Bug #16472

Non accessible Page And PageNotFound Handler.

Added by Alexander Opitz about 13 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Should have
Category:
Frontend
Target version:
-
Start date:
2006-08-15
Due date:
% Done:

100%

TYPO3 Version:
3.8
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

If a Page in Tree isn't accessible then the Variable pageNotFound is set. (To 1 if access rights are direct or 2 if access rights are from upper tree.)

The PageNotFound Handler reacts on that and goes to the 404 Page.

But that isn't always the right way, cause the function getPageAndRootline() (class.tslib_fe.php) looks for a page in the rootLine that can be accessed and this page should be shown. But that function do not set pageNotFound back to zero.

This problem may be older then 3.8.0, I don't know if the PageNotFound Handler reacts same way like in 3.8.x, the getPageAndRootline in class.tslib_fe.php is the same.
(issue imported from #M4047)

class.tslib_fe.php.1.diff View (1.61 KB) Administrator Admin, 2010-05-04 09:29


Related issues

Related to TYPO3 Core - Bug #23178: Wrong HTTP headers sent when trying to access pages that require login Closed 2010-07-14
Related to TYPO3 Core - Bug #32304: pageNotFound_handling target does not handle shortcuts Closed 2011-12-05
Related to TYPO3 Core - Bug #58728: Regression: unaccessible protected section with shortcut in rootline Closed 2014-05-12

Associated revisions

Revision 9ab3b9b5 (diff)
Added by Alexander Opitz over 5 years ago

[BUGFIX] Inaccessible pages on shortcuts/PageNotFound handler

The var pageNotFound is set, if the called page has access
restrictions. Afterwards starts a searching for an accessible page
in the rootline upwards.

If that page is a short link which also isn't accessible we stop
instead of searching again in this new rootline. Limiting this to a
maximum of 20 iterations to prevent endless loops.

If an accessible page is found we do not reset the pageNotFound var.
The PageNotFound handler reacts on this var and redirects to the 404
page instead of presenting the accessible page we found later on.

You can reproduce this with the introduction package, for example
change the access to the Example/Tables page to "Customer".
Afterwards go to http://yourdomain/?id=38 and you will see the 404
page. If you disable the pageNotFound_handling you will see the
content of the Example page.

Resolves: #16472
Releases: 6.2, 6.1
Change-Id: I1e58ec1f96422c6bf3e5c9c74f1b1c1666b68762
Reviewed-on: https://review.typo3.org/21390
Reviewed-by: Sascha Wilking
Tested-by: Sascha Wilking
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Revision 203c1eb9 (diff)
Added by Alexander Opitz over 5 years ago

[BUGFIX] Inaccessible pages on shortcuts/PageNotFound handler

The var pageNotFound is set, if the called page has access
restrictions. Afterwards starts a searching for an accessible page
in the rootline upwards.

If that page is a short link which also isn't accessible we stop
instead of searching again in this new rootline. Limiting this to a
maximum of 20 iterations to prevent endless loops.

If an accessible page is found we do not reset the pageNotFound var.
The PageNotFound handler reacts on this var and redirects to the 404
page instead of presenting the accessible page we found later on.

You can reproduce this with the introduction package, for example
change the access to the Example/Tables page to "Customer".
Afterwards go to http://yourdomain/?id=38 and you will see the 404
page. If you disable the pageNotFound_handling you will see the
content of the Example page.

Resolves: #16472
Releases: 6.2, 6.1
Change-Id: I1e58ec1f96422c6bf3e5c9c74f1b1c1666b68762
Reviewed-on: https://review.typo3.org/29897
Reviewed-by: Alexander Opitz
Tested-by: Alexander Opitz
Reviewed-by: Markus Klein
Tested-by: Markus Klein

History

#1 Updated by Alexander Opitz about 13 years ago

Here my rewritten getPageAndRootline function:

  1. Do not iterate more then 20 times
    function getPageAndRootline($itera=20) {
    $this->page = $this->sys_page->getPage($this->id);
    if (!count($this->page)) {
    // If no page, we try to find the page before in the rootLine.
    $this->pageNotFound=1; // Page is 'not found' in case the id itself was not an accessible page. code 1
    $this->rootLine = $this->sys_page->getRootLine($this->id,$this->MP);
    if (count($this->rootLine)) {
    $c=count($this->rootLine)-1;
    while($c>0) {

