Bug #104629
open
403 for pages in FE if admin-panel active and non-admin user opens page with no permission in BE
Description
This problem only occurs if "Show hidden pages" or "Show hidden records" is activated in admin panel (possibly also in other scenarios).
If all filters in the admin-panel settings are off, I cannot reproduce the problem.
I marked this as regression, because it appeared in v12 and does not occur in v11.
Reproduce
1. Login or switchuser as non-admin user with restricted access (not all pages)
2. Open page in FE
3. Activate admin-panel, activate "Show hidden pages"
4. Click on a link to a page the user has no access to (e.g. start page)
Now, we see a 403 error.
- Versions
- 12.4.18
Updated by Sybille Peters 17 days ago
I can reproduce this with the latest v14 version as well (dev-main).
Same as described above, if the admin-panel is enabled and Preview "Show hidden pages" is active and the user clicks on a page he does not have access to.
hint: must set user tsconfig:
admPanel.enable.all = 1
Updated by Sybille Peters 16 days ago
- Related to Bug #101589: Frontend page not accessible if be_user is logged in added
Updated by Sybille Peters 16 days ago
- Related to Bug #105866: Backend user access rights overrule frontend user access rights added
Updated by Sybille Peters 16 days ago
There are some related issues (see above under "Related issues").
Info from core Slack Stefan:
"not the same, but related. The adminpanel influences the frontend preview settings (show/hide hidden records) - can view hidden pages in the frontend etc.
And the place in the latest patch relates to "fe user <-> be user" setting which is basic requirement for adminpanel anyway. All of these operate on same things, and at least are related and need to be analyzed together and not each on its own"
Updated by Sybille Peters 16 days ago
- Related to Task #97176: Move BE_USER check of TSFE into middleware added
Updated by Sybille Peters 16 days ago
- Related to Task #102856: Streamline TypoScriptFrontendItitialization added