Bug #105866 (open)
Backend user access rights overrule frontend user access rights
Description
I have a website with restricted FE user access to most pages.
If there is no backend user logged in, then the restriction works as expected. My FE user can access all the pages where access is granted.
When there is also a backend user logged into the TYPO3 backend (using the same browser; the FE user is still logged in), then only the frontend pages to which the backend user has access / edit rights in the TYPO3 backend can be viewed in the frontend.
This means that the frontend is not usable for the frontend user as long as he is simultaneously logged into the TYPO3 backend.
This TYPO3 website was migrated from an older version, where this problem did not exist.
The error is caused by the class vendor/typo3/cms-frontend/Classes/Middleware/TypoScriptFrontendInitialization.php
Since version 12 there is a check, which did not exist before:
// Check if backend user has read access to this page.
if ($this->context->getPropertyFromAspect('backend.user', 'isLoggedIn', false)
    && $this->context->getPropertyFromAspect('frontend.preview', 'isPreview', false)
    && !$GLOBALS['BE_USER']->doesUserHaveAccess($controller->page, Permission::PAGE_SHOW)
) {
    return GeneralUtility::makeInstance(ErrorController::class)->accessDeniedAction(
        $request,
        'ID was not an accessible page',
        $controller->getPageAccessFailureReasons(PageAccessFailureReasons::ACCESS_DENIED_PAGE_NOT_RESOLVED)
    );
}
So if a backend user is logged in and the page is in preview mode, then the access to a page is based on the backend user access rights.
I would suggest adjusting this to:
// Check if backend user has read access to this page.
if ($this->context->getPropertyFromAspect('backend.user', 'isLoggedIn', false)
    && $this->context->getPropertyFromAspect('frontend.preview', 'isPreview', false)
    && !$GLOBALS['BE_USER']->doesUserHaveAccess($controller->page, Permission::PAGE_SHOW)
) {
    $this->context->unsetAspect('frontend.preview');
}
With that change the preview aspect is unset and the page can be accessed as expected.