Bug #72391

closed

SysAction for creating new BE-Users inserts empty records

Added by Jan Bartels over 8 years ago. Updated almost 8 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version: -
Start date: 2015-12-22
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 6.2
PHP Version:
Tags:
Complexity:
Is Regression: Yes
Sprint Focus:

Description

Non-Admin-Users are not able to create new BE-Users anymore.

Since TYPO3 6.2.16 the SysAction for creating new BE-Users inserts empty records in the DB. The fields for username, be_groups and db-mounts etc. are empty while cruser and crdate are filled.

Actions #1

Updated by Jan Bartels over 8 years ago

I've debugged the issue a bit: In file /typo3/sysext/sys_action/Classes/ActionTask.php, method saveNewBackendUser(), the arrays $vars and $data seem to be correct right before inserting the new record via TCE. Even a valid new ID is returned by substNEWwithIDs, but for non-admin-users no record is inserted into the DB.

Adding some more debug-outputs into /typo3/sysext/core/Classes/DataHandling/DataHandler.php, method insertDB(), shows that almost all required fields for the record are missing in $fieldArray though they have been set in $incomingFieldArray before. This leads to the conclusion that the behavior of fillInFieldArray() has been changed by the last 2 versions of TYPO3 6.2.

DataHandler::start(), which is called by ActionTask::saveNewBackendUser(), sets $this->exclude_array with respect to the calling BE-user. saveNewBackendUser() sets the $tce->admin-flag afterwards. This does not have an effect on $this->exclude_array anymore. If non-admin-BE-users don't have write-access to the be_users-table, all record-fields of table be_users are ignored by the TCE-DataHandler.

A possible patch in ActionTask::saveNewBackendUser() could be the following:

        // Save/update user by using TCEmain
        if (is_array($data)) {
            $tce = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\DataHandling\\DataHandler');
            $tce->stripslashes_values = 0;
            $tce->start($data, array(), $GLOBALS['BE_USER']);
            $tce->admin = 1;
            // *** Patch
            $tce->exclude_array = array(); //new!!
            // *** Patch
            $tce->process_datamap();
            $newUserId = (int)$tce->substNEWwithIDs['NEW'];

An alternative - and more general - approach would be to fix DataHandler::fillInFieldArray()

        foreach ($incomingFieldArray as $field => $fieldValue) {
            if (!in_array(($table . '-' . $field), $this->exclude_array) && !$this->data_disableFields[$table][$id][$field]
               // *** Patch
               || $this->admin
               // *** Patch
               ) {

As a workaround all exclude-fields of table be_users have to be allowed for any BE-user who is able to create new BE-users by a SysAction.

Actions #2

Updated by Jan Bartels over 8 years ago

Jigal van Hemert suggested in NG typo3.dev the following patch of saveNewBackendUser():

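$tce = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\DataHandling\\DataHandler');
// Clone the user object: a plain assignment would alias $GLOBALS['BE_USER'],
// so setting the admin flag would elevate the live session user as well.
$myBeUser = clone $GLOBALS['BE_USER'];
$myBeUser->user['admin'] = 1;
$tce->stripslashes_values = 0;
// start() now computes the exclude fields for an admin user
$tce->start($data, array(), $myBeUser);
$tce->process_datamap();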

The use of the (private) property $tce->admin is deprecated.
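
A simplified model of the behaviour described in the two comments above, added here as an illustration; it is not TYPO3 core code and not part of the original comments. MiniUser, MiniDataHandler and the sample field values are hypothetical stand-ins that only mimic the order of `start()`, the admin flag and the field filter.

```php
<?php
// Simplified model, not TYPO3 core code; MiniUser and MiniDataHandler are hypothetical.
class MiniUser {
    public $user;
    public function __construct(array $row) { $this->user = $row; }
    public function isAdmin() { return !empty($this->user['admin']); }
}

class MiniDataHandler {
    public $admin = 0;
    public $exclude_array = array();
    // Constructed sample: be_users exclude fields the non-admin has no access to.
    private $excludeFields = array('be_users-username', 'be_users-usergroup', 'be_users-db_mountpoints');

    public function start(MiniUser $user) {
        $this->admin = $user->isAdmin() ? 1 : 0;
        // The exclude list is computed once, here, from the user passed in.
        $this->exclude_array = $this->admin ? array() : $this->excludeFields;
    }

    public function fillInFieldArray($table, array $incoming) {
        $fieldArray = array('cruser_id' => 1, 'crdate' => time()); // always filled
        foreach ($incoming as $field => $value) {
            if (!in_array($table . '-' . $field, $this->exclude_array)) {
                $fieldArray[$field] = $value;
            }
        }
        return $fieldArray;
    }
}

$incoming = array('username' => 'editor2', 'usergroup' => '3', 'db_mountpoints' => '12');
$editor = new MiniUser(array('uid' => 7, 'admin' => 0)); // constructed non-admin user

// 1) Flag set after start(): exclude_array is already fixed, so the fields are dropped.
$tce = new MiniDataHandler();
$tce->start($editor);
$tce->admin = 1;
var_dump(array_keys($tce->fillInFieldArray('be_users', $incoming)));

// 2) Admin flag set on a clone before start(): the fields survive the filter,
//    and the original user object keeps its non-admin state.
$elevated = clone $editor;
$elevated->user['admin'] = 1;
$tce = new MiniDataHandler();
$tce->start($elevated);
var_dump(array_keys($tce->fillInFieldArray('be_users', $incoming)));
var_dump($editor->isAdmin());
```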

Actions #3

Updated by Riccardo De Contardi almost 8 years ago

  • Status changed from New to Needs Feedback

I am not able to reproduce with 6.2.25 or the latest master (where, moreover, you can no longer select the DB mount). Can you confirm? Thank you!

Actions #4

Updated by Jan Bartels almost 8 years ago

The BE-users initiating the sysaction must not have any rights on the DB-table be_users.

Actions #5

Updated by Riccardo De Contardi almost 8 years ago

How do you remove these rights?

Please, could you try with 6.2.25?

Actions #6

Updated by Jan Bartels almost 8 years ago

I'll try it with the latest version, but it will take approx. 2 weeks until I can manage it.

Actions #7

Updated by Riccardo De Contardi almost 8 years ago

  • Category set to Backend User Interface
  • Target version deleted (6.2.18)

Hi Jan. Any news? Thank you for your feedback!

Actions #8

Updated by Jan Bartels almost 8 years ago

Sorry, I forgot to re-test this issue after my vacation.

No, I'm not able to reproduce this issue with 6.2.25 anymore. So we can close this issue. It seems that some unknown core-changes solved this issue in the meantime.

Actions #9

Updated by Jigal van Hemert almost 8 years ago

  • Status changed from Needs Feedback to Closed

Closed as requested by the reporter.
