TYPO3 Core

Garvin Hicking wrote in #note-2:

I stumble across "but the current logged in frontend user" - at which point do you log into the frontend?

The website is an Intranet, so all pages are restricted to the access of frontend users only. The automatic login is done with Kerberos and the extension "causal/ig_ldap_sso_auth" (https://github.com/xperseguers/t3ext-ig_ldap_sso_auth/)

Executing the preview on a specific page simulates a FE user, but your editor and fe user are not connected. If however you are logged in the FE and BE at the same time and then simulate, it could affect your session.

Yes, I am logged in as backend AND frontend user.

Have you tried this in a way where you are not logged into the frontend seperately, only with a backend login and the preview functionality?

I have now tested without a logged in frontend user and I get the same error 403, if I navigate to a page, which is not editable for the backend user. For this scenario, I would say, the error is correct, because I am not logged in as a frontend user and so I should not be able to see the page.

Thinking a little more about your comment @Garvin Hicking, I guess, that the frontend preview is granted to the pages of the current backend user only. The rights of the current frontend user are ignored. Maybe that's the issue? Shouldn't both rights (frontend and backend) be merged?

I must admit I haven't checked the code on this to be sure, but from my understanding, the BE user preview replaces a frontend user login by "logging in" with a fake frontend user that gets the permissions granted to view the current page. If you seperately browse to another page, your "actual" frontend user takes over, and then you only see what that FE user can see.

There should be a URL variable like "ADMCMD_simUser=2" that toggles that behavior; and that is only viable for those pages that are called with that variable. Normally the variable should be transferred over to all URLs when you navigate the page in the preview window. Does that happen for you?

Garvin Hicking wrote in #note-5:

I must admit I haven't checked the code on this to be sure, but from my understanding, the BE user preview replaces a frontend user login by "logging in" with a fake frontend user that gets the permissions granted to view the current page. If you seperately browse to another page, your "actual" frontend user takes over, and then you only see what that FE user can see.

That is exactly, what I would expect too.

There should be a URL variable like "ADMCMD_simUser=2" that toggles that behavior; and that is only viable for those pages that are called with that variable. Normally the variable should be transferred over to all URLs when you navigate the page in the preview window. Does that happen for you?

Yes, in my navigation, the parameter "?ADMCMD_simUser=1" is added for the preview of a backend user. It is always "?ADMCMD_simUser=1" regardless which user is logged in (not the backend user id) and it is added to all pages. Manually removing the parameter from the url does not stop throwing the 403 error for the pages, which are not allowed by the backend user.