Bug #89449

Option "access" is ignored for backend routes

Added by Markus Poerschke about 1 month ago. Updated 17 days ago.

Status: Under Review
Priority: Won't have this time
Category: Backend API
Target version: -
Start date: 2019-10-18
Due date:
% Done: 100%
TYPO3 Version: 9
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

As mentioned in the official documentation, a backend route can be configured as publicly accessible by using the "access" property:

»The “public” access property indicates that no authentication is required for that action.«

But when a route is added and marked as "public", a redirect response is still returned if the user is not logged in. The reason is that only paths defined in \TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator::$publicRoutes are accessible without login.

A small hint that this is not possible is mentioned in the documentation:

»Currently the "access" property is only used so no token creation + validation is made, but will be extended further.«

We are currently working on a custom backend login provider for TYPO3 v9, which requires performing an AJAX request to the TYPO3 system. This request will occur before the backend user is logged in. We tried this by adding a new route to Configuration/Backend/AjaxRoutes.php, but the request is constantly redirected to the login.

I would like to provide a fix for v9 and a separate fix for v10, because some methods and properties can be removed.

The fix looks more or less as follows:

  • match the route in a PSR-15 middleware before BackendUserAuthenticator
  • use the "access" property of the route to indicate if the route can be accessed publicly

Breaking changes (for TYPO3 v10) are:

  • removal of \TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator::$publicRoutes
  • removal of \TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator::isLoggedInBackendUserRequired
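
The mismatch described in this report, modelled as a framework-free added example (not code from the report or from TYPO3): it compares the path allowlist rule with a rule that reads the route's "access" option and lists routes whose "public" declaration is ignored. The route names, paths, targets and allowlist values are constructed; the `/ajax` prefix for AJAX routes and the fail-closed default for a missing option are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Constructed route table in the shape of Configuration/Backend/AjaxRoutes.php.
// Names, paths and targets are hypothetical.
$routes = [
    'myext_login_challenge' => [
        'path' => '/myext/login/challenge',
        'target' => 'Vendor\\MyExt\\Controller\\LoginController::challenge',
        'access' => 'public',
    ],
    'myext_settings' => [
        'path' => '/myext/settings',
        'target' => 'Vendor\\MyExt\\Controller\\SettingsController::save',
    ],
];

// Stand-in for BackendUserAuthenticator::$publicRoutes (constructed values).
$publicPaths = ['/login', '/ajax/login'];

/** Rule described in the report: only allowlisted paths skip the login check. */
function isPublicByPath(string $requestPath, array $publicPaths): bool
{
    return in_array($requestPath, $publicPaths, true);
}

/** Proposed rule: the matched route's own "access" option decides. */
function isPublicByRouteOption(array $route): bool
{
    // Assumption: a missing option means "login required" (fail closed).
    return ($route['access'] ?? 'private') === 'public';
}

/** Routes that declare access=public but would still be redirected to login. */
function findIgnoredPublicRoutes(array $routes, array $publicPaths): array
{
    $ignored = [];
    foreach ($routes as $name => $route) {
        $requestPath = '/ajax' . $route['path']; // assumed AJAX route prefix
        if (isPublicByRouteOption($route) && !isPublicByPath($requestPath, $publicPaths)) {
            $ignored[$name] = $requestPath;
        }
    }
    return $ignored;
}

foreach (findIgnoredPublicRoutes($routes, $publicPaths) as $name => $path) {
    echo "$name ($path): declared public, but login is still required\n";
}
```

Under the option-based rule every route with `'access' => 'public'` is reachable without authentication, so the same loop doubles as a review list of unauthenticated entry points.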

History

#1 Updated by Markus Poerschke about 1 month ago

  • Description updated (diff)

#2 Updated by Gerrit Code Review about 1 month ago

  • Status changed from New to Under Review

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62034

#3 Updated by Gerrit Code Review about 1 month ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62035

#4 Updated by Gerrit Code Review about 1 month ago

Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62034

#5 Updated by Gerrit Code Review about 1 month ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62035

#6 Updated by Gerrit Code Review 19 days ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62035

#7 Updated by Gerrit Code Review 17 days ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62035

#8 Updated by Markus Poerschke 17 days ago

  • Assignee set to Markus Poerschke
  • Priority changed from Should have to Won't have this time
  • % Done changed from 0 to 100

The change is not needed since an easy workaround in the third-party extension can solve the problem. The backend routes registration will be reworked in v10, therefore this change is obsolete.

See review for version 10 for more information.
