Project

General

Profile

Actions

Task #25830

closed

Use $TYPO3_CONF_VARS['BE']['explicitADmode'] = 'explicitAllow' as default

Added by Patrick Rodacker over 13 years ago. Updated over 10 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
-
Target version:
Start date:
2011-04-07
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

I would like to suggest, to set the configuration setting

$TYPO3_CONF_VARS['BE']['explicitADmode']

to explicitAllow as default instead of explicitDeny due to security policies.

If an extension is installed extending the list the access should not be granted per default but should be denied as default instead.


Related issues 1 (0 open1 closed)

Has duplicate TYPO3 Core - Task #52478: [!!!] Change explicitADmode to explicitAllow by defaultRejected2013-10-02

Actions
Actions #1

Updated by Xavier Perseguers about 11 years ago

  • Tracker changed from Suggestion to Task
  • Project changed from 1687 to TYPO3 Core
  • Priority changed from Should have to Must have
Actions #2

Updated by Xavier Perseguers about 11 years ago

  • Target version set to 6.2.0
  • TYPO3 Version set to 6.2
Actions #3

Updated by Ernesto Baschny about 11 years ago

  • Status changed from New to Accepted

Would be cool if we finally set this new default, as it usually makes more sense.

To be able to change this default there need to be an Upgrade Wizard which guides the users from the old-school default to the new one:

1) old environment already was with explicitAllow => no change required, all is fine

2) old environment was configured with explicitDeny (on purpose) => keep "explicitDeny" in the new LocalConfiguration and nothing else

3) old environment was configured with explicitDeny (because it was the default) => change to "explicitAllow" and convert the user permissions to the new schema accordingly

I think the challenge is to "detect" 2 or 3, or maybe provide the user the choice in the Upgrade Wizard (with the risk of the user not understanding what he is about to choose...).

Actions #4

Updated by Markus Klein about 11 years ago

2) is impossible to detect, if done somewhere in AdditionalConfiguration.php
-> old environment has no config in LocalConf.php (hence now defaults to explicitAllow), but effective config says explictDeny => Things are modified somewhere else

3) is IMO not possible

Actions #5

Updated by Markus Klein about 11 years ago

The scenarios we can encounter:

LocalConfiguration value before upgrade Effective Value after upgrade Action to take
explicitAllow * do nothing
explicitDeny * do nothing
(no definition) explicitAllow Write explicitDeny to LocalConf
(no definition) explicitDeny Changed somewhere else, do nothing
Actions #6

Updated by Kay Strobach over 10 years ago

why not adding a question to the upgrade wizard and tell the user, that explicitDeny is not recommend and should be changed to explicitAllow, this way we can also tell the user, that the option will hopefully be deprecated and deleted lateron
There should be also a hint, that the integrator needs to upgrade the groups / permissions, if the setting is changed!

Actions #7

Updated by Kay Strobach over 10 years ago

imho it would be enough to define a new default and explizitly set the value of existing installations to whatever it is
This way it should be an easy patch ...

Actions #8

Updated by Markus Klein over 10 years ago

  • Status changed from Accepted to Needs Feedback

For new installations explicitAllow is the default now on 6.2!
(FactoryDefault)

Actions #9

Updated by Kay Strobach over 10 years ago

so it could be seen as fixed? right?

Actions #10

Updated by Markus Klein over 10 years ago

  • Status changed from Needs Feedback to Closed

IMO yes.

Closed as this has been fixed with the rewrite of the Install Tool.

Actions

Also available in: Atom PDF