    // Add to page access failure history:
    $this->pageAccessFailureHistory['direct_access'][] = $this->rootLine[$c];

    // Decrease to next page in rootline and check the access to that, if OK, set as page record and ID value.
    $c--;
    $this->id = $this->rootLine[$c]['uid'];
    $this->page = $this->sys_page->getPage($this->id);
    if (count($this->page)){ break; }
    }
    }
    // If still no page...
    if (!count($this->page)) {
    if ($this->TYPO3_CONF_VARS['FE']['pageNotFound_handling']) {
    $this->pageNotFoundAndExit('The requested page does not exist!');
    } else {
    $this->printError('The requested page does not exist!');
    exit;
    }
    }

  2. A Page was found so reset to zero
    $this->pageNotFound=0;
    }
    // Is the ID a link to another page??
    if ($this->page['doktype']==4) {
    $this->MP = ''; // We need to clear MP if the page is a shortcut. Reason is if the short cut goes to another page, then we LEAVE the rootline which the MP expects.
    $this->page = $this->getPageShortcut($this->page['shortcut'],$this->page['shortcut_mode'],$this->page['uid']);
    $this->id = $this->page['uid'];
    }
    // Gets the rootLine
    $this->rootLine = $this->sys_page->getRootLine($this->id,$this->MP);

    // If not rootline we're off...
    if (!count($this->rootLine)) {
    $this->printError('The requested page didn\'t have a proper connection to the tree-root! <br /><br />('.$this->sys_page->error_getRootLine.')');
    exit;
    }

    // Checking for include section regarding the hidden/starttime/endtime/fe_user (that is access control of a whole subbranch!)
    if ($this->checkRootlineForIncludeSection()) {
    if (!count($this->rootLine)) {
    $this->printError('The requested page was not accessible!');
    exit;
    } else {

  3. There is an element up the rootline that is accessible
    if ($itera>0) {
  4. reset pageNotFound to zero
    $this->pageNotFound=0;
    $el = reset($this->rootLine);
    $this->id = $el['uid'];
  5. Revalidate that Page, it mayght be a Shortcut (Wasn't test before)
    $this->getPageAndRootline($itera-1);
    } else {
  6. Error if to much iterations
    $this->printError('The requested page was not accessible due to much shortcut loopings into non accessible pages!');
    exit;
    }
    }
    }
    }

#2 Updated by Alexander Opitz over 9 years ago

We are now at Typo3 Version 4.3.3 and the bug exists. No response and so on.

As I can't edit my own bug report, here the notice.

#3 Updated by Chris topher over 9 years ago

Hi Alexander,

thanks for your work!

You should send your patch to Core List! That is why it does not go on here...
Check out http://typo3.org/teams/core/core-mailinglist-rules/

By the way: It should read "due to too many shortcut loops" (not "due to much loops"). ;-)

#4 Updated by Alexander Opitz over 7 years ago

  • Target version deleted (0)

Again one year lost and Typo3 4.6 has this Problem!

#5 Updated by Ingo Renner over 7 years ago

  • File deleted (class.tslib_fe.php.patch)

#6 Updated by Gerrit Code Review almost 7 years ago

  • Status changed from New to Under Review

Patch set 1 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/16359

#7 Updated by Gerrit Code Review almost 7 years ago

Patch set 1 for branch TYPO3_4-6 has been pushed to the review server.
It is available at http://review.typo3.org/16360

#8 Updated by Gerrit Code Review almost 7 years ago

Patch set 1 for branch TYPO3_4-7 has been pushed to the review server.
It is available at http://review.typo3.org/16361

#9 Updated by Alexander Opitz almost 7 years ago

Oh I forgott to mention, this patch also resolves the problem, if next accessible page is a shortcut to another page.

#10 Updated by Andreas Wolf over 6 years ago

  • Category changed from Communication to Frontend
  • Target version set to 6.0.2
  • TYPO3 Version changed from 3.8.0 to 6.0
  • PHP Version deleted (4)

We should definitely get this finally in...

Could you provide an exact specification on how to test (what page structure with which settings do I need)? Or - even better - upload a .t3d with a matching page structure.

