p>