Bug #24922

closed

Problem with CSRF Protection: Changing access permissions on a sys folder to include a user group

Added by Chris Bischoff about 13 years ago. Updated almost 11 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2011-02-01
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.5
PHP Version: 5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Changing access permissions on a sys folder to include a user group throws this error:

"Validating the security token of this form has failed. Please reload the form and submit it again."

Deleting caches and temp files has no effect.

This issue appeared after upgrading from 4.4.6 to 4.5.0.
(issue imported from #M17437)


Files

token_validation_issue.jpg (152 KB), Administrator Admin, 2011-02-02 14:13
be_acl-4-5-formProtection.diff (810 Bytes), Administrator Admin, 2011-02-02 19:21

Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #24671: Protect C(R)UD actions against CSRF (Closed, Ernesto Baschny, 2011-01-20)

Actions #1

Updated by Ernesto Baschny about 13 years ago

I could not reproduce that, Chris. I tried using the Web>Access module and then either the "User overview" page and also the "Permissions" page, and different methods of changing the group permission, and all of them worked.

Could you be more specific or maybe add a screenshot or two? Thanks!

Actions #2

Updated by Chris Bischoff about 13 years ago

I've included a screenshot of the backend which illustrates the issue. It happens when I try to add a group to the access permission of the Direct Mail system folder. Could it be related to the Direct Mail extension? I don't know.

Thank you so much for your help.

Actions #3

Updated by Ernesto Baschny about 13 years ago

This seems to come from some extension which enhances the default permission system of TYPO3 by allowing multiple groups per page. This is not standard core behaviour (where you can only assign one group to each page).

Could you please check if you have an extension that does this installed so that we could get in touch with the author to work on a compatible 4.5 variant for it? Thanks!

Actions #4

Updated by Chris Bischoff about 13 years ago

I believe it would be "Backend ACL" (be_acl). They just released a new version (1.4.1), but the issue still exists.

Sorry that this is not actually a T3 Core issue. I really appreciate your help.

Actions #5

Updated by Ernesto Baschny about 13 years ago

Since be_acl is well known and used a lot around, I'll get in touch with Sebastian (its author) to see if we can have the form protection feature integrated. Attached to this issue is something that "might work", which adds the security token to the pertinent FORM on the XCLASSed file. Try to apply that patch to the be_acl/res/class.ux_sc_mod_web_perm_index.php file.

Thanks for your feedback and I'll close this issue for now, as it's not a core bug.

Actions #6

Updated by Gerrit Code Review over 12 years ago

  • Status changed from Closed to Under Review

Patch set 2 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/5383

Actions #7

Updated by Alexander Opitz almost 11 years ago

  • Status changed from Under Review to Closed
  • Target version deleted (0)

Opened by a Gerrit code review, with a false issue number. So closing this issue again.
