Bug #60258
closed
showAccessRestrictedPages with shortcuts to restricted pages
100%
Description
In menus with activated showAccessRestrictedPages setting, links to shortcut-pages, which link to another restricted page, are generated wrong.
The result looks like: <a >Pagetitle</a>. The href attribute is missing.
This bug appears since an update from TYPO3 4.5 to 6.2.
Example TypoScript:
10 = HMENU
10 {
special = directory
special.value = 1
1 = TMENU
1.NO = 1
1.showAccessRestrictedPages = 4
}
Example pagetree:
- [1] Home
- [2] Restricted shortcut page to [3]
- [3] Restricted page
- [4] page with felogin
Files
Updated by Markus Klein almost 10 years ago
Hi Gernot,
we have to test this in all versions down to 4.5 to see where this was broken.
I suspect this to having been broken already earlier than 6.2.
Once we now the version, we can do a git bisect to find the actual breaking commit.
Can you do that?
Updated by Gernot Ploiner almost 10 years ago
Hi Markus,
we have tested it in TYPO3 4.5, 4.6, 4.7, 6.1, 6.2.
It only works in 4.5. So the Bug exists since 4.6.
Updated by Markus Klein almost 10 years ago
- Category set to Frontend
- TYPO3 Version changed from 6.2 to 4.6
- Is Regression changed from No to Yes
Thanks for testing this!
Huh, will be tough to find this out.
Updated by Helmut Hummel over 9 years ago
Markus Klein wrote:
Thanks for testing this!
Huh, will be tough to find this out.
I bet this happend with the change to redirect behavior of shortcuts
Updated by Gerrit Code Review over 9 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501
Updated by Gerrit Code Review over 9 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33502
Updated by Markus Klein over 9 years ago
- Complexity set to hard
It was a tough debugging night. I hope this fulfills your needs. ;-)
Updated by Helmut Hummel over 9 years ago
Helmut Hummel wrote:
I bet this happend with the change to redirect behavior of shortcuts
close enough ;)
5001d132ac45bb85ebce1062426f8d08c20d46e1 is the first bad commit
commit 5001d132ac45bb85ebce1062426f8d08c20d46e1
Author: Thorben Kapp <thorben@work.de>
Date: Tue Jul 19 13:23:31 2011 +0200
[FEATURE] Link Shortcut pages directly to target
Menu items of type shortcut link to the target directly now,
even without realurl.
Change-Id: I444d9eddf4c98c9a8712627bbc5bd24a4c6aebc8
Related: #17037
Releases: 4.6
Reviewed-on: http://review.typo3.org/3413
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Steffen Gebert
Tested-by: Steffen Gebert
Updated by Gerrit Code Review over 9 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501
Updated by Helmut Hummel over 9 years ago
Gerrit Code Review wrote:
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501
@Gernot Krause: can you please check the new change set and vote accordingly (again)? Thanks!
Updated by Markus Klein over 9 years ago
Patch set 2 fails. The link "Restricted shortcut page to [3]" points to id 3, but should point to page 4.
Updated by Helmut Hummel over 9 years ago
Hey Markus
Markus Klein wrote:
Patch set 2 fails. The link "Restricted shortcut page to [3]" points to id 3, but should point to page 4.
Here is my tree:
- [330] root
- [331] shortcut (points to 332)
- [332] restricted
- [333] login (unrestricted)
Here is my TS:
page.1 = HMENU
page.1 {
special = directory
special.value = 330
1 = TMENU
1.NO = 1
1.showAccessRestrictedPages = 333
1.showAccessRestrictedPages.addParams = &return_url=###RETURN_URL###&pageId=###PAGE_ID###
}
Generated HTML (with my patch)
<a href="/index.php?id=333&return_url=%2Findex.php%3Fid%3D332&pageId=331">shortcut</a> <a href="/index.php?id=333&return_url=&pageId=332">restricted</a> <a href="/index.php?id=333">login</a>
Generated HTML (with your patch)
<a href="/index.php?id=333&return_url=%2Findex.php%3Fid%3D332&pageId=332">shortcut</a> <a href="/index.php?id=333&return_url=&pageId=332">restricted</a> <a href="/index.php?id=333">login</a>
I only spot one difference and that is that ###PAGE_ID### is replaced with the id of the actual page linked to in my patch while with your additional change it points to the resolved ID. I would argue that my result is the expected one.
The actual links (without the additional arguments) are exactly the same and point to the expected page.
So what is your setup and what are your expected results?
Updated by Markus Klein over 9 years ago
Hi!
I retested everything now and discovered strange things.- I get different results with your patch than you do
- Both patches generate a wrong link for the restricted page in general: The redirect_url is empty
- [1] root
- [5] Normalpage
- [55] LinkToNormalpage
- [52] Login
- [53] LinkToRestricted
- [6] Restricted (restricted to any group)
TS is the same as yours with uid exchanged: 330 = 1, 333 = 52
Current master delivers:
<a href="index.php?id=5">Normalpage</a>
<a href="index.php?id=5">LinkToNormalPage</a>
<a href="index.php?id=52">Login</a>
<a >LinkToRestricted</a>
<a href="index.php?id=52&return_url=&pageId=6">Restricted</a>
Your patch delivers:
<a href="index.php?id=5">Normalpage</a>
<a href="index.php?id=5">LinkToNormalPage</a>
<a href="index.php?id=52">Login</a>
<a href="index.php?id=6">LinkToRestricted</a>
<a href="index.php?id=52&return_url=&pageId=6">Restricted</a>
My patch delivers:
<a href="index.php?id=5">Normalpage</a>
<a href="index.php?id=5">LinkToNormalPage</a>
<a href="index.php?id=52">Login</a>
<a href="index.php?id=52&return_url=index.php%3Fid%3D6&pageId=6">LinkToRestricted</a>
<a href="index.php?id=52&return_url=&pageId=6">Restricted</a>
Your patch does not generate the redirect feature at all.
The pageId parameter must be 6 in all cases, since the documentation says that it may be used to evaluate the required fe_groups restriction for that page. That does not work with your patch, because it points to the shortcut, which has no restrictions.
Updated by Markus Klein over 9 years ago
As it turned out, Helmut had also a restriction on the shortcut itself.
This raises the question: What is the expected outcome actually, if a shortcut is restricted to group1 and "restricted" is restricted to group2?
IMO the restriction on shortcuts has to be ignored completely. For menu and for FormEngine (hide the access fields for shortcuts).
Updated by Gerrit Code Review over 9 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501
Updated by Gerrit Code Review over 9 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501
Updated by Gerrit Code Review over 9 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501
Updated by Gerrit Code Review over 9 years ago
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33726
Updated by Anonymous over 9 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 1fc8ffbf9994f8bf1f797625ce10ea3daa3c6917.
Updated by Gernot Ploiner over 9 years ago
Thank you Markus for your check yesterday in Linz.
There are some problems at the moment with the actual patch:
- As discovered yesterday by you, shortcuts to the first subpage don't work (A-Tag is empty again). Only if we change to a shortcut to a choosen page, it works fine.
- Yesterday we removed the access-restriction of the shortcut-page. So the restriction exists only on the target page. Now there is another problem: In the TypoScript HMENU the USR section is not working. So on the frontend the access-icon disappears. Conclusion: The Shortcut-page itself should also get restricted or the USR of the HMENU must be adapted.
- Behaviour change: Access-resticted pages with a shortcut to the first subpage (which is not restricted - evtl. a wrong setting from the editor?) are now clickable and without login visible. The editor can easy fix this, in activating the checkbox "extendToSubpages". But he was wondering about this today.
Updated by Markus Klein over 9 years ago
Hi Gernot!
Thanks for summing up our findings here.
ad 1: This has to be fixed => new ticket
ad 2 and 3: It does not make sense to define access restrictions on a shortcut. Whatever page is linked there a website visitor is always able to circumvent the restriction by accessing the linked page directly. So for 2.) I'd say the HMENU needs adaption to correctly reflect the state of the target page. 3.) is not "fixable" but a wrong approach to protect a page.
We have to rethink whether group access should be visible for shortcuts at all. Generally I'd say NO, but if you want to use the "extendToSubpages" feature, these fields need to be visible. All in all I would say that the editor need some minimal education on how this protection stuff works, especially that a restriction on a shortcut is totally useless.
Updated by Gerrit Code Review over 2 years ago
- Status changed from Closed to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796
Updated by Gerrit Code Review over 2 years ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796
Updated by Gerrit Code Review over 2 years ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796
Updated by Gerrit Code Review over 2 years ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796
Updated by Gerrit Code Review over 2 years ago
Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796
Updated by Gerrit Code Review over 2 years ago
Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796
Updated by Benni Mack over 2 years ago
- Related to Bug #96078: Shortcut Info-Message incorrect when page refers to frontend-restricted page added
Updated by Gerrit Code Review over 2 years ago
Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72785
Updated by Benni Mack over 2 years ago
- Status changed from Under Review to Resolved
Applied in changeset 82d33fc20b359cec5661442691c61a5553cd8b30.
Updated by Benni Mack over 2 years ago
- Related to Bug #95815: page type "shortcut" does not work in rightrestricted structure added