Bug #106343

open

403 and misleading error in FE when NOT logged in if page is descendant of hidden=1 and extendToSubpages=1

Added by Sybille Peters 16 days ago. Updated 15 days ago.

Status: Under Review
Priority: Should have
Assignee: -
Category: Frontend
Target version: -
Start date: 2025-03-08
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 14
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Reproduce

prerequisites:
  • we are not logged in to the BE
  • there is no access restriction on the page (e.g. FE user)

1. Create a page test with hidden=1 and extendToSubpages=1
2. Create a not hidden subpage test2
3. Load the page test2 in the frontend (not logged in to the backend)

We expect to get a 404 (like for hidden pages), but we get a 403:

Error message

403
Page Not Found
The page did not exist or was inaccessible. Reason: Subsection was found and not accessible

Also, the error message is misleading and non-intuitive.

(I tried to find an existing issue but found lots of issues with preview. This is about not being logged in to the BE, and there is no FE user or access restriction.)

Versions

  • reproduced with latest main (14.0.0-dev)
  • also reproduced with latest v12 (12.4.28-dev)

Actions #1

Updated by Sybille Peters 16 days ago

In PageInformationFactory::checkRootlineForIncludeSection we set the 403 and the error code PageAccessFailureReasons::ACCESS_DENIED_SUBSECTION_NOT_RESOLVED for a variety of reasons, as $this->accessVoter->accessGrantedForPageInRootLine also returns false if a page in the rootline is extendToSubpages and hidden.

protected function checkRootlineForIncludeSection(ServerRequestInterface $request, PageInformation $pageInformation): void
{
    $rootLine = $pageInformation->getRootLine();
    for ($a = 0; $a < count($rootLine); $a++) {
        $rootLineEntry = $rootLine[$a];
        if (!$this->accessVoter->accessGrantedForPageInRootLine($rootLineEntry, $this->context)) {
            // accessGrantedForPageInRootLine() does the main check for 'extendToSubpages'.
            $response = $this->errorController->accessDeniedAction(
                $request,
                'Subsection was found and not accessible',
                [
                    'code' => PageAccessFailureReasons::ACCESS_DENIED_SUBSECTION_NOT_RESOLVED,
                    'sub_section' => [
                        0 => $rootLineEntry,
                    ],
                ],
            );
            throw new PageInformationCreationFailedException($response, 1705337296);
        }
    }
}
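
The distinction this comment points at, as an added illustration (not TYPO3 core code and not the patch under review): a simplified rootline walk that answers 404 when a hidden page or a hidden extendToSubpages ancestor blocks the request, and 403 only for a frontend-group restriction. The function classifyRootline() and the sample rows are constructed for this example; the special fe_group values -1 and -2 are not modelled.

```php
<?php
declare(strict_types=1);

// Illustrative model only: classifyRootline() and the sample rows are constructed
// for this example and are not TYPO3 core code or the patch under review.

/**
 * Walk the rootline from the site root to the requested page and return the
 * HTTP status plus a reason, keeping "hidden" and "access restricted" apart.
 *
 * @param array<int, array{uid:int, hidden:int, extendToSubpages:int, fe_group:string}> $rootLine
 * @param int[] $userGroups frontend group ids of the visitor (empty = anonymous)
 * @return array{0:int, 1:string}
 */
function classifyRootline(array $rootLine, array $userGroups): array
{
    $last = count($rootLine) - 1;
    foreach ($rootLine as $i => $page) {
        $isTarget = ($i === $last);
        // An ancestor only affects its subpages when extendToSubpages is set.
        if (!$isTarget && $page['extendToSubpages'] !== 1) {
            continue;
        }
        if ($page['hidden'] === 1) {
            // Same answer as for a hidden page itself: do not confirm that it exists.
            return [404, 'page or ancestor ' . $page['uid'] . ' is hidden'];
        }
        $required = array_filter(array_map('intval', explode(',', $page['fe_group'])));
        if ($required !== [] && array_intersect($required, $userGroups) === []) {
            return [403, 'page or ancestor ' . $page['uid'] . ' requires a frontend group'];
        }
    }
    return [200, 'accessible'];
}

// Constructed sample: page "test" (uid 10) is hidden with extendToSubpages, "test2" (uid 11) is its subpage.
$hiddenParent = [
    ['uid' => 1, 'hidden' => 0, 'extendToSubpages' => 0, 'fe_group' => ''],
    ['uid' => 10, 'hidden' => 1, 'extendToSubpages' => 1, 'fe_group' => ''],
    ['uid' => 11, 'hidden' => 0, 'extendToSubpages' => 0, 'fe_group' => ''],
];
// Constructed sample: same tree, but the parent is visible and limited to frontend group 5.
$restrictedParent = $hiddenParent;
$restrictedParent[1] = ['uid' => 10, 'hidden' => 0, 'extendToSubpages' => 1, 'fe_group' => '5'];

foreach (['hidden parent' => $hiddenParent, 'restricted parent' => $restrictedParent] as $label => $rootLine) {
    [$status, $reason] = classifyRootline($rootLine, []);
    printf("%-18s -> %d (%s)\n", $label, $status, $reason);
}
```
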
Actions #2

Updated by Gerrit Code Review 15 days ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/88541

Actions #3

Updated by Gerrit Code Review 15 days ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/88541

Actions #4

Updated by Gerrit Code Review 15 days ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/88541
