Bug #105866

open

Backend user access rights overrule frontend user access rights

Added by cosmoblonde GmbH 21 days ago. Updated 3 days ago.

Status: Needs Feedback
Priority: Should have
Assignee: -
Category: Frontend
Target version: -
Start date: 2024-12-28
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

I have a website with restricted FE user access to most pages.
If there is no backend user logged in, then the restriction works as expected. My FE user can access all the pages where access is granted.

When there is also a backend user logged in to the TYPO3 backend (using the same browser; the FE user is still logged in), then only the frontend pages to which the backend user has access / edit rights in the TYPO3 backend can be viewed in the frontend.
This means that the frontend is not usable for the frontend user as long as he is simultaneously logged in to the TYPO3 backend.

This TYPO3 website was migrated from an older version, where this problem did not exist.

The error is caused by the class vendor/typo3/cms-frontend/Classes/Middleware/TypoScriptFrontendInitialization.php
Since version 12 there is a check which did not exist before:

        // Check if backend user has read access to this page.
        if ($this->context->getPropertyFromAspect('backend.user', 'isLoggedIn', false)
            && $this->context->getPropertyFromAspect('frontend.preview', 'isPreview', false)
            && !$GLOBALS['BE_USER']->doesUserHaveAccess($controller->page, Permission::PAGE_SHOW)
        ) {
            return GeneralUtility::makeInstance(ErrorController::class)->accessDeniedAction(
                $request,
                'ID was not an accessible page',
                $controller->getPageAccessFailureReasons(PageAccessFailureReasons::ACCESS_DENIED_PAGE_NOT_RESOLVED)
            );
        }

So if a backend user is logged in and the page is in preview mode, then access to a page is based on the backend user's access rights.
I would suggest adjusting this to:

        // Check if backend user has read access to this page.
        if ($this->context->getPropertyFromAspect('backend.user', 'isLoggedIn', false)
            && $this->context->getPropertyFromAspect('frontend.preview', 'isPreview', false)
            && !$GLOBALS['BE_USER']->doesUserHaveAccess($controller->page, Permission::PAGE_SHOW)
        ) {
            $this->context->unsetAspect('frontend.preview');
        }

With that change the preview aspect is unset and the page can be accessed as expected.

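The following stand-alone PHP script is an added illustration written for this page; it is not TYPO3 core code and not the reporter's patch. It models the access decision that the quoted middleware check makes, once for the current v12 logic and once for the change proposed above, over a constructed set of cases. It assumes (as the middleware's surrounding code suggests, since determineId() runs before this check) that the frontend user-group check has already been evaluated and its outcome is available as $feUserHasAccess; the class, method and case table are invented for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 core code: a stand-alone model of the access
// decision made in TypoScriptFrontendInitialization, for the current v12 check
// and for the change proposed in this report.
// Assumption: the fe_group check in determineId() has already run when the
// backend-user check is reached, so $feUserHasAccess is that check's result.

final class AccessDecision
{
    public const DENY = 'deny (403)';
    public const SERVE_PREVIEW = 'serve with preview';
    public const SERVE_PLAIN = 'serve without preview';

    /**
     * @param bool $feUserHasAccess result of the fe_group check in determineId()
     * @param bool $beLoggedIn      backend.user aspect, property isLoggedIn
     * @param bool $isPreview       frontend.preview aspect, property isPreview
     * @param bool $beHasPageShow   BE_USER->doesUserHaveAccess($page, Permission::PAGE_SHOW)
     * @param bool $proposedFix     false = current core check, true = reporter's change
     */
    public static function decide(
        bool $feUserHasAccess,
        bool $beLoggedIn,
        bool $isPreview,
        bool $beHasPageShow,
        bool $proposedFix
    ): string {
        // Frontend access control decides first and is identical in both variants.
        if (!$feUserHasAccess) {
            return self::DENY;
        }
        $beCheckFails = $beLoggedIn && $isPreview && !$beHasPageShow;
        if ($beCheckFails) {
            // Current core: the backend user's missing PAGE_SHOW permission
            // turns a page the frontend user is entitled to into a 403.
            if (!$proposedFix) {
                return self::DENY;
            }
            // Proposed change: drop the preview aspect instead, so the page is
            // served to the frontend user without any backend preview features.
            $isPreview = false;
        }
        return $isPreview ? self::SERVE_PREVIEW : self::SERVE_PLAIN;
    }
}

// Constructed cases for the illustration, not observations from the reporter's site.
$cases = [
    // [label, feUserHasAccess, beLoggedIn, isPreview, beHasPageShow]
    ['FE user only, page granted to their group',       true,  false, false, false],
    ['FE + BE user, BE user may see the page',          true,  true,  true,  true],
    ['FE + BE user, BE user lacks PAGE_SHOW (the bug)', true,  true,  true,  false],
    ['FE + BE user, no preview active',                 true,  true,  false, false],
    ['BE user lacks PAGE_SHOW, fe_group denies anyway', false, true,  true,  false],
];

printf("%-50s | %-22s | %s\n", 'case', 'current core', 'proposed change');
foreach ($cases as [$label, $fe, $be, $prev, $show]) {
    printf(
        "%-50s | %-22s | %s\n",
        $label,
        AccessDecision::decide($fe, $be, $prev, $show, false),
        AccessDecision::decide($fe, $be, $prev, $show, true)
    );
}
```

Run it with `php` on the command line. The third row is the situation reported above; the last row shows that the proposed change does not widen access, because the frontend group check has already denied the request before the backend-user check is reached. Two caveats a reviewer would raise: first, with the proposed change an editor who lacks PAGE_SHOW on a page silently loses preview there instead of seeing an error, so the behaviour change should at least be logged or documented; second, Context::unsetAspect() removes the aspect entirely, and while Context::getPropertyFromAspect() then falls back to its default, any later Context::getAspect('frontend.preview') call throws an AspectNotFoundException, so replacing the aspect with a fresh PreviewAspect(false) is the safer form of the same idea.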

Related issues (2: 0 open, 2 closed)

Related to TYPO3 Core - Task #97176: Move BE_USER check of TSFE into middleware (Closed, Benni Mack, 2022-03-13)
Related to TYPO3 Core - Task #102856: Streamline TypoScriptFrontendItitialization (Closed, 2024-01-18)