Bug #23412
closed
admPanel configuration by TSconfig is buggy
0%
Description
Hi
we have done quite some debugging concerning the adminPanel configuration and found some bugs. a patch is supplied.
thanks for your answer.
Mike
part 1: analysis
On our website, we use some front-end preview and edit features offered by typo3.
We do not want the adminPanel to show, therefore we use some TSconfig in the back end user group to configure the adminPanel settings.
In an attempt to clean up our TS, we discovered some weird stuff regarding the configuration of the adminPanel.
here is some of our original TS:
admPanel {
hide = 1
enable.preview = 1
override.preview = 1override.preview.showHiddenPages = 0
module.preview.showHiddenPages = 0
override.preview.showHiddenRecords = 1
module.preview.showHiddenRecords = 1
override.preview.simulateUserGroup = 7
}it has the following effects:
- adminPanel is hidden > ok adminPanel preview is activated > ok hidden pages are shown > not ok! hidden records are shown > ok simulated user group: 7 > ok simulated timestamp: 1 -> not ok!
by fiddling with these values, we discovered the following:
- the module.preview.* settings are dead
- the override.preview.* settings are all ignored as long as we used "override.preview = 1"
we had no clue, what "override.preview = 1" was supposed to mean.
when we removed it, we saw the following:
- the preview was not working, any more
- the override.preview.* settings had no effect
it was time to look at the source:
we discovered the method tslib_AdminPanel::extGetFeAdminValue():
- it seems to supply most preview/feedit functions with the current values.
- it contains many hard-coded exceptions (mainly regarding the edit module)
- the override settings can only override if they have a value that evaluates to true! as a consequence, "override.preview.showHiddenPages = 0" will be ignored.
- "override.preview = 1" is interpreted as a default setting for all override.preview.* settings! that is the reason why our preview simulated a timestamp of "1".
- when "override.preview = 1" is not set in the TSconfig and the adminPanel is not shown and opened, the preview is not shown. why?
unfortunately, the edit module doesn't use this function:
tx_feedit_editpanel::editPanelLinkWrap_doWrap gets its values directly from the user submitted values of the adminPanel and is therefore not configurable by TSconfig.
part 2: conclusion
we identified the following bugs:
- "override.preview = 1" being required to activate the preview if the adminPanel is hidden. ()
- override. settings can only override if they evaluate to true (*)
- some admPanel modules getting their values by circumventing tslib_AdminPanel::extGetFeAdminValue(). this applies to the settings: override.edit.editFormsOnPage and override.edit.editNoPopup. they simply have no effect!
- back-end users were able to see content that they had no front-end or back-end access to, just by simulating a user group in the adminPanel or by supplying an url parameter like:
&TSFE_ADMIN_PANEL%5Bpreview_simulateUserGroup%5D=1,2,3,4,5,6,7
- ADMCMD_simUser only uses the first group id if a list is given. p.e. ADMCMD_simUser=1,2 ignores group 2!
we identified the following problems:
- admPanel TS documentation not being in sync with the actual code.
- two different flavors of preview. one by selecting the view action in the context menu of a page and the preview function of the Web > View module. the latter uses the ADMCMD_simUser and ADMCMD_simTime url parameters.
we have supplied a patch that addresses the above bugs marked by a star (*)
after applying the patch, we are able to use the following TSconfig:
admPanel {
// don't show adminPanel
hide = 1
// hide all adminPanel modules by default
enable.all= 0// activate preview module
enable.preview = 1// don't show hidden pages in nav menus
override.preview.showHiddenPages = 0// show hidden content elements
override.preview.showHiddenRecords = 1// simulate user group
override.preview.simulateUserGroup = 7
}the override.preview.* settings are now working as expected, as our preview now shows hidden records but no hidden pages.
(issue imported from #M15511)
Files
Updated by Michael Buergi about 14 years ago
I'm about the post this patch to the core mailing list. added a new patch file that uses a file path that is relative to the typo3 root folder.
Updated by Björn Pedersen about 14 years ago
This seems to be one possible solution to my bug: http://bugs.typo3.org/view.php?id=15418
Updated by Susanne Moog about 14 years ago
Just a note:
The "module" settings were AFAIK never meant to work with the "preview" functionality only - as documented - with the "edit" functions.
Updated by Christian Buelter over 11 years ago
- Target version deleted (
0)
Referring to http://docs.typo3.org/typo3cms/TSconfigReference/UserTsconfig/admPanel/Index.html the "override" options should also work with the "preview" section.
Also, my experience is that the override functions in the edit section do not work, eg I cannot disable the "forms on page" option with
admPanel.override.edit.editFormsOnPage = 0
I only can disable the whole edit section with
admPanel.enable.edit = 1
Tested on TYPO3 6.1.1
Updated by Mathias Schreiber almost 10 years ago
- Description updated (diff)
- Category deleted (
Communication) - Target version set to 7.2 (Frontend)
- Is Regression set to No
Updated by Benni Mack over 9 years ago
- Target version changed from 7.2 (Frontend) to 7.4 (Backend)
Updated by Daniel Goerz over 9 years ago
Hi,
please check again if the issue still exists since we merged https://review.typo3.org/#/c/40922/.
Updated by Wouter Wolters over 9 years ago
- Status changed from New to Needs Feedback
Updated by Susanne Moog over 9 years ago
- Target version changed from 7.4 (Backend) to 7.5
Updated by Alexander Opitz almost 9 years ago
- Status changed from Needs Feedback to Closed
No feedback within the last 90 days => closing this issue.
If you think that this is the wrong decision or experience this issue again, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.