Bug #104629
open
403 for pages in FE if admin-panel active and non-admin user opens page with no permission in BE
0%
Description
This problem only occurs if "Show hidden pages" or "Show hidden records" is activated in admin panel (possibly also in other scenarios).
If all filters in the admin-panel settings are off, I cannot reproduce the problem.
I marked this as regression, because it appeared in v12, does not occur in v11.
Reproduce¶
1. Login or switchuser as non-admin user with restricted access (not all pages)2. Open page in FE
3. Activate admin-panel, activate "Show hidden pages"
4. Click on a link to a page the user has no access to :
- page is not in file mount
- user has no read access (e.g. page has different owner and only permssions allowed for owner in Access module)
Now, we see a 403 error.
Versions¶
- 12.4.18: reproduced (2024-08-15)
- main (v14): reproduced (2025-03-06)
Files
Updated by Sybille Peters about 2 months ago
I can reproduce this with the latest v14 version as well (dev-main).
Same as described above, if the admin-panel is enabled and Preview "Show hidden pages" is active and the user clicks on a page he does not have access to.
hint: must set user tsconfig:
admPanel.enable.all = 1
Updated by Sybille Peters about 2 months ago
- Related to Bug #101589: Frontend page not accessible if be_user is logged in added
Updated by Sybille Peters about 2 months ago
- Related to Bug #105866: Backend user access rights overrule frontend user access rights added
Updated by Sybille Peters about 2 months ago
There are some related issue (see above under "Related issues").
Info from core Slack Stefan:
"not the same, but related. The adminpanel influences the frontend preview settings (show/hide hidden records) - can view hidden pages in the frontend etc.
And the place in the latest patch relates to "fe user <-> be user" setting which is basic requirement for adminpanel anyway. All of these operates on same things, and at least are related and needs to be analyzed together and not each on it's own"
Updated by Sybille Peters about 2 months ago
- Related to Task #97176: Move BE_USER check of TSFE into middleware added
Updated by Sybille Peters about 2 months ago
- Related to Task #102856: Streamline TypoScriptFrontendItitialization added
Updated by Sybille Peters 11 days ago
patch https://review.typo3.org/c/Packages/TYPO3.CMS/+/80405 resolves issue (tested with patchset 6)
Updated by Sybille Peters 11 days ago
- Related to Bug #87392: Subpages of hidden pages with extendToSubpages activated cannot be accessed even with backend login added
Updated by Sybille Peters 10 days ago
- Related to Bug #106336: 403 Page Not Found when previewing not hidden page of hidden parent, both with extendToSubpages=1 added