Bug #105567

open

Frontend preview not working on restricted pages for normal editors

Added by Chris no-lastname-given 28 days ago. Updated 28 days ago.

Status: Needs Feedback
Priority: Should have
Assignee: -
Category: Frontend
Target version: -
Start date: 2024-11-11
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version: 8.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Prerequisite:
All pages in the page tree may only be accessed with a valid frontend user login.

How to reproduce
  • Log into TYPO3 with editor rights. The editor should have access to selected pages only!
  • Select a page in the page tree and click on preview
  • The preview will open
  • Navigate to a page for which the backend user has edit rights -> preview is working
  • Now navigate to a page which the editor has no rights to edit in TYPO3 but which the currently logged-in frontend user is allowed to see
  • You will get an error 403

Maybe #96658 is related?

Tested with TYPO3 v12.4.22


Related issues: 1 (1 open, 0 closed)

Related to TYPO3 Core - Bug #96658: Frontend preview doesn't work on restricted pages, when any none-live-workspace is selected (Under Review, 2022-01-27)

Actions #1

Updated by Chris no-lastname-given 28 days ago

  • Related to Bug #96658: Frontend preview doesn't work on restricted pages, when any none-live-workspace is selected added
Actions #2

Updated by Garvin Hicking 28 days ago

  • Category set to Frontend
  • Status changed from New to Needs Feedback

I stumble across "but the current logged in frontend user" - at which point do you log into the frontend?

Executing the preview on a specific page simulates a FE user, but your editor and fe user are not connected. If however you are logged in the FE and BE at the same time and then simulate, it could affect your session.

Have you tried this in a way where you are not logged into the frontend separately, only with a backend login and the preview functionality?

Actions #3

Updated by Chris no-lastname-given 28 days ago

Garvin Hicking wrote in #note-2:

> I stumble across "but the current logged in frontend user" - at which point do you log into the frontend?

The website is an Intranet, so all pages are restricted to the access of frontend users only. The automatic login is done with Kerberos and the extension "causal/ig_ldap_sso_auth" (https://github.com/xperseguers/t3ext-ig_ldap_sso_auth/)

> Executing the preview on a specific page simulates a FE user, but your editor and fe user are not connected. If however you are logged in the FE and BE at the same time and then simulate, it could affect your session.

Yes, I am logged in as backend AND frontend user.

> Have you tried this in a way where you are not logged into the frontend separately, only with a backend login and the preview functionality?

I have now tested without a logged-in frontend user and I get the same error 403 if I navigate to a page which is not editable for the backend user. For this scenario, I would say the error is correct, because I am not logged in as a frontend user and so I should not be able to see the page.

Actions #4

Updated by Chris no-lastname-given 28 days ago

Thinking a little more about your comment @Garvin Hicking, I guess that the frontend preview is granted to the pages of the current backend user only. The rights of the current frontend user are ignored. Maybe that's the issue? Shouldn't both rights (frontend and backend) be merged?

Actions #5

Updated by Garvin Hicking 28 days ago

I must admit I haven't checked the code on this to be sure, but from my understanding, the BE user preview replaces a frontend user login by "logging in" with a fake frontend user that gets the permissions granted to view the current page. If you separately browse to another page, your "actual" frontend user takes over, and then you only see what that FE user can see.

There should be a URL variable like "ADMCMD_simUser=2" that toggles that behavior; and that is only viable for those pages that are called with that variable. Normally the variable should be transferred over to all URLs when you navigate the page in the preview window. Does that happen for you?

Actions #6

Updated by Chris no-lastname-given 28 days ago

Garvin Hicking wrote in #note-5:

> I must admit I haven't checked the code on this to be sure, but from my understanding, the BE user preview replaces a frontend user login by "logging in" with a fake frontend user that gets the permissions granted to view the current page. If you separately browse to another page, your "actual" frontend user takes over, and then you only see what that FE user can see.

That is exactly what I would expect too.

> There should be a URL variable like "ADMCMD_simUser=2" that toggles that behavior; and that is only viable for those pages that are called with that variable. Normally the variable should be transferred over to all URLs when you navigate the page in the preview window. Does that happen for you?

Yes, in my navigation, the parameter "?ADMCMD_simUser=1" is added for the preview of a backend user. It is always "?ADMCMD_simUser=1" regardless of which user is logged in (not the backend user id), and it is added to all pages. Manually removing the parameter from the URL does not stop the 403 error being thrown for the pages which are not allowed for the backend user.