#11 Updated by Alexander Opitz over 6 years ago

HowTo Reproduce:

- Install a TYPO3 with Introduction Package
- In the backend go to the Examples/Tables page and set its access to Customer
- Now go to http://yourdomain/?id=38

=> You will see the 404 site not found page.

- Now edit your typo3conf/localconf.php (or typo3conf/LocalConfiguration.php)
- Disable the page not found handling (you may found more then one entry in your typo3conf/localconf.php)

//$TYPO3_CONF_VARS['FE']['pageNotFound_handling'] = t3lib_div::getIndpEnv('TYPO3_SITE_URL').'index.php?id=16';

or
    'FE' => array(
        //'pageNotFound_handling' => 'http://yourdomain/index.php?id=16',
    ),

- Reload the page

=> You will see the Example page.

#12 Updated by Alexander Opitz over 6 years ago

  • Assignee set to Alexander Opitz

#13 Updated by Alexander Opitz over 6 years ago

  • Target version deleted (6.0.2)
  • TYPO3 Version changed from 6.0 to 3.8

The problem occured in 3.8 so setting TYPO3 version back to 3.8

#14 Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/21390

#15 Updated by Gerrit Code Review over 6 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/21390

#16 Updated by Gerrit Code Review over 6 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/21390

#17 Updated by Clément MICHELET almost 6 years ago

Still not fixed in 6.1.6

Tree configuration :

Root page - Shortcut to first subpage
  • Page 1 - Hide at login + extends to subpage
    • Page 1.2
  • Page 2 - Show at any login + extends to subpage
    • Page 2.1
    • Page 2.2
      • Page 2.2.1
      • Page 2.2.2
    • Page 2.3

Environment Configuration :
pageNotFound_handling empty
No realurl enabled (yet)

Tests

With no login, request Page 2.2.2
Expected : Redirect to root page which redirect/shortcut to Page 1
Result: Display root page (which is a shortcut) as Page 2.2.2

With login, request Page 1.2
Expected : Redirect to root page which redirect/shortcut to Page 2
Result: Display root page (which is a shortcut) as Page 1.2

Workaround:
Apply access configurations on each subpages

#18 Updated by Gerrit Code Review over 5 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/21390

#19 Updated by Gerrit Code Review over 5 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/21390

#20 Updated by Gerrit Code Review over 5 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/21390

#21 Updated by Gerrit Code Review over 5 years ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/21390

#22 Updated by Gerrit Code Review over 5 years ago

Patch set 8 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/21390

#23 Updated by Gerrit Code Review over 5 years ago

Patch set 1 for branch TYPO3_6-1 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29897

#24 Updated by Alexander Opitz over 5 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#25 Updated by Gregor Schreier over 5 years ago

There is a bug in the change https://review.typo3.org/29897

access restricted pages can't be handled by the pageNotFound_handling anymore if the user is not logged in - if pageNotFound_handling defined.

Given:
You have a page in an access restricted area.
Someone link to the page in the access restricted are directly - now you get the first page witch is accessible in the Rootline with an Status Code 200 - this is wrong - and you have no way to change the site or status code.
You have to tell google at least that the status for the page is 401 - Unauthorized

In TYPO3 6.2.1 the handling was correct and points to the pageNotFound_handling - if defined.

The Commit which brings this bug was:
https://git.typo3.org/Packages/TYPO3.CMS.git/commit/9ab3b9b5dd96ae0f955277a8997abb4bd69a66ff

line 1627:

// We found something so reset to zero
$this->pageNotFound = 0;

This reset the pageNotFound Status if the page is in an access-restricted area and was marked before as pageNotFound

in line 1589:

if (!count($this->page)) {
// If no page, we try to find the page before in the rootLine.
// Page is 'not found' in case the id itself was not an accessible page. code 1
$this->pageNotFound = 1;

best regards
gregor

#26 Updated by Alexander Opitz over 5 years ago

  • Is Regression set to No

Hmmm thats a real Chicken/Egg issue in the source.
We can't show the best page to the user if $this->pageNotFound is set or we can't send correct header data/status codes if we set $this->pageNotFound = 0.

The $this->pageNotFound also has 5 possible values and IMHO there are more issues about the header data/status codes and the pageNotFound handler and possible redirects.

#27 Updated by Alexander Stehlik over 5 years ago

Regression in #58728 :(

#28 Updated by Benni Mack about 1 year ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF