Bug #60258
closedshowAccessRestrictedPages with shortcuts to restricted pages
100%
Description
In menus with activated showAccessRestrictedPages setting, links to shortcut-pages, which link to another restricted page, are generated wrong.
The result looks like: <a >Pagetitle</a>. The href attribute is missing.
This bug appears since an update from TYPO3 4.5 to 6.2.
Example TypoScript:
10 = HMENU 10 { special = directory special.value = 1 1 = TMENU 1.NO = 1 1.showAccessRestrictedPages = 4 }Example pagetree:
- [1] Home
- [2] Restricted shortcut page to [3]
- [3] Restricted page
- [4] page with felogin
Files
Updated by Markus Klein over 10 years ago
Hi Gernot,
we have to test this in all versions down to 4.5 to see where this was broken.
I suspect this to having been broken already earlier than 6.2.
Once we now the version, we can do a git bisect to find the actual breaking commit.
Can you do that?
Updated by Gernot Ploiner over 10 years ago
Hi Markus,
we have tested it in TYPO3 4.5, 4.6, 4.7, 6.1, 6.2.
It only works in 4.5. So the Bug exists since 4.6.
Updated by Markus Klein over 10 years ago
- Category set to Frontend
- TYPO3 Version changed from 6.2 to 4.6
- Is Regression changed from No to Yes
Thanks for testing this!
Huh, will be tough to find this out.
Updated by Helmut Hummel over 10 years ago
Markus Klein wrote:
Thanks for testing this!
Huh, will be tough to find this out.
I bet this happend with the change to redirect behavior of shortcuts
Updated by Gerrit Code Review about 10 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501
Updated by Gerrit Code Review about 10 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33502
Updated by Markus Klein about 10 years ago
- Complexity set to hard
It was a tough debugging night. I hope this fulfills your needs. ;-)
Updated by Helmut Hummel about 10 years ago
Helmut Hummel wrote:
I bet this happend with the change to redirect behavior of shortcuts
close enough ;)
5001d132ac45bb85ebce1062426f8d08c20d46e1 is the first bad commit commit 5001d132ac45bb85ebce1062426f8d08c20d46e1 Author: Thorben Kapp <thorben@work.de> Date: Tue Jul 19 13:23:31 2011 +0200 [FEATURE] Link Shortcut pages directly to target Menu items of type shortcut link to the target directly now, even without realurl. Change-Id: I444d9eddf4c98c9a8712627bbc5bd24a4c6aebc8 Related: #17037 Releases: 4.6 Reviewed-on: http://review.typo3.org/3413 Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe Reviewed-by: Steffen Gebert Tested-by: Steffen Gebert
Updated by Gerrit Code Review about 10 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501
Updated by Helmut Hummel about 10 years ago
Gerrit Code Review wrote:
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501
@Gernot Krause: can you please check the new change set and vote accordingly (again)? Thanks!
Updated by Markus Klein about 10 years ago
Patch set 2 fails. The link "Restricted shortcut page to [3]" points to id 3, but should point to page 4.
Updated by Helmut Hummel about 10 years ago
Hey Markus
Markus Klein wrote:
Patch set 2 fails. The link "Restricted shortcut page to [3]" points to id 3, but should point to page 4.
Here is my tree:
- [330] root
- [331] shortcut (points to 332)
- [332] restricted
- [333] login (unrestricted)
Here is my TS:
page.1 = HMENU page.1 { special = directory special.value = 330 1 = TMENU 1.NO = 1 1.showAccessRestrictedPages = 333 1.showAccessRestrictedPages.addParams = &return_url=###RETURN_URL###&pageId=###PAGE_ID### }
Generated HTML (with my patch)
<a href="/index.php?id=333&return_url=%2Findex.php%3Fid%3D332&pageId=331">shortcut</a> <a href="/index.php?id=333&return_url=&pageId=332">restricted</a> <a href="/index.php?id=333">login</a>
Generated HTML (with your patch)
<a href="/index.php?id=333&return_url=%2Findex.php%3Fid%3D332&pageId=332">shortcut</a> <a href="/index.php?id=333&return_url=&pageId=332">restricted</a> <a href="/index.php?id=333">login</a>
I only spot one difference and that is that ###PAGE_ID### is replaced with the id of the actual page linked to in my patch while with your additional change it points to the resolved ID. I would argue that my result is the expected one.
The actual links (without the additional arguments) are exactly the same and point to the expected page.
So what is your setup and what are your expected results?
Updated by Markus Klein about 10 years ago
Hi!
I retested everything now and discovered strange things.- I get different results with your patch than you do
- Both patches generate a wrong link for the restricted page in general: The redirect_url is empty
- [1] root
- [5] Normalpage
- [55] LinkToNormalpage
- [52] Login
- [53] LinkToRestricted
- [6] Restricted (restricted to any group)
TS is the same as yours with uid exchanged: 330 = 1, 333 = 52
Current master delivers:
<a href="index.php?id=5">Normalpage</a>
<a href="index.php?id=5">LinkToNormalPage</a>
<a href="index.php?id=52">Login</a>
<a >LinkToRestricted</a>
<a href="index.php?id=52&return_url=&pageId=6">Restricted</a>
Your patch delivers:
<a href="index.php?id=5">Normalpage</a>
<a href="index.php?id=5">LinkToNormalPage</a>
<a href="index.php?id=52">Login</a>
<a href="index.php?id=6">LinkToRestricted</a>
<a href="index.php?id=52&return_url=&pageId=6">Restricted</a>
My patch delivers:
<a href="index.php?id=5">Normalpage</a>
<a href="index.php?id=5">LinkToNormalPage</a>
<a href="index.php?id=52">Login</a>
<a href="index.php?id=52&return_url=index.php%3Fid%3D6&pageId=6">LinkToRestricted</a>
<a href="index.php?id=52&return_url=&pageId=6">Restricted</a>
Your patch does not generate the redirect feature at all.
The pageId parameter must be 6 in all cases, since the documentation says that it may be used to evaluate the required fe_groups restriction for that page. That does not work with your patch, because it points to the shortcut, which has no restrictions.
Updated by Markus Klein about 10 years ago
As it turned out, Helmut had also a restriction on the shortcut itself.
This raises the question: What is the expected outcome actually, if a shortcut is restricted to group1 and "restricted" is restricted to group2?
IMO the restriction on shortcuts has to be ignored completely. For menu and for FormEngine (hide the access fields for shortcuts).
Updated by Gerrit Code Review about 10 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501
Updated by Gerrit Code Review about 10 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501
Updated by Gerrit Code Review about 10 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501
Updated by Gerrit Code Review about 10 years ago
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33726
Updated by Anonymous about 10 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 1fc8ffbf9994f8bf1f797625ce10ea3daa3c6917.
Updated by Gernot Ploiner about 10 years ago
Thank you Markus for your check yesterday in Linz.
There are some problems at the moment with the actual patch:
- As discovered yesterday by you, shortcuts to the first subpage don't work (A-Tag is empty again). Only if we change to a shortcut to a choosen page, it works fine.
- Yesterday we removed the access-restriction of the shortcut-page. So the restriction exists only on the target page. Now there is another problem: In the TypoScript HMENU the USR section is not working. So on the frontend the access-icon disappears. Conclusion: The Shortcut-page itself should also get restricted or the USR of the HMENU must be adapted.
- Behaviour change: Access-resticted pages with a shortcut to the first subpage (which is not restricted - evtl. a wrong setting from the editor?) are now clickable and without login visible. The editor can easy fix this, in activating the checkbox "extendToSubpages". But he was wondering about this today.
Updated by Markus Klein about 10 years ago
Hi Gernot!
Thanks for summing up our findings here.
ad 1: This has to be fixed => new ticket
ad 2 and 3: It does not make sense to define access restrictions on a shortcut. Whatever page is linked there a website visitor is always able to circumvent the restriction by accessing the linked page directly. So for 2.) I'd say the HMENU needs adaption to correctly reflect the state of the target page. 3.) is not "fixable" but a wrong approach to protect a page.
We have to rethink whether group access should be visible for shortcuts at all. Generally I'd say NO, but if you want to use the "extendToSubpages" feature, these fields need to be visible. All in all I would say that the editor need some minimal education on how this protection stuff works, especially that a restriction on a shortcut is totally useless.
Updated by Gerrit Code Review almost 3 years ago
- Status changed from Closed to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796
Updated by Gerrit Code Review almost 3 years ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796
Updated by Gerrit Code Review almost 3 years ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796
Updated by Gerrit Code Review almost 3 years ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796
Updated by Gerrit Code Review almost 3 years ago
Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796
Updated by Gerrit Code Review almost 3 years ago
Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796
Updated by Benni Mack almost 3 years ago
- Related to Bug #96078: Shortcut Info-Message incorrect when page refers to frontend-restricted page added
Updated by Gerrit Code Review almost 3 years ago
Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72785
Updated by Benni Mack almost 3 years ago
- Status changed from Under Review to Resolved
Applied in changeset 82d33fc20b359cec5661442691c61a5553cd8b30.
Updated by Benni Mack almost 3 years ago
- Related to Bug #95815: page type "shortcut" does not work in rightrestricted structure added