Bug #104629
open
403 for pages in FE if admin-panel active and non-admin user opens page with no permission in BE
Added by Sybille Peters 7 months ago.
Updated 18 days ago.
Description
This problem only occurs if "Show hidden pages" or "Show hidden records" is activated in admin panel (possibly also in other scenarios).
If all filters in the admin-panel settings are off, I cannot reproduce the problem.
I marked this as regression, because it appeared in v12, does not occur in v11.
Reproduce¶
1. Login or switchuser as non-admin user with restricted access (not all pages)
2. Open page in FE
3. Activate admin-panel, activate "Show hidden pages"
4. Click on a link to a page the user has no access to :
- page is not in file mount
- user has no read access (e.g. page has different owner and only permssions allowed for owner in Access module)
Now, we see a 403 error.
Versions¶
- 12.4.18: reproduced (2024-08-15)
- main (v14): reproduced (2025-03-06)
Files
I can reproduce this with the latest v14 version as well (dev-main).
Same as described above, if the admin-panel is enabled and Preview "Show hidden pages" is active and the user clicks on a page he does not have access to.
hint: must set user tsconfig:
admPanel.enable.all = 1
- Related to Bug #101589: Frontend page not accessible if be_user is logged in added
- Related to Bug #105866: Backend user access rights overrule frontend user access rights added
There are some related issue (see above under "Related issues").
Info from core Slack Stefan:
"not the same, but related. The adminpanel influences the frontend preview settings (show/hide hidden records) - can view hidden pages in the frontend etc.
And the place in the latest patch relates to "fe user <-> be user" setting which is basic requirement for adminpanel anyway. All of these operates on same things, and at least are related and needs to be analyzed together and not each on it's own"
- Related to Task #97176: Move BE_USER check of TSFE into middleware added
- Related to Task #102856: Streamline TypoScriptFrontendItitialization added
- Description updated (diff)
- Related to Bug #87392: Subpages of hidden pages with extendToSubpages activated cannot be accessed even with backend login added
- Related to Bug #106336: 403 Page Not Found when previewing not hidden page of hidden parent, both with extendToSubpages=1 added
Also available in: Atom
PDF
Updated by