Project

General

Profile

Actions

Bug #87536

closed

Epic #90674: Backend UI not reflecting permissions

Editors cannot enable backend users created with sys_action "Create Backend User"

Added by Christian Buelter over 5 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Backend User Interface
Target version:
-
Start date:
2019-01-24
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
8
PHP Version:
Tags:
sys_action
Complexity:
Is Regression:
Yes
Sprint Focus:

Description

Editors can create a backend user using the "sys_action" package and the action "Create Backend User".
But the newly created backend users are always disabled and cannot be enabled (see Screenshot).

This bug exists since TYPO3 9.5.4, in 9.5.3 it was possible for editors to enable backend users using this action.

This restriction does not apply to admin users.

Workaround:

Set the field "disable" in be_users to a non-exclude field by using this TCA Override:

$GLOBALS['TCA']['be_users']['columns']['disable']['exclude'] = 0;

BTW: Is there a value in setting exclude fields for the be_users table? This table is not shown in the "Access Lists" tab when a backend group is defined, so I think there's no reason to define exclude fields for this table. Maybe I'm missing something?


Files


Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #89779: Editors cannot enable beuser created with taskcenterClosed2019-11-26

Actions
Actions #1

Updated by Oliver Hader over 5 years ago

This is a result of https://typo3.org/security/advisory/typo3-core-sa-2019-002/ - I'd have to check sys_action in more detail in order to (maybe) find a solution here.

Actions #2

Updated by Oliver Hader over 5 years ago

  • TYPO3 Version changed from 9 to 8
  • Is Regression set to Yes
Actions #3

Updated by Oliver Hader over 5 years ago

  • Status changed from New to Accepted

Backend user records are created disabled by default since TYPO3 v9.5.4 and v8.7.23 - find details in following links

Thus sys_action handling should be adjusted to fit with the mentioned change.

Actions #4

Updated by Oliver Hader over 5 years ago

  • Related to Task #87886: Switch styles.content.get in TS created in Install Tool added
Actions #5

Updated by Oliver Hader over 5 years ago

  • Related to deleted (Task #87886: Switch styles.content.get in TS created in Install Tool)
Actions #7

Updated by Chris W over 4 years ago

In my TYPO3 9.5.13 editors can't create activated be-users as well. Only admins can create enabled be-users by sys_action.

Actions #8

Updated by Riccardo De Contardi over 4 years ago

  • Related to Bug #89779: Editors cannot enable beuser created with taskcenter added
Actions #9

Updated by Riccardo De Contardi over 4 years ago

I add here the description of the issue #89779 to keep track of it

If an editor creates a new backend user with the taskcenter the new user is created "hidden". Thus rendering the new backend user useless. Editing the new be_user in the taskcenter doesn't help. The hidden flag is always set anew on saving.
Since editing rights for be_user datasets cannot be made available to editors, there is no other way than to ask an administrator/integrator to activate newly created be_users.

Currently, we are running on TYPO3 9.5.11.
Our task setup was established in TYPO3 6.2 and worked reliable with 7.6 and 8.7, too. New beusers are created disabled since we updated to TYPO3 9.5 a while back.

Did we miss any changes in the creation of backend users through the taskcenter or is it a bug? Atm it looks like the DataHandler does not accept certain actions if they are triggered by a non-admin. If creating/editing be_users in the taskcenter as an admin everything works as expected.

Steps to reproduce:
  1. create a be_group, grant its members rights top use the taskcenter and assign any editor.
  2. create a task to create be_users and assign it to the be_group.
  3. change into the editors account and create a new enabled be_user.
Actions #10

Updated by Riccardo De Contardi over 4 years ago

  • Parent task set to #90674
Actions #11

Updated by Susanne Moog about 4 years ago

  • Status changed from Accepted to Closed

The extension sys_action has moved to https://github.com/FriendsOfTYPO3/sys_action - if this issue is still relevant, please report it there.

Actions

Also available in: Atom PDF