t3lib_BEfunc::blindUserNames might use wrong group list collection
The mentioned method used to blind usernames that are not in a set of defined groups uses a wrong group collection.
The check is performed on the be_users field "usergroup_cached_list", this is fine for the current logged in user, however for any other user this might lead to wrong results. The reason is, that "usergroup_cached_list" is written when a user is logged in (see t3lib_userAuthGroup::fetchGroupData()).
Thus, if the groups of a user have been modified, the "usergroup_cached_list" will stay unmodified until the next login of the accordant user.
#2 Updated by Alexander Opitz almost 5 years ago
- Status changed from Needs Feedback to Closed
No feedback within the last 90 days => closing this issue.
If you think that this is the wrong decision or experience this issue again, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.