Bug #103577
A valid frontend user does not see protected pages if the current backend user does not have the right to preview
Status: open
Description
Consider the following page tree:
Root
|__ Login
    |__ protected (extend to subpages)
        |__ Intermediate page I (not explicitly protected, no extend to subpages)
        |   |__ Page A
        |__ Intermediate page II (not explicitly protected, extend to subpages)
            |__ Page B
There exist both a backend and a frontend user:
- Backend user without mount from page tree
- Frontend user with access rights to all protected pages.
Scenario A:
Only the FE user is logged in. All protected pages are visible.
Scenario B:
No user is logged in. All protected pages are not visible.
Scenario C:
Both users (FE and BE) are logged into the same browser at the same time.
Page A is not visible (access denied), page B is visible.
Problem:
Scenario A and B behave correctly, scenario C should behave like scenario A in this case.
Cause:
TYPO3 checks in cms-frontend/Classes/Middleware/PreviewSimulator.php whether a backend preview should be generated. This is the case, for example, if a page has 'extendToSubpages' = true in the rootline and the access rights of the page are restricted. When extendToSubpages is found for the first time, the search in the rootline is aborted.
If a backend preview is to be generated, the system only checks whether the BE user has the necessary rights to view it. If this is not the case, an AccessDeniedAction is called (cms-frontend/Classes/Middleware/TypoScriptFrontendInitialization.php:100). The rights of the FE user are then not taken into account at all.
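A constructed model of the rootline check described above, added here to make the three scenarios reproducible; it is not TYPO3's own code, and the page fields (restricted, extendToSubpages) and the walk order are assumptions that follow the description:

```php
<?php
// Constructed model of the preview decision described in this report, not TYPO3's code.
// A rootline is ordered from the requested page (index 0) up to the root.
// Each entry: ['title' => string, 'restricted' => bool, 'extendToSubpages' => bool].

function previewRequired(array $rootline): bool
{
    foreach ($rootline as $index => $page) {
        // The requested page itself needs a preview when it is restricted directly.
        if ($index === 0 && $page['restricted']) {
            return true;
        }
        // The first ancestor with extendToSubpages decides and the walk stops there,
        // so a restricted ancestor further up is never reached (this is why Page B differs from Page A).
        if ($index > 0 && $page['extendToSubpages']) {
            return $page['restricted'];
        }
    }
    return false;
}

function resolveAccess(array $rootline, bool $beLoggedIn, bool $beCanPreview, bool $feHasAccess): string
{
    if ($beLoggedIn && previewRequired($rootline)) {
        // Reported behaviour: only the BE user's preview right is consulted; the FE user is ignored.
        return $beCanPreview ? 'visible (backend preview)' : 'access denied (403)';
    }
    // Without a preview context the normal FE group check applies.
    return $feHasAccess ? 'visible' : 'not visible';
}

$protected = ['title' => 'protected', 'restricted' => true,  'extendToSubpages' => true];
$login     = ['title' => 'Login',     'restricted' => false, 'extendToSubpages' => false];
$root      = ['title' => 'Root',      'restricted' => false, 'extendToSubpages' => false];

$rootlineA = [
    ['title' => 'Page A',              'restricted' => false, 'extendToSubpages' => false],
    ['title' => 'Intermediate page I', 'restricted' => false, 'extendToSubpages' => false],
    $protected, $login, $root,
];
$rootlineB = [
    ['title' => 'Page B',               'restricted' => false, 'extendToSubpages' => false],
    ['title' => 'Intermediate page II', 'restricted' => false, 'extendToSubpages' => true],
    $protected, $login, $root,
];

// Scenario A: FE only. Scenario B: nobody logged in. Scenario C: FE and BE, BE lacks the preview right.
foreach (['Page A' => $rootlineA, 'Page B' => $rootlineB] as $name => $rootline) {
    printf("%s: A=%s | B=%s | C=%s\n", $name,
        resolveAccess($rootline, false, false, true),
        resolveAccess($rootline, false, false, false),
        resolveAccess($rootline, true, false, true));
}
```

With this model Page A ends in the 403 under scenario C while Page B stays visible, because the walk for Page B stops at Intermediate page II before it reaches the restricted ancestor.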
Updated by Harald Witt about 1 month ago
- PHP Version changed from 8.1 to 8.2
- Complexity set to medium
I can confirm this behavior, except "Scenario C". I think the opposite is the case or I misunderstood.
For clearness:
The problem occurs for subpages of a page with "extendToSubpages" set to on.
And the problem only occurs for pages that are not visible in the backend page tree.
For these pages an error 403 (forbidden) is thrown. Using a second instance of the same browser doesn't help.
So the following workarounds are in place:
- Separately protect each page and omit the "extendToSubpages" feature :-(
- Use two different browsers for frontend and backend :-(
- Open at least one of frontend / backend in an incognito window :-(
But for e.g. a news_preview the latter two workarounds don't help because always a new tab is opened.
For this case you can e.g. allow read access for everyone to the news detail page in the backend AND give a DB-mount of this page to all news-editors.