Bug #103577

open

A valid frontend user does not see protected pages if the current backend user does not have the right to preview

Added by Oliver Heins 8 months ago. Updated about 1 month ago.

Status: New
Priority: Should have
Assignee: -
Category: Frontend
Target version: -
Start date: 2024-04-09
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version: 8.2
Tags:
Complexity: medium
Is Regression:
Sprint Focus:

Description

Setup:
Consider the following page tree:
Root
   |__ Login
   |
   |__ protected (extend to subpages)
       |
       |__ Intermediate page I (not explicitly protected, no extend to subpages)
       |   |
       |   |__ Page A
       |
       |__ Intermediate page II (not explicitly protected, extend to subpages)
           |
           |__ Page B

There exist both a backend and a frontend user:
  • Backend user without mount from page tree
  • Frontend user with access rights to all protected pages.

Scenario A:
Only the FE user is logged in. All protected pages are visible.

Scenario B:
No user is logged in. All protected pages are not visible.

Scenario C:
Both users (FE and BE) are logged into the same browser at the same time.
Page A is not visible (access denied), page B is visible.

Problem:
Scenarios A and B behave correctly; scenario C should behave like scenario A in this case.

Cause:
TYPO3 checks in cms-frontend/Classes/Middleware/PreviewSimulator.php whether a backend preview should be generated. This is the case, for example, if a page has 'extendToSubpages' = true in the rootline and the access rights of the page are restricted. When extendToSubpages is found for the first time, the search in the rootline is aborted.
If a backend preview is to be generated, the system only checks whether the BE user has the necessary rights to view it. If this is not the case, an AccessDeniedAction is called (cms-frontend/Classes/Middleware/TypoScriptFrontendInitialization.php:100). The rights of the FE user are then not taken into account at all.
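
The decision flow described in this report, reduced to a small model and run over the page tree from the setup. This is an added example, not TYPO3 code and not part of the original report: the function names, the array layout and FE group id 1 are constructed. It assumes the preview check only runs when a backend user is logged in (implied by scenarios A and C), and the `$fallBackToFe` branch models only the behaviour the reporter expects, not an actual patch.

```php
<?php
declare(strict_types=1);
// Simplified model of the behaviour described in the report above, NOT TYPO3 code.
// Rootline entries, from the requested page up to the root: [title, extendToSubpages, fe_group].
const ROOTLINES = [
    'Page A' => [['Page A', false, []], ['Intermediate page I', false, []],
                 ['protected', true, [1]], ['Root', false, []]],
    'Page B' => [['Page B', false, []], ['Intermediate page II', true, []],
                 ['protected', true, [1]], ['Root', false, []]],
];

// As reported: the walk stops at the first page with extendToSubpages set, and a
// preview is requested only if that page itself is access-restricted.
function rootlineRequiresPreview(array $rootline): bool
{
    foreach ($rootline as [, $extend, $feGroup]) {
        if ($extend) {
            return $feGroup !== [];
        }
    }
    return false;
}

// Assumed frontend check: own and inherited (extendToSubpages) restrictions must match a user group.
function feUserMayAccess(array $rootline, array $userGroups): bool
{
    foreach ($rootline as $depth => [, $extend, $feGroup]) {
        if (($depth === 0 || $extend) && $feGroup !== [] && !array_intersect($feGroup, $userGroups)) {
            return false;
        }
    }
    return true;
}

// $beMayPreview: null = no backend user logged in, false = logged in without preview rights.
function decide(array $rootline, array $userGroups, ?bool $beMayPreview, bool $fallBackToFe): string
{
    if ($beMayPreview !== null && rootlineRequiresPreview($rootline) && ($beMayPreview || !$fallBackToFe)) {
        return $beMayPreview ? 'preview' : 'denied'; // reported: FE user rights are never consulted
    }
    return feUserMayAccess($rootline, $userGroups) ? 'visible' : 'denied';
}

$scenarios = ['A' => [[1], null], 'B' => [[], null], 'C' => [[1], false]];
foreach ($scenarios as $name => [$groups, $be]) {
    foreach (ROOTLINES as $title => $rootline) {
        printf("Scenario %s, %s: reported=%s, expected=%s\n", $name, $title, decide($rootline, $groups, $be, false), decide($rootline, $groups, $be, true));
    }
}
```

In this model the two columns differ only for scenario C on Page A, where the rootline walk reaches the restricted "protected" page; on Page B it stops at the unrestricted "Intermediate page II", so no preview is requested and the normal frontend check applies.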
