Project

General

Profile

Actions

Bug #60258

closed

showAccessRestrictedPages with shortcuts to restricted pages

Added by Gernot Ploiner over 10 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Frontend
Target version:
Start date:
2014-07-11
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
4.6
PHP Version:
Tags:
Complexity:
hard
Is Regression:
Yes
Sprint Focus:

Description

In menus with activated showAccessRestrictedPages setting, links to shortcut-pages, which link to another restricted page, are generated wrong.
The result looks like: <a >Pagetitle</a>. The href attribute is missing.
This bug appears since an update from TYPO3 4.5 to 6.2.

Example TypoScript:

10 = HMENU
10 {
    special = directory
    special.value = 1
    1 = TMENU
    1.NO = 1
    1.showAccessRestrictedPages = 4
}

Example pagetree:
  • [1] Home
    • [2] Restricted shortcut page to [3]
    • [3] Restricted page
    • [4] page with felogin

Files

Tree.png (13.8 KB) Tree.png Helmut Hummel, 2014-10-31 11:09

Related issues 4 (0 open4 closed)

Related to TYPO3 Core - Bug #60382: Shortcut is displayed like a regular page if isn't a shortcut in the original languageRejected2014-07-18

Actions
Related to TYPO3 Core - Bug #65118: showAccessRestrictedPages with shortcuts to restricted pages #2Closed2015-02-17

Actions
Related to TYPO3 Core - Bug #96078: Shortcut Info-Message incorrect when page refers to frontend-restricted pageClosed2021-11-25

Actions
Related to TYPO3 Core - Bug #95815: page type "shortcut" does not work in rightrestricted structureClosed2021-10-29

Actions
Actions #1

Updated by Markus Klein over 10 years ago

Hi Gernot,

we have to test this in all versions down to 4.5 to see where this was broken.
I suspect this to having been broken already earlier than 6.2.
Once we now the version, we can do a git bisect to find the actual breaking commit.

Can you do that?

Actions #2

Updated by Gernot Ploiner over 10 years ago

Hi Markus,
we have tested it in TYPO3 4.5, 4.6, 4.7, 6.1, 6.2.
It only works in 4.5. So the Bug exists since 4.6.

Actions #3

Updated by Markus Klein over 10 years ago

  • Category set to Frontend
  • TYPO3 Version changed from 6.2 to 4.6
  • Is Regression changed from No to Yes

Thanks for testing this!
Huh, will be tough to find this out.

Actions #4

Updated by Helmut Hummel over 10 years ago

Markus Klein wrote:

Thanks for testing this!
Huh, will be tough to find this out.

I bet this happend with the change to redirect behavior of shortcuts

Actions #5

Updated by Gerrit Code Review about 10 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501

Actions #6

Updated by Gerrit Code Review about 10 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33502

Actions #7

Updated by Markus Klein about 10 years ago

  • Complexity set to hard

It was a tough debugging night. I hope this fulfills your needs. ;-)

Actions #8

Updated by Helmut Hummel about 10 years ago

Helmut Hummel wrote:

I bet this happend with the change to redirect behavior of shortcuts

close enough ;)


5001d132ac45bb85ebce1062426f8d08c20d46e1 is the first bad commit
commit 5001d132ac45bb85ebce1062426f8d08c20d46e1
Author: Thorben Kapp <thorben@work.de>
Date:   Tue Jul 19 13:23:31 2011 +0200

    [FEATURE] Link Shortcut pages directly to target

    Menu items of type shortcut link to the target directly now,
    even without realurl.

    Change-Id: I444d9eddf4c98c9a8712627bbc5bd24a4c6aebc8
    Related: #17037
    Releases: 4.6
    Reviewed-on: http://review.typo3.org/3413
    Reviewed-by: Philipp Gampe
    Tested-by: Philipp Gampe
    Reviewed-by: Steffen Gebert
    Tested-by: Steffen Gebert

Actions #9

Updated by Gerrit Code Review about 10 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501

Actions #10

Updated by Helmut Hummel about 10 years ago

Gerrit Code Review wrote:

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501

@Gernot Krause: can you please check the new change set and vote accordingly (again)? Thanks!

Actions #11

Updated by Markus Klein about 10 years ago

Patch set 2 fails. The link "Restricted shortcut page to [3]" points to id 3, but should point to page 4.

Actions #12

Updated by Helmut Hummel about 10 years ago

Hey Markus

Markus Klein wrote:

Patch set 2 fails. The link "Restricted shortcut page to [3]" points to id 3, but should point to page 4.

Here is my tree:

  • [330] root
    • [331] shortcut (points to 332)
    • [332] restricted
    • [333] login (unrestricted)

Here is my TS:


page.1 = HMENU
page.1 {
    special = directory
    special.value = 330
    1 = TMENU
    1.NO = 1
    1.showAccessRestrictedPages = 333
    1.showAccessRestrictedPages.addParams = &return_url=###RETURN_URL###&pageId=###PAGE_ID###
}

Generated HTML (with my patch)

<a href="/index.php?id=333&amp;return_url=%2Findex.php%3Fid%3D332&amp;pageId=331">shortcut</a>
<a href="/index.php?id=333&amp;return_url=&amp;pageId=332">restricted</a>
<a href="/index.php?id=333">login</a>

Generated HTML (with your patch)

<a href="/index.php?id=333&amp;return_url=%2Findex.php%3Fid%3D332&amp;pageId=332">shortcut</a>
<a href="/index.php?id=333&amp;return_url=&amp;pageId=332">restricted</a>
<a href="/index.php?id=333">login</a>

I only spot one difference and that is that ###PAGE_ID### is replaced with the id of the actual page linked to in my patch while with your additional change it points to the resolved ID. I would argue that my result is the expected one.

