Use $TYPO3_CONF_VARS['BE']['explicitADmode'] = 'explicitAllow' as default
I would like to suggest, to set the configuration setting
to explicitAllow as default instead of explicitDeny due to security policies.
If an extension is installed extending the list the access should not be granted per default but should be denied as default instead.
#3 Updated by Ernesto Baschny over 4 years ago
- Status changed from New to Accepted
Would be cool if we finally set this new default, as it usually makes more sense.
To be able to change this default there need to be an Upgrade Wizard which guides the users from the old-school default to the new one:
1) old environment already was with explicitAllow => no change required, all is fine
2) old environment was configured with explicitDeny (on purpose) => keep "explicitDeny" in the new LocalConfiguration and nothing else
3) old environment was configured with explicitDeny (because it was the default) => change to "explicitAllow" and convert the user permissions to the new schema accordingly
I think the challenge is to "detect" 2 or 3, or maybe provide the user the choice in the Upgrade Wizard (with the risk of the user not understanding what he is about to choose...).
#4 Updated by Markus Klein over 4 years ago
2) is impossible to detect, if done somewhere in AdditionalConfiguration.php
-> old environment has no config in LocalConf.php (hence now defaults to explicitAllow), but effective config says explictDeny => Things are modified somewhere else
3) is IMO not possible
#5 Updated by Markus Klein over 4 years ago
The scenarios we can encounter:
|LocalConfiguration value before upgrade||Effective Value after upgrade||Action to take|
|(no definition)||explicitAllow||Write explicitDeny to LocalConf|
|(no definition)||explicitDeny||Changed somewhere else, do nothing|
#6 Updated by Kay Strobach about 4 years ago
why not adding a question to the upgrade wizard and tell the user, that explicitDeny is not recommend and should be changed to explicitAllow, this way we can also tell the user, that the option will hopefully be deprecated and deleted lateron
There should be also a hint, that the integrator needs to upgrade the groups / permissions, if the setting is changed!