Bug #106367

open

Pages with "show at any login" are not accessible to users without any assigned group

Added by Alexander Schnitzler 3 days ago. Updated 3 days ago.

Status: New
Priority: Should have
Assignee: -
Category: Authentication
Target version: -
Start date: 2025-03-13
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version: 8.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

I stumbled upon the following scenario:

I have a page which is restricted to logged in users. The virtual group "show at any login" has the id -2. My expectation is that users with a login (active, valid session) should be able to access that page.

That user however, does not have any group assigned.

When \TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication::createUserAspect() assembles all groups of a user, it only assigns -2 if the user already has at least one group assigned.

$userGroups = [0];
$isUserAndGroupSet = is_array($this->user) && !empty($this->userGroups);
if ($isUserAndGroupSet) {
    // group -2 is not an existing group, but denotes a 'default' group when a user IS logged in.
    // This is used to let elements be shown for all logged in users!
    $userGroups[] = -2;
    $groupsFromUserRecord = array_keys($this->userGroups);
} else {
    // group -1 is not an existing group, but denotes a 'default' group when not logged in.
    // This is used to let elements be hidden, when a user is logged in!
    $userGroups[] = -1;
    if ($respectUserGroups) {
        // For cases where logins are not banned from a branch usergroups can be set based on IP masks so we should add the usergroups uids.
        $groupsFromUserRecord = array_keys($this->userGroups);
    } else {
        // Set to blank since we will NOT risk any groups being set when no logins are allowed!
        $groupsFromUserRecord = [];
    }
}

So I think this is a bug, actually. Users without a user group, that are logged in, should be given the -2 group.
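The scenario described above, reduced to a stand-alone model. This is an added example, not TYPO3 code and not part of the original report: `resolveGroupIds()`, `canAccess()`, the `$anyLogin` switch and the sample visitors are hypothetical, and the access check is a simplified assumption about how a page's access list is compared against the resolved groups.

```php
<?php
declare(strict_types=1);

// Stand-alone model of the quoted branch; not TYPO3 code.
// $user: user record or null. $groups: [uid => row], shaped like $this->userGroups.
// $anyLogin is a hypothetical switch modelling the report's expectation.
function resolveGroupIds(?array $user, array $groups, bool $respectUserGroups = true, bool $anyLogin = false): array
{
    $ids = [0];
    $loggedIn = is_array($user);
    // Quoted condition: a login AND at least one group. The variant needs only the login.
    if ($anyLogin ? $loggedIn : ($loggedIn && !empty($groups))) {
        $ids[] = -2; // virtual group "show at any login"
        $fromRecord = array_keys($groups);
    } else {
        $ids[] = -1; // virtual group for "not logged in"
        $fromRecord = $respectUserGroups ? array_keys($groups) : [];
    }
    return array_values(array_unique(array_merge($ids, $fromRecord)));
}

// Assumed, simplified access check: an empty access list is public; otherwise
// the page is visible when the list shares an id with the resolved groups.
function canAccess(string $pageGroupList, array $groupIds): bool
{
    $required = array_filter(array_map('intval', explode(',', $pageGroupList)));
    return $required === [] || array_intersect($required, $groupIds) !== [];
}

// Constructed visitors: [label, user record, group map].
$visitors = [
    ['anonymous', null, []],
    ['login, group 5', ['uid' => 1], [5 => ['uid' => 5]]],
    ['login, no groups', ['uid' => 2], []],
];

foreach ($visitors as [$label, $user, $groups]) {
    foreach ([false, true] as $anyLogin) {
        $ids = resolveGroupIds($user, $groups, true, $anyLogin);
        printf(
            "%-17s %-8s groups=[%s] page(-2)=%s\n",
            $label,
            $anyLogin ? 'variant' : 'quoted',
            implode(',', $ids),
            canAccess('-2', $ids) ? 'allowed' : 'denied'
        );
    }
}
```

Under the quoted condition the group-less login resolves to the same ids as the anonymous visitor, so it is denied on the -2 page and also matches content targeted at -1.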

Actions #1

Updated by Garvin Hicking 3 days ago · Edited

Some references, did not dig further (yet)

https://review.typo3.org/c/Packages/TYPO3.CMS/+/66066 didn't change this ported behaviour. However in https://review.typo3.org/c/Packages/TYPO3.CMS/+/57104 this looks as if the else part was not properly ported.
With that earlier code, in case of missing usergroups a group -1 was always added if I read that right.

Specifically: https://review.typo3.org/c/Packages/TYPO3.CMS/+/57104/21/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#947

Update: Ah, never mind, I misread parts of the 'else', so that was left unchanged.
