Project

General

Profile

Actions

Bug #89449

closed

Option "access" is ignored for backend routes

Added by Markus Poerschke about 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Won't have this time
Category:
Backend API
Target version:
-
Start date:
2019-10-18
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

As mentioned in the official documentation, a backend route can be configured as publicly accessible by using the "access" property:

»The “public” access property indicates that no authentication is required for that action.«

But, when a route is added and marked as "public", still a redirect response is returned if the user is not logged in. The reason is, that only paths defined in \TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator::$publicRoutes are accessible without login.

A small hint, that this is not possible is mentioned in the documentation:

»Currently the "access" property is only used so no token creation + validation is made, but will be extended further.«

We are currently working on a custom backend login provider for TYPO3 v9, which requires to perform an AJAX request to the TYPO3 system. This request will occur before the backend user is logged in. We tried this by adding a new route to Configuration/Backend/AjaxRoutes.php, but the request is constantly redirected to the login.

I would like to provide a fix for v9 and a sepearte fix for v10, because some methods and properties can be removed.

The fix looks more or less as following:

  • match the route in a PSR-15 middleware before BackendUserAuthenticator
  • use the "access" property of the route to indicate if the route can be accessed publicly

Breaking changes (for TYPO3 v10) are:

  • removal of \TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator::$publicRoutes
  • removal of \TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator::isLoggedInBackendUserRequired
Actions

Also available in: Atom PDF