TYPO3 Core

Setup:
Consider the following page tree:

Root
   |__ Login
   |
   |__ protected (extend to subpages)
       |
       |__ Intermediate page I (not explicitly protected, no extend to subpages)
       |   |
       |   |__ Page A
       |
       |__ Intermediate page II (not explicitly protected, extend to subpages)
           |
           |__ Page B

There exist both a backend and a frontend user:

• Backend user without mount from page tree
• Frontend user with access rights to all protected pages.

Scenario A:
Only the FE user is logged in. All protected pages are visible.

Scenario B:
No user is logged in. All protected pages are not visible.

Scenario C:
Both users (FE and BE) are logged into the same browser at the same time.
Page A is not visible (access denied), page B is visible.

Problem:
Scenario A and B behave correctly, scenario C should behave like scenario A in this case.

Cause:
TYPO3 checks in cms-frontend/Classes/Middleware/PreviewSimulator.php whether a backend preview should be generated. This is the case, for example, if a page has 'extendToSubpages' = true in the rootline and the access rights of the page are restricted. When extendToSubpages is found for the first time, the search in the rootline is aborted.
If a backend preview is to be generated, the system only checks whether the BE user has the necessary rights to view it. If this is not the case, an AccessDeniedAction is called ( cms-frontend/Classes/Middleware/TypoScriptFrontendInitialization.php:100 ). The rights of the FE user are then not taken into account at all.