Bug #87536
closed
Epic #90674: Backend UI not reflecting permissions
Editors cannot enable backend users created with sys_action "Create Backend User"
Description
Editors can create a backend user using the "sys_action" package and the action "Create Backend User".
But the newly created backend users are always disabled and cannot be enabled (see Screenshot).
This bug has existed since TYPO3 9.5.4; in 9.5.3 it was possible for editors to enable backend users using this action.
This restriction does not apply to admin users.
Workaround:
Set the field "disable" in be_users to a non-exclude field by using this TCA Override:
$GLOBALS['TCA']['be_users']['columns']['disable']['exclude'] = 0;
BTW: Is there a value in setting exclude fields for the be_users table? This table is not shown in the "Access Lists" tab when a backend group is defined, so I think there's no reason to define exclude fields for this table. Maybe I'm missing something?
Updated by Oliver Hader almost 6 years ago
This is a result of https://typo3.org/security/advisory/typo3-core-sa-2019-002/ - I'd have to check sys_action in more detail in order to (maybe) find a solution here.
Updated by Oliver Hader almost 6 years ago
- TYPO3 Version changed from 9 to 8
- Is Regression set to Yes
Updated by Oliver Hader over 5 years ago
- Status changed from New to Accepted
Backend user records are created disabled by default since TYPO3 v9.5.4 and v8.7.23 - find details in the following links:
- https://review.typo3.org/c/Packages/TYPO3.CMS/+/59528/2/typo3/sysext/core/Configuration/TCA/be_users.php
- https://typo3.org/security/advisory/typo3-core-sa-2019-002/
Thus sys_action handling should be adjusted to fit with the mentioned change.
Updated by Oliver Hader over 5 years ago
- Related to Task #87886: Switch styles.content.get in TS created in Install Tool added
Updated by Oliver Hader over 5 years ago
- Related to deleted (Task #87886: Switch styles.content.get in TS created in Install Tool)
Updated by Chris W almost 5 years ago
In my TYPO3 9.5.13, editors can't create activated be-users either. Only admins can create enabled be-users by sys_action.
Updated by Riccardo De Contardi over 4 years ago
- Related to Bug #89779: Editors cannot enable beuser created with taskcenter added
Updated by Riccardo De Contardi over 4 years ago
I add here the description of the issue #89779 to keep track of it
If an editor creates a new backend user with the taskcenter the new user is created "hidden". Thus rendering the new backend user useless. Editing the new be_user in the taskcenter doesn't help. The hidden flag is always set anew on saving.
Since editing rights for be_user datasets cannot be made available to editors, there is no other way than to ask an administrator/integrator to activate newly created be_users. Currently, we are running on TYPO3 9.5.11.
Our task setup was established in TYPO3 6.2 and worked reliably with 7.6 and 8.7, too. New beusers are created disabled since we updated to TYPO3 9.5 a while back. Did we miss any changes in the creation of backend users through the taskcenter or is it a bug? Atm it looks like the DataHandler does not accept certain actions if they are triggered by a non-admin. If creating/editing be_users in the taskcenter as an admin everything works as expected.
Steps to reproduce:
- create a be_group, grant its members rights to use the taskcenter and assign any editor.
- create a task to create be_users and assign it to the be_group.
- change into the editors account and create a new enabled be_user.
Updated by Susanne Moog over 4 years ago
- Status changed from Accepted to Closed
The extension sys_action has moved to https://github.com/FriendsOfTYPO3/sys_action - if this issue is still relevant, please report it there.