Task #25830

Use $TYPO3_CONF_VARS['BE']['explicitADmode'] = 'explicitAllow' as default

Added by Patrick Rodacker almost 9 years ago. Updated over 5 years ago.

Must have
Target version:
Start date:
Due date:
% Done:


TYPO3 Version:
PHP Version:
Sprint Focus:


I would like to suggest, to set the configuration setting


to explicitAllow as default instead of explicitDeny due to security policies.

If an extension is installed extending the list the access should not be granted per default but should be denied as default instead.

Related issues

Duplicated by TYPO3 Core - Task #52478: [!!!] Change explicitADmode to explicitAllow by default Rejected 2013-10-02


#1 Updated by Xavier Perseguers over 6 years ago

  • Tracker changed from Suggestion to Task
  • Project changed from Install Tool Improvements 4.6 to TYPO3 Core
  • Priority changed from Should have to Must have

#2 Updated by Xavier Perseguers over 6 years ago

  • Target version set to 6.2.0
  • TYPO3 Version set to 6.2

#3 Updated by Ernesto Baschny over 6 years ago

  • Status changed from New to Accepted

Would be cool if we finally set this new default, as it usually makes more sense.

To be able to change this default there need to be an Upgrade Wizard which guides the users from the old-school default to the new one:

1) old environment already was with explicitAllow => no change required, all is fine

2) old environment was configured with explicitDeny (on purpose) => keep "explicitDeny" in the new LocalConfiguration and nothing else

3) old environment was configured with explicitDeny (because it was the default) => change to "explicitAllow" and convert the user permissions to the new schema accordingly

I think the challenge is to "detect" 2 or 3, or maybe provide the user the choice in the Upgrade Wizard (with the risk of the user not understanding what he is about to choose...).

#4 Updated by Markus Klein over 6 years ago

2) is impossible to detect, if done somewhere in AdditionalConfiguration.php
-> old environment has no config in LocalConf.php (hence now defaults to explicitAllow), but effective config says explictDeny => Things are modified somewhere else

3) is IMO not possible

#5 Updated by Markus Klein over 6 years ago

The scenarios we can encounter:

LocalConfiguration value before upgrade Effective Value after upgrade Action to take
explicitAllow * do nothing
explicitDeny * do nothing
(no definition) explicitAllow Write explicitDeny to LocalConf
(no definition) explicitDeny Changed somewhere else, do nothing

#6 Updated by Kay Strobach almost 6 years ago

why not adding a question to the upgrade wizard and tell the user, that explicitDeny is not recommend and should be changed to explicitAllow, this way we can also tell the user, that the option will hopefully be deprecated and deleted lateron
There should be also a hint, that the integrator needs to upgrade the groups / permissions, if the setting is changed!

#7 Updated by Kay Strobach over 5 years ago

imho it would be enough to define a new default and explizitly set the value of existing installations to whatever it is
This way it should be an easy patch ...

#8 Updated by Markus Klein over 5 years ago

  • Status changed from Accepted to Needs Feedback

For new installations explicitAllow is the default now on 6.2!

#9 Updated by Kay Strobach over 5 years ago

so it could be seen as fixed? right?

#10 Updated by Markus Klein over 5 years ago

  • Status changed from Needs Feedback to Closed

IMO yes.

Closed as this has been fixed with the rewrite of the Install Tool.

Also available in: Atom PDF