Epic #81948

Introduce system maintainers

Added by Oliver Hader almost 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: Should have
Category: Install Tool
Start date: 2017-07-24
% Done: 0%

Description

The bigger picture of this epic has been described in more detail on https://decisions.typo3.org/t/typo3-system-management-the-big-picture/252

TL;DR: Separate current install tool into "system recovery" and "system management", replace current install tool password by system maintainers (backend users with extended permissions)

Existing backend users can be assigned the role (just the meaning; generic roles are not implemented in this epic) of being a "system maintainer". Backend users (and system maintainers) can be created and assigned in a separate "system recovery" module (which is also not part of this epic). In the long run, the install tool password will vanish and be replaced with the new "system maintainer" role - for the time in between, until "system recovery" is ready, both authentication mechanisms are supported (install tool password and system maintainer username/password). Defining security aspects like saltedpasswords, rsaauth, openid, ... is also a target of system recovery - thus, system maintenance can rely on these settings being defined and working.

System maintainers are assigned by a static list of usernames or uids in a new TYPO3_CONF_VARS property. Using a new property like e.g. be_users.is_maintainer would have to be kept in sync with external authentication data providers (like LDAP) and would also be the first target of possible security vulnerabilities concerning SQL injection. Besides that, using usernames in that list eases deployment on different environments, where the uid values might differ but the usernames are the same.
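The following is an added illustration, not code from this epic or from TYPO3 itself, of how such a static list could be evaluated against a be_users row. The property name `SYS/systemMaintainers`, the function name and the sample rows are assumptions; the epic only says the list lives in TYPO3_CONF_VARS and may hold usernames or uids. The last case shows the concern from comment #1: a username entry follows the name, a uid entry follows the account.

```php
<?php
declare(strict_types=1);

// Decide whether a backend user record is a "system maintainer" according to
// a static list in TYPO3_CONF_VARS (key name assumed, not from the epic).
// Integer-like entries are matched against be_users.uid, string entries
// against be_users.username.
function isSystemMaintainer(array $user, array $configured): bool
{
    foreach ($configured as $entry) {
        if (is_int($entry) || ctype_digit((string)$entry)) {
            if ((int)$user['uid'] === (int)$entry) {
                return true;
            }
        } elseif (is_string($entry) && $user['username'] === $entry) {
            return true;
        }
    }
    return false;
}

// Constructed sample configuration: one uid entry and one username entry.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] = [1, 'maintainer'];
$configured = $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'];

// Constructed sample be_users rows.
$byUid  = ['uid' => 1, 'username' => 'oliver'];
$byName = ['uid' => 7, 'username' => 'maintainer'];
$other  = ['uid' => 9, 'username' => 'georg'];

var_dump(isSystemMaintainer($byUid, $configured));
var_dump(isSystemMaintainer($byName, $configured));
var_dump(isSystemMaintainer($other, $configured));

// Comment #1's point: if the account with username 'maintainer' is renamed and
// another admin account takes over that username, the username-based entry
// now matches the other account. The uid-based entry for uid 1 is unaffected.
$renamedOther = ['uid' => 9, 'username' => 'maintainer'];
var_dump(isSystemMaintainer($renamedOther, $configured));
```

Matching on uid rather than username keeps the maintainer list bound to the account record itself, which is the property that comment #1 below is asking for.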

History

#1 Updated by Georg Ringer almost 3 years ago

Using usernames instead of uid would mean that any admin user can change the username of a system admin to something else and then his own username into the one of a system admin.

#2 Updated by Oliver Hader almost 3 years ago

  • Description updated (diff)

#3 Updated by Benni Mack over 2 years ago

  • Status changed from New to Closed
