Bug #89449

closed

Option "access" is ignored for backend routes

Added by Markus Poerschke over 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Won't have this time
Category: Backend API
Target version: -
Start date: 2019-10-18
% Done: 100%
TYPO3 Version: 9

Description

As mentioned in the official documentation, a backend route can be configured as publicly accessible by using the "access" property:

»The “public” access property indicates that no authentication is required for that action.«

But when a route is added and marked as "public", a redirect response is still returned if the user is not logged in. The reason is that only paths defined in \TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator::$publicRoutes are accessible without login.

A small hint that this is not possible is mentioned in the documentation:

»Currently the "access" property is only used so no token creation + validation is made, but will be extended further.«

We are currently working on a custom backend login provider for TYPO3 v9, which requires performing an AJAX request to the TYPO3 system. This request will occur before the backend user is logged in. We tried this by adding a new route to Configuration/Backend/AjaxRoutes.php, but the request is constantly redirected to the login.

I would like to provide a fix for v9 and a separate fix for v10, because some methods and properties can be removed.

The fix looks more or less as follows:

  • match the route in a PSR-15 middleware before BackendUserAuthenticator
  • use the "access" property of the route to indicate if the route can be accessed publicly

Breaking changes (for TYPO3 v10) are:

  • removal of \TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator::$publicRoutes
  • removal of \TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator::isLoggedInBackendUserRequired
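
The difference between the two gating strategies described in this report, as an added example in plain PHP (not code from the TYPO3 core or from the proposed patch). The route names, paths, targets and the contents of the hard-coded list are hypothetical; the functions model the decision only and do not use the PSR-15 or TYPO3 middleware APIs.

```php
<?php
declare(strict_types=1);

// Constructed route table in the shape of Configuration/Backend/AjaxRoutes.php.
// Route names, paths and targets are hypothetical.
$routes = [
    'myext_login_challenge' => [
        'path'   => '/myext/login/challenge',
        'target' => 'Vendor\\MyExt\\Controller\\LoginController::challengeAction',
        'access' => 'public',
    ],
    'myext_settings' => [
        'path'   => '/myext/settings',
        'target' => 'Vendor\\MyExt\\Controller\\SettingsController::saveAction',
    ],
];

// Behaviour described in the report: only a fixed list of paths skips login,
// so a route's own "access" option has no effect on authentication.
function requiresLoginByPathList(string $path, array $publicPaths): bool
{
    return !in_array($path, $publicPaths, true);
}

// Proposed behaviour: resolve the route first, then read its "access" option.
// Default deny: unmatched paths and routes without access=public need a login.
function requiresLoginByRouteOption(string $path, array $routes): bool
{
    foreach ($routes as $route) {
        if ($route['path'] === $path) {   // exact match only, no prefix matching
            return ($route['access'] ?? '') !== 'public';
        }
    }
    return true;
}

$hardCoded = ['/login'];                  // placeholder for the fixed list
$samples = ['/myext/login/challenge', '/myext/settings', '/myext/login/challenge/../settings'];
foreach ($samples as $path) {
    printf(
        "%-40s path-list: %-7s route-option: %s\n",
        $path,
        requiresLoginByPathList($path, $hardCoded) ? 'login' : 'public',
        requiresLoginByRouteOption($path, $routes) ? 'login' : 'public'
    );
}
```

Because the route option becomes the only thing separating an endpoint from unauthenticated callers, the lookup compares the full path and treats anything other than the literal value "public" as requiring a login.
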
Actions #1

Updated by Markus Poerschke over 4 years ago

  • Description updated (diff)
Actions #2

Updated by Gerrit Code Review over 4 years ago

  • Status changed from New to Under Review

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62034

Actions #3

Updated by Gerrit Code Review over 4 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62035

Actions #4

Updated by Gerrit Code Review over 4 years ago

Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62034

Actions #5

Updated by Gerrit Code Review over 4 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62035

Actions #6

Updated by Gerrit Code Review over 4 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62035

Actions #7

Updated by Gerrit Code Review over 4 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62035

Actions #8

Updated by Markus Poerschke over 4 years ago

  • Assignee set to Markus Poerschke
  • Priority changed from Should have to Won't have this time
  • % Done changed from 0 to 100

The change is not needed since an easy workaround in the third-party extension can solve the problem. The backend routes registration will be reworked in v10, therefore this change is obsolete.

See review for version 10 for more information.

Actions #9

Updated by Susanne Moog about 4 years ago

  • Status changed from Under Review to Closed