TYPO3 Core

I've debugged the issue a bit: In file /typo3/sysext/sys_action/Classes/ActionTask.php, method saveNewBackendUser() the arrays $vars and $data seem to be correct right before inserting the new record via TCE. Even a valid new ID is returned by substNEW withIDs, but for non-admin-users no record is inserted into the DB.

Adding some more debug-outputs into /typo3/sysext/core/Classes/DataHandling/DataHandler.php, method insertDB() shows that almost all required fields for the record are missing in $fieldArray though they have been set in $incomingFieldArray before. This leads to the conclusion that the behavior of fillInFieldArray() has been changed by the last 2 versions of Typo3 6.2.

DataHandler::start(), which is called by ActionTask::saveNewBackendUser(), sets $this->exclude_array in respect to the calling BE-user. saveNewBackendUser() sets the $tce->admin-flag afterwards. This does not have an effect on $this->exclude_array anymore. If non-admin-BE-users don't have write-access to the be_users-table all record-fields of table be_users are ignored by the TCE-DataHandler.

A possible patch in ActionTask::saveNewBackendUser() could be the following:

        // Save/update user by using TCEmain
        if (is_array($data)) {
            $tce = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\DataHandling\\DataHandler');
            $tce->stripslashes_values = 0;
            $tce->start($data, array(), $GLOBALS['BE_USER']);
            $tce->admin = 1;
            // *** Patch
            $tce->exclude_array = array(); //new!!
            // *** Patch
            $tce->process_datamap();
            $newUserId = (int)$tce->substNEWwithIDs['NEW'];

An alternative - and more general - approach would be to fix DataHandler::fillInFieldArray()

        foreach ($incomingFieldArray as $field => $fieldValue) {
            if (!in_array(($table . '-' . $field), $this->exclude_array) && !$this->data_disableFields[$table][$id][$field]
               // *** Patch
               || $this->admin
               // *** Patch
               ) {

As a workaround all exclude-fields of table be_users have to be allowed for any BE-user who is able to create new BE-users by a SysAction.

Jigal van Hemert suggested in NG typo3.dev the following patch of saveNewBackendUser():

$tce = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\DataHandling\\DataHandler');
$myBeUser =  $GLOBALS['BE_USER'];
$myBeUser->user['admin'] = 1;
$tce->stripslashes_values = 0;
$tce->start($data, array(), $myBeUser);
$tce->process_datamap();

The use of the (private) property $tce->admin is deprecated.

The BE-users initiating the sysaction must not have any rights on the DB-table be_users.

How do you remove these rights?

Please, could you try with 6.2.25?

I'll try it with the latest version, but it will take approx. 2 weeks until I can manage it.

Sorry, I forget to re-test this issue after my vacation.

No, I'm not able to reproduce this issue with 6.2.25 anymore. So we can close this issue. It seems that some unknown core-changes solved this issue in the meantime.