The actual links (without the additional arguments) are exactly the same and point to the expected page.

So what is your setup and what are your expected results?

Actions #13

Updated by Markus Klein about 10 years ago

Hi!

I retested everything now and discovered strange things.
  1. I get different results with your patch than you do
  2. Both patches generate a wrong link for the restricted page in general: The redirect_url is empty
My page structure:
  • [1] root
    • [5] Normalpage
    • [55] LinkToNormalpage
    • [52] Login
    • [53] LinkToRestricted
    • [6] Restricted (restricted to any group)

TS is the same as yours with uid exchanged: 330 = 1, 333 = 52

Current master delivers:

<a href="index.php?id=5">Normalpage</a>
<a href="index.php?id=5">LinkToNormalPage</a>
<a href="index.php?id=52">Login</a>
<a >LinkToRestricted</a>
<a href="index.php?id=52&amp;return_url=&amp;pageId=6">Restricted</a>

Your patch delivers:

<a href="index.php?id=5">Normalpage</a>
<a href="index.php?id=5">LinkToNormalPage</a>
<a href="index.php?id=52">Login</a>
<a href="index.php?id=6">LinkToRestricted</a>
<a href="index.php?id=52&amp;return_url=&amp;pageId=6">Restricted</a>

My patch delivers:

<a href="index.php?id=5">Normalpage</a>
<a href="index.php?id=5">LinkToNormalPage</a>
<a href="index.php?id=52">Login</a>
<a href="index.php?id=52&amp;return_url=index.php%3Fid%3D6&amp;pageId=6">LinkToRestricted</a>
<a href="index.php?id=52&amp;return_url=&amp;pageId=6">Restricted</a>

Your patch does not generate the redirect feature at all.
The pageId parameter must be 6 in all cases, since the documentation says that it may be used to evaluate the required fe_groups restriction for that page. That does not work with your patch, because it points to the shortcut, which has no restrictions.

Actions #14

Updated by Markus Klein about 10 years ago

As it turned out, Helmut had also a restriction on the shortcut itself.

This raises the question: What is the expected outcome actually, if a shortcut is restricted to group1 and "restricted" is restricted to group2?

IMO the restriction on shortcuts has to be ignored completely. For menu and for FormEngine (hide the access fields for shortcuts).

Actions #15

Updated by Gerrit Code Review about 10 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501

Actions #16

Updated by Gerrit Code Review about 10 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501

Actions #17

Updated by Gerrit Code Review about 10 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33501

Actions #18

Updated by Gerrit Code Review about 10 years ago

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33726

Actions #19

Updated by Anonymous about 10 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #20

Updated by Gernot Ploiner about 10 years ago

Thank you Markus for your check yesterday in Linz.

There are some problems at the moment with the actual patch:
- As discovered yesterday by you, shortcuts to the first subpage don't work (A-Tag is empty again). Only if we change to a shortcut to a choosen page, it works fine.
- Yesterday we removed the access-restriction of the shortcut-page. So the restriction exists only on the target page. Now there is another problem: In the TypoScript HMENU the USR section is not working. So on the frontend the access-icon disappears. Conclusion: The Shortcut-page itself should also get restricted or the USR of the HMENU must be adapted.
- Behaviour change: Access-resticted pages with a shortcut to the first subpage (which is not restricted - evtl. a wrong setting from the editor?) are now clickable and without login visible. The editor can easy fix this, in activating the checkbox "extendToSubpages". But he was wondering about this today.

Actions #21

Updated by Markus Klein about 10 years ago

Hi Gernot!

Thanks for summing up our findings here.

ad 1: This has to be fixed => new ticket

ad 2 and 3: It does not make sense to define access restrictions on a shortcut. Whatever page is linked there a website visitor is always able to circumvent the restriction by accessing the linked page directly. So for 2.) I'd say the HMENU needs adaption to correctly reflect the state of the target page. 3.) is not "fixable" but a wrong approach to protect a page.

We have to rethink whether group access should be visible for shortcuts at all. Generally I'd say NO, but if you want to use the "extendToSubpages" feature, these fields need to be visible. All in all I would say that the editor need some minimal education on how this protection stuff works, especially that a restriction on a shortcut is totally useless.

Actions #22

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions #23

Updated by Gerrit Code Review almost 3 years ago

  • Status changed from Closed to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796

Actions #24

Updated by Gerrit Code Review almost 3 years ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796

Actions #25

Updated by Gerrit Code Review almost 3 years ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796

Actions #26

Updated by Gerrit Code Review almost 3 years ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796

Actions #27

Updated by Gerrit Code Review almost 3 years ago

Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796

Actions #28

Updated by Gerrit Code Review almost 3 years ago

Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72796

Actions #29

Updated by Benni Mack almost 3 years ago

  • Related to Bug #96078: Shortcut Info-Message incorrect when page refers to frontend-restricted page added
Actions #30

Updated by Gerrit Code Review almost 3 years ago

Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72785

Actions #31

Updated by Benni Mack almost 3 years ago

  • Status changed from Under Review to Resolved
Actions #32

Updated by Benni Mack almost 3 years ago

  • Related to Bug #95815: page type "shortcut" does not work in rightrestricted structure added
Actions #33

Updated by Benni Mack about 2 